
Users with IAM policies receive the message "Access Denied" when trying to access a specific folder in a bucket, and no one else's. Temporarily mitigated after refresh. #3210

@AuxiliumReleases

Description

Expected Behavior

We have a bucket labelled "Clients" that contains multiple folders assigned to users who need to upload contents there.
I.e., if we have a folder named "greentreefrog", that implies that the user "greentreefrog" will be able to read and write in that folder while not seeing any other folders within that bucket.

Each user has their own password and username for their credentials, and they are logging in directly through the web interface.

Current Behavior

Currently, if the user stated above logs in and attempts to view the "Clients" bucket through the object browser, they are greeted with the notification "Access Denied" until they refresh the page, which allows them in. This has only happened after we updated to the latest version of MinIO.

Below this line is the policy we apply to users that have folders relevant to them within the client bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOnlyOwnFolder",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::clients"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": [
                        "/"
                    ],
                    "s3:prefix": [
                        "${aws:username}/"
                    ]
                }
            }
        },
        {
            "Sid": "FullAccessToOwnFolder",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::clients/${aws:username}",
                "arn:aws:s3:::clients/${aws:username}/*"
            ]
        },
        {
            "Sid": "AllowGetBucketLocation",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::clients"
            ]
        }
    ]
}

Steps to Reproduce (for bugs)

  1. Create a bucket with the name "clients"
  2. Add multiple folders inside the bucket, with one corresponding to a test user.
  3. Make a test user with their username matching one of the folders within the bucket.
  4. Assign the policy listed above to that user.
  5. Log in as that user; you should be (intermittently) greeted with "Access Denied", which is mitigated on refresh.

Context

Our clients are unable to upload important documents that are needed for nightly updates relating to software they use.

Your Environment

  • Version used (minio --version):
minio version RELEASE.2024-01-13T07-53-03Z (commit-id=993d96feef0e6b93d963932a66e2a50d3157575e)
Runtime: go1.21.5 linux/amd64
License: GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>
Copyright: 2015-2024 MinIO, Inc.
  • Server setup and configuration:
    Our MinIO instance is located within an Ubuntu VM running on a hypervisor.
  • Operating System and version (uname -a):
    Linux minio1 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
