Comments (4)
So it appears that I'm slightly incorrect: `${jwt:groups}` does substitute the variable, but only with the first element when it's an array of values; at least in terms of what my policy and requests authorize in testing.
```json
...
{
    "Effect": "Allow",
    "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::testbucket1/${jwt:groups}",
        "arn:aws:s3:::testbucket1/${jwt:groups}/*"
    ]
}
...
```
There doesn't seem to be any way to index them individually.
Right now, we need cycles to take this up @rvIceBreaker. I suggest pushing our roadmaps by becoming a customer if you have a production requirement.
However, this is not a priority and will be addressed later if and when we find some time.
You can use `jwt:groups` as part of the `ForAnyValue` or `ForAllValues` conditionals. However, these are not supported in the resources and will only use the first element.
@harshavardhana I appreciate the response; this information isn't really clearly stated anywhere, so hopefully this thread can save someone else some time.
As far as I can tell, using `ForAnyValues`/`ForAllValues` on `s3:ListBucket` -> `s3:prefix` also only matches against the first element.
```jsonc
// s3:ListBucket statement
"Condition": {
    "ForAllValues:StringLike": {
        "s3:prefix": [
            "${jwt:groups}",
            "${jwt:groups}/*"
        ]
    }
}

// s3:GetObject statement
"Resource": [
    "arn:aws:s3:::testbucket1/*"
]
```
In my testing, the above effectively only allows listing from the first element in `${jwt:groups}`, though I can `GetObject` on a known object path that differs.
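A pre-deployment check a policy author could run, as an added example that is not from the thread or from MinIO: it flags `${jwt:groups}` in Resource ARNs when the token's groups claim has several values and shows which paths the policy would actually cover, modelling the first-element-only substitution the thread describes. The expansion rule, the policy document and the claim values are constructed for illustration.

```python
import json
import re

# Added example, not from the thread or from MinIO. It encodes the behaviour the
# thread reports as an assumption: a list-valued claim substituted into a Resource
# string contributes only its first element. Claim names and values are constructed.
VAR_RE = re.compile(r"\$\{jwt:([A-Za-z0-9_-]+)\}")

def expand_first_only(template, claims):
    """Substitute ${jwt:<claim>}; list-valued claims contribute element 0 only."""
    def repl(match):
        value = claims.get(match.group(1), "")
        if isinstance(value, list):
            return str(value[0]) if value else ""
        return str(value)
    return VAR_RE.sub(repl, template)

def _resources(statement):
    res = statement.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)

def effective_resources(policy, claims):
    """Resources the Allow statements actually cover for a token carrying `claims`."""
    return [expand_first_only(r, claims)
            for st in policy["Statement"] if st.get("Effect") == "Allow"
            for r in _resources(st)]

def lint(policy, claims):
    """Flag Resource entries that use a multi-valued claim: every group after the
    first is silently dropped, so access meant for those groups is never granted."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        for r in _resources(st):
            for name in VAR_RE.findall(r):
                value = claims.get(name)
                if isinstance(value, list) and len(value) > 1:
                    findings.append(f"Statement[{i}] {r}: only {value[0]!r} is used, "
                                    f"groups {value[1:]} are dropped")
    return findings

# Constructed sample: the thread's policy shape plus a constructed two-group token.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
  "Resource": ["arn:aws:s3:::testbucket1/${jwt:groups}",
               "arn:aws:s3:::testbucket1/${jwt:groups}/*"]}]}""")
CLAIMS = {"groups": ["team-a", "team-b"]}

if __name__ == "__main__":
    print(effective_resources(POLICY, CLAIMS))  # only team-a paths survive
    print("\n".join(lint(POLICY, CLAIMS)))
```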