Access restriction: Unable to add specific user per bucket #3268

Closed
manju-rn opened this issue Mar 16, 2024 · 3 comments

@manju-rn

NOTE

Expected Behavior

Access isolation: Specific users can be assigned to specific buckets

Current Behavior

Any user that is added via the console is added to all the buckets. This should not be the case; each bucket should be allowed to have a specific user.

Possible Solution

Is there a way to allocate this via console?

Steps to Reproduce (for bugs)

  1. Create multiple buckets
  2. Add users
  3. Check the Access section in the bucket; all the users are listed there

Context

Regression

Your Environment

  • Version used (minio --version):
  • Server setup and configuration:
  • Operating System and version (uname -a):
@manju-rn manju-rn changed the title Unabel to add only specific user per bucket Unable to add specific user per bucket Mar 16, 2024
@manju-rn manju-rn changed the title Unable to add specific user per bucket Access restriction: Unable to add specific user per bucket Mar 16, 2024
@harshavardhana harshavardhana pinned this issue Mar 16, 2024
@harshavardhana harshavardhana unpinned this issue Mar 16, 2024
@harshavardhana harshavardhana transferred this issue from minio/minio Mar 16, 2024
@dvaldivia
Collaborator

What policies are you using? If the right policy is used and assigned per user, your expected behavior can be achieved.

@manju-rn
Author

> What policies are you using? If the right policy is used and assigned per user, your expected behavior can be achieved.

It's not about the policies. Say I have 2 users and 2 buckets, and I want user1 for bucket1 and user2 for bucket2. In the current console, this cannot be done; you get both the users in both the buckets.
Even so, say I want user 1 in bucket 1 to have consoleadmin but no policy in bucket 2: how do I achieve this?
Currently, if I have the policy for user1, say consoleadmin, it takes effect in both the buckets. The console does not provide an option to make the user 1 policy for bucket1 different from bucket 2. Ideally, bucket1 should NOT have user2 added to its list in the first place.

@prakashsvmx
Member

prakashsvmx commented Mar 19, 2024

Are you looking for something like

 {
     "Version": "2012-10-17",
     "Statement": [
         {
             "Effect": "Allow",
             "Action": [
                 "s3:*"
             ],
             "Resource": [
                 "arn:aws:s3:::specific-bucket/*"
             ]
         }
     ]
 }

This allows all S3 operations on bucket specific-bucket; other buckets/options are not allowed to the user to whom the policy is assigned.

Policies are at user/group level. You allow or deny Resources which can be one or more buckets or prefixes in a bucket.

So check the policies listed under Access Audit. It means those two policies can access the bucket. Please share them to validate.
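The per-user scoping discussed in this thread, as an added example that is not part of the issue or of MinIO's code: it builds one policy per bucket and runs a simplified audit showing which users each bucket would list. The names user1, user2, bucket1 and bucket2 come from the thread; the function names, the `BROAD` policy and the evaluator itself are assumptions made for illustration and ignore policy conditions.

```python
import json
from fnmatch import fnmatchcase

def bucket_policy(bucket):
    """Policy document that allows S3 actions on a single bucket only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:*"],
        # Bucket ARN for bucket-level actions, /* ARN for its objects.
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}

# Constructed broad policy: grants every action on every bucket.
BROAD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]}

def matches(patterns, value):
    """True if any wildcard pattern matches the value."""
    return any(fnmatchcase(value, p) for p in patterns)

def is_allowed(policies, action, resource):
    """Simplified evaluation: explicit Deny wins, else one Allow is needed.
    Conditions and principals are not modelled."""
    allowed = False
    for policy in policies:
        for st in policy["Statement"]:
            if matches(st["Action"], action) and matches(st["Resource"], resource):
                if st["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def access_audit(assignments, buckets):
    """For each bucket, list users whose policies can list it or read an object."""
    report = {}
    for b in buckets:
        report[b] = sorted(
            user for user, policies in assignments.items()
            if is_allowed(policies, "s3:ListBucket", f"arn:aws:s3:::{b}")
            or is_allowed(policies, "s3:GetObject", f"arn:aws:s3:::{b}/constructed-key"))
    return report

BUCKETS = ["bucket1", "bucket2"]
SHARED = {"user1": [BROAD], "user2": [BROAD]}      # both users appear on every bucket
SCOPED = {"user1": [bucket_policy("bucket1")],     # one bucket per user
          "user2": [bucket_policy("bucket2")]}

if __name__ == "__main__":
    print(json.dumps({"shared": access_audit(SHARED, BUCKETS),
                      "scoped": access_audit(SCOPED, BUCKETS)}, indent=2))
```
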
