
Upload error due to lack of access rights

Status: Open. hall-b opened this issue 3 years ago • 0 comments

Upload error when readonly access

There is an issue when uploading an object to a bucket where you only have read access.

This happens when you restrict a user to have read/write access to all buckets except one. When that restricted user logs in and tries to do some operation with that special bucket, things seem to work mostly as expected:

  • In the user interface (UI) it's specified I only have read access
  • I cannot delete an object from the UI (when trying to delete an object, a red banner shows up with the text: "Access denied")
  • I cannot delete or upload an object via the mc client (the error message says explicitly "access denied")

However, when I try to upload an object on the UI, it seems to work: the progress bar loads and finally it fails with no further information. (On my self-hosted minio instance it sometimes made MinIO crash.)

Expected Behavior

  • Do not allow a user with only read access to upload an object

Current Behavior

  • Red banner with text saying: Uploaded files 0/1
  • In download/upload recap it says the upload failed
  • (In my self-hosted minio instance, sometimes, it created an error and made my minio container crash)

Possible Solution

  • Make sure the user cannot click on the upload button (hide it or gray it out, as the Rewind button can be)
  • When uploading the object, show a red banner with "Access denied" (same behaviour as when you delete an object without sufficient rights)

Steps to Reproduce (for bugs)

  1. Go to https://play.min.io:9443/
  2. Create a policy with read & write access on all buckets except one:

     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Action": [
                     "s3:*"
                 ],
                 "Resource": [
                     "arn:aws:s3:::*"
                 ]
             },
             {
                 "Effect": "Deny",
                 "Action": [
                     "s3:DeleteObject",
                     "s3:PutObject"
                 ],
                 "Resource": [
                     "arn:aws:s3:::asia/*"
                 ]
             }
         ]
     }

  3. Create a new user and assign the newly created policy to him
  4. Log into minio with the new user
  5. Go to the only bucket where you have read access only
  6. Try to upload an object with the upload button

Context

This issue has the following drawback:

  1. The user doesn't know why his upload failed
  2. This might create an internal error
  3. On a self-hosted minio server, it made my minio instance crash

Regression

I don't know

Your Environment

Used the instance running at https://play.min.io:9443/ with the version: Latest Version: minio/minio:RELEASE.2022-06-07T00-33-41Z

Logs

Logs produced with the command mc admin trace -v -a play. We can clearly see a 403 error code with an "Access Denied." error message. Why not show this on the user interface?

play.min.io:9000
play.min.io:9000 [REQUEST s3.PutObject] [2022-06-08T16:23:21:000] [Client IP: 147.75.201.93]
play.min.io:9000 PUT /asia//latakia_1.jpg
play.min.io:9000 Proto: HTTP/1.1
play.min.io:9000 Host: play.min.io:9000
play.min.io:9000 X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
play.min.io:9000 X-Amz-Date: 20220608T142321Z
play.min.io:9000 X-Amz-Security-Token: eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhY2Nlc3NLZXkiOiJYMEY3V09XNzJRSkUwSTY3UzZWNyIsImV4cCI6MTY1NDcwMTMxMSwicGFyZW50IjoidGVzdF9hY2NvdW50In0.bnREufHyDOmHk2A3sC8qw_Q0-7wpLyaRl0SYUf5r6znQkJCaCBwDgJqduBfcGzdE9JGrujWBTaFPPNkPxbkAmg
play.min.io:9000 Authorization: AWS4-HMAC-SHA256 Credential=X0F7WOW72QJE0I67S6V7/20220608/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=e2c9fec30babd9c7146c3c867144e1ef76874f29968bf3c956449f562a0d0869
play.min.io:9000 Content-Length: 71114
play.min.io:9000 Content-Type: image/jpeg
play.min.io:9000 User-Agent: MinIO (linux; amd64) minio-go/v7.0.27
play.min.io:9000 <BODY>
play.min.io:9000 [RESPONSE] [2022-06-08T16:23:21:000] [ Duration 450µs  ↑ 111 B  ↓ 678 B ]
play.min.io:9000 403 Forbidden
play.min.io:9000 Content-Length: 324
play.min.io:9000 Content-Security-Policy: block-all-mixed-content
play.min.io:9000 Strict-Transport-Security: max-age=31536000; includeSubDomains
play.min.io:9000 Vary: Origin,Accept-Encoding
play.min.io:9000 X-Amz-Request-Id: 16F6AB3F5DF69DBF
play.min.io:9000 X-Xss-Protection: 1; mode=block
play.min.io:9000 Accept-Ranges: bytes
play.min.io:9000 Content-Type: application/xml
play.min.io:9000 Server: MinIO
play.min.io:9000 X-Amz-Bucket-Region: us-east-1
play.min.io:9000 X-Content-Type-Options: nosniff
play.min.io:9000 <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Key>latakia_1.jpg</Key><BucketName>asia</BucketName><Resource>/asia//latakia_1.jpg</Resource><Region>us-east-1</Region><RequestId>16F6AB3F5DF69DBF</RequestId><HostId>2e2fed6f-f04c-4f1f-bf24-29c59ddaabf4</HostId></Error>
play.min.io:9000

hall-b avatar Jun 08 '22 15:06 hall-b
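The policy in the reproduction steps and the trace in the Logs section together explain the 403: the Deny statement on arn:aws:s3:::asia/* overrides the broad Allow, so the server refuses the PutObject before the body is even read. The following Python script is an added example, not code from this issue or from the MinIO project. It evaluates (action, resource) pairs against the issue's policy with the usual S3-style semantics (explicit Deny wins over Allow, default is deny), then parses a constructed excerpt of mc admin trace output in the shape shown above (the PutObject request is copied from the issue, the GetObject request is made up for contrast) and checks whether the server's verdict agrees with what the policy predicts. The helper names, the regular expressions and the collapsing of the doubled slash in the console's object path are assumptions of this example.

```python
import fnmatch
import json
import re

# Copy of the policy from the reproduction steps (constructed from the issue text).
POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::asia/*"]}
    ]
}""")


def _matches(patterns, value):
    # IAM-style wildcard matching: '*' and '?' are the only metacharacters,
    # and '*' is allowed to span '/' (fnmatch behaves the same way).
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair: an explicit Deny always wins,
    otherwise any matching Allow grants access, otherwise the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not (_matches(actions, action) and _matches(resources, resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def path_to_arn(path):
    """'/asia//latakia_1.jpg' -> 'arn:aws:s3:::asia/latakia_1.jpg'.
    The console sent a doubled slash after the bucket; it is collapsed here (assumption)."""
    bucket, _, key = path.lstrip("/").partition("/")
    return f"arn:aws:s3:::{bucket}/{key.lstrip('/')}"


# Constructed excerpt of `mc admin trace -v` output. The PutObject exchange mirrors the
# one in the issue; the GetObject exchange is invented to show an allowed request.
TRACE = """\
play.min.io:9000 [REQUEST s3.PutObject] [2022-06-08T16:23:21:000] [Client IP: 147.75.201.93]
play.min.io:9000 PUT /asia//latakia_1.jpg
play.min.io:9000 Proto: HTTP/1.1
play.min.io:9000 <BODY>
play.min.io:9000 [RESPONSE] [2022-06-08T16:23:21:000] [ Duration 450µs  ↑ 111 B  ↓ 678 B ]
play.min.io:9000 403 Forbidden
play.min.io:9000 Content-Type: application/xml
play.min.io:9000 <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Key>latakia_1.jpg</Key><BucketName>asia</BucketName></Error>
play.min.io:9000
play.min.io:9000 [REQUEST s3.GetObject] [2022-06-08T16:24:00:000] [Client IP: 147.75.201.93]
play.min.io:9000 GET /asia/latakia_1.jpg
play.min.io:9000 [RESPONSE] [2022-06-08T16:24:00:000] [ Duration 1ms  ↑ 0 B  ↓ 71114 B ]
play.min.io:9000 200 OK
play.min.io:9000
"""

REQUEST_RE = re.compile(r"\[REQUEST (s3\.\w+)\]")
PATH_RE = re.compile(r"^\S+ (?:PUT|GET|DELETE|POST|HEAD) (/\S*)")
STATUS_RE = re.compile(r"^\S+ (\d{3}) ")
CODE_RE = re.compile(r"<Code>([^<]+)</Code>")


def parse_trace(text):
    """Split trace output into one record per request: api, path, HTTP status, S3 error code."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            current = {"api": m.group(1), "path": None, "status": None, "error_code": None}
            records.append(current)
            continue
        if current is None:
            continue
        if current["path"] is None and (m := PATH_RE.match(line)):
            current["path"] = m.group(1)
        elif current["status"] is None and (m := STATUS_RE.match(line)):
            current["status"] = int(m.group(1))
        elif m := CODE_RE.search(line):
            current["error_code"] = m.group(1)
    return records


def cross_check(policy, trace_text):
    """For each traced request: (action, path, policy says allowed?, server returned AccessDenied?)."""
    out = []
    for rec in parse_trace(trace_text):
        action = rec["api"].replace(".", ":")  # s3.PutObject -> s3:PutObject
        predicted = is_allowed(policy, action, path_to_arn(rec["path"]))
        observed_denied = rec["status"] == 403 and rec["error_code"] == "AccessDenied"
        out.append((action, rec["path"], predicted, observed_denied))
    return out


if __name__ == "__main__":
    for action, path, predicted, denied in cross_check(POLICY, TRACE):
        print(f"{action:15} {path:22} policy allows={predicted!s:5} server denied={denied}")
```

Running the script shows the PutObject on /asia//latakia_1.jpg predicted as denied and confirmed by the 403, while the GetObject is allowed and served. The same predicate could be evaluated client-side by the console (or by running the trace) to surface "Access denied" immediately instead of a silent failed progress bar, which is the behaviour the issue asks for.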