You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When trying to expose a multi tenant bucket (different users have different locations they should be able to access) via mountpoint-S3 it seems that I need to grant more permissions than needed.
Given following structure:
bucket
project1
project2
folder0
folder1
dummy
files
file1
file2
A User needs access to prefix project1/ and project2/folder1/dummy/files/
From a Least Privilege principle I need to provide GetObject and ListBucket Permissions to
project1/* and project2/folder1/dummy/files/*
Using the above described policy when using aws s3 client it does seem to work, i'm able to list files/folders in both paths and don't have access to any of the parent folders or siblings.
When using mountpoint-s3 i'm unable to use the above described policy as the OS tries to access project2/ before transversing to project2/folder1/ , and so on until it tries to list in project2/folder1/dummy/files/.
From a confidentiality point of view, the end user cannot list anything besides the two path specified.
Is there a possibility for mountpoint to cope with this Linux OS/Fuse specific behaviour to ensure we as a client don't need to provide more permissions than needed. This will allow us to use a single mount for an entire subtree structure and a single limited IAM policy. Using separate mounts cannot be done as it will potentially entail having 1K mounts on a OS.
The above described capability in combination with subPath expression in kubernetes/eks allows to only expose what is needed to the user.
The text was updated successfully, but these errors were encountered:
I don't have any workaround I can share today (other than using separate mounts which as you mentioned wouldn't be feasible in this case). I'll take this to the team so we can investigate ways to allow this type of mount without needing to grant the broad permissions.
Tell us more about this new feature.
Hi,
When trying to expose a multi tenant bucket (different users have different locations they should be able to access) via mountpoint-S3 it seems that I need to grant more permissions than needed.
Given following structure:
bucket
A User needs access to prefix project1/ and project2/folder1/dummy/files/
From a Least Privilege principle I need to provide GetObject and ListBucket Permissions to
project1/* and project2/folder1/dummy/files/*
Using the above described policy when using aws s3 client it does seem to work, i'm able to list files/folders in both paths and don't have access to any of the parent folders or siblings.
When using mountpoint-s3 i'm unable to use the above described policy as the OS tries to access project2/ before transversing to project2/folder1/ , and so on until it tries to list in project2/folder1/dummy/files/.
From a confidentiality point of view, the end user cannot list anything besides the two path specified.
Is there a possibility for mountpoint to cope with this Linux OS/Fuse specific behaviour to ensure we as a client don't need to provide more permissions than needed. This will allow us to use a single mount for an entire subtree structure and a single limited IAM policy. Using separate mounts cannot be done as it will potentially entail having 1K mounts on a OS.
The above described capability in combination with subPath expression in kubernetes/eks allows to only expose what is needed to the user.
The text was updated successfully, but these errors were encountered: