# help
a
Thread (2): how does the GUI access data? When you log into the lakeFS GUI, you get a jwt representing your identity. The GUI uses that for all access, and the lakeFS server will apply access policies for that user. Now the GUI can access objects on lakeFS. It uses the lakeFS api for that. Every metadata operation (such as listing repos or branches, or listing paths in a "directory") is obviously performed on the server. What about data operations (uploading and downloading contents)? The GUI still asks the lakeFS server. The server applies policies for the user, and if all goes well it accesses data on the storage backend (S3) on behalf of the user and transfers data to or from the user. This is all done using the server credentials; the user does not need credentials for direct data access on the storage.
k
Ok, so essentially it sounds like I need to create an IAM role for my server hosting lakeFS, which will directly access the S3 buckets... when a user logs in they get an abstraction layer through lakeFS, e.g. a "lakefs://" set of permissions that can access the data
Is that about right?
a
Yup! Typically your server will run on AWS EC2, or on k8s, both of which allow you to give it instance roles. Have you taken a look at our setup trail? It starts with "preparing your storage" (link goes to S3), which helpfully includes an IAM policy that will work.
k
I saw that, but that looks like a bucket policy, not an IAM policy?
@Ariel Shaqed (Scolnicov) hey, so I've got an IAM role attached to my EC2 instance. At the command line I can do "aws s3 s3//mybucket", but lakeFS complains "failed to load shared credentials". Where is lakeFS pulling credentials from?
a
Hi Kevin, this is odd. It looks like you configured everything according to this guide for EC2. Maybe you have some environment variable setting a profile? If you need more help, could you send the config YAML file and environment variables starting with "AWS"? But please... make sure not to send any secrets, of course!
k
Ohhhh, I see it... yeah, 'profile: default' was in my config
But running 'aws configure list', it shows no profile
a
I saw that, but that looks like a bucket policy, not a iam policy?
Sorry, missed this one. This bucket policy will work. You're right, I don't think we have a guide for setting a role policy anywhere. You'll need to copy the same permissions, of course. I'll look on Sunday to see if I can find an example written out somewhere.
Configuration options are part of what makes working with AWS so much fun...
I think if you drop the profile it should work.
k
it's awful and confusing as hell
Yup, I dropped the profile and it worked, as Amazon injects it into the OS somehow
a
You'd wish it did that. I think that the default credentials provider goes to the instance metadata service, which appears by virtual magic, and that gives credentials to get the role. Fun fun fun.
k
aka “magic”
So now to figure out how I want to structure my prefixes in S3
Would you give a prefix for lakeFS, or just let users put whatever into lakeFS?
a
I like prefixes :-). So I'd recommend something with "lakeFS/repos" in it. That way it's easier for me to know what I and my users put into S3, and what lakeFS put in there.
k
got it