Hi all, Can anyone help me with the exact JSON of ...
# help
m
Hi all, can anyone help me with the exact JSON of the policy for setting read, write access to a specific repository? As of now this is what I'm using, but the user gets insufficient permissions.
{
  "statement": [
    {
      "action": [
        "fs:ListRepositories",
        "fs:ReadRepository",
        "fs:ReadCommit",
        "fs:ListBranches",
        "fs:ListObjects",
        "fs:ReadObject",
        "fs:WriteObject",
        "fs:DeleteObject",
        "fs:RevertBranch",
        "fs:ReadBranch",
        "fs:CreateBranch",
        "fs:DeleteBranch",
        "fs:CreateCommit"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/repository-name/*"
    }
  ]
}
y
Hey @mishraprafful, I'm checking this and will reply here soon
m
Thanks @Yoni Augarten, looking forward to your response 🙂
y
Could you tell me which action gets the insufficient permissions error?
m
Listing the repositories gets that error and when using the URL to view specific repository details like branches the user gets a blank white screen.
y
@mishraprafful, in order for the user to be able to list the repositories - they have to get "fs:ListRepositories" permission with "*" as the resource. I understand this is not ideal as they will be able to see all the other repositories. I will open an issue for us to reconsider that and come up with a better solution.
Regarding the specific repository screen, please use the following policy:
{
  "statement": [
    {
      "action": [
        "fs:ReadRepository",
        "fs:ReadCommit",
        "fs:ListBranches",
        "fs:ListTags",
        "fs:ListObjects"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/repository-name"
    },
    {
      "action": [
        "fs:RevertBranch",
        "fs:ReadBranch",
        "fs:CreateBranch",
        "fs:DeleteBranch",
        "fs:CreateCommit"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/repository-name/branch/*"
    },
    {
      "action": [
        "fs:ReadObject",
        "fs:WriteObject",
        "fs:DeleteObject"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/repository-name/object/*"
    },
    {
      "action": [
        "fs:ReadTag",
        "fs:CreateTag",
        "fs:DeleteTag"
      ],
      "effect": "allow",
      "resource": "arn:lakefs:fs:::repository/repository-name/tag/*"
    },
    {
      "action": [
        "fs:ReadConfig"
      ],
      "effect": "allow",
      "resource": "*"
    }
  ]
}
Note that this is giving the "fs:ReadConfig" for the user on all repositories. This will allow them to find out the storage type (s3/gcs/...) of every repository in lakeFS. This is a bug on our side and I will also open an issue for that.
m
Sounds good, let me try these suggestions. Also, regarding the above two issues, could you point me to them as well? Would love to follow and maybe contribute regarding these.
y
Sure! I appreciate that
Tagged you on our #C01APUNTSGH channel with all the relevant issues
m
Thanks for the help and support. ❤️
y
You are most welcome, we're here if you need anything else 🙂