Hi All, I am trying to give permission to one of o...
# helpn
Nagarajan SG
08/26/2021, 11:13 AMHi All, I am trying to give permission to one of our developer to set the GC rules, but they are getting the below error
request failed: [401 Unauthorized] insufficient permissions Copy code
RepoManagementFullAccess
FSFullAccessy
Yoni Augarten
08/26/2021, 11:19 AMHey @Nagarajan SG! These policies should be enough to set the GC rules. We may have had a bug in generating these policies. Let me check
n
Nagarajan SG
08/26/2021, 11:20 AMHi @Yoni Augarten Thanks for your quick response
y
Yoni Augarten
08/26/2021, 11:21 AM@Nagarajan SG, do you have
lakectln
Nagarajan SG
08/26/2021, 11:22 AMNo, how do I configure?
y
Yoni Augarten
08/26/2021, 11:23 AMIt's ok, we can use the UI for now.
n
Nagarajan SG
08/26/2021, 11:24 AMfine, even I would like to configure, if you have any doc, please share, let me setup in sometimes
y
Yoni Augarten
08/26/2021, 11:24 AMCan you please go to the Administration page > Policies > RepoManagementFullAccess?
n
Nagarajan SG
08/26/2021, 11:24 AMOk
y
Yoni Augarten
08/26/2021, 11:25 AMThen click Edit, and paste here the json that appears
n
Nagarajan SG
08/26/2021, 11:25 AM Copy code
{
"statement": [
{
"action": [
"ci:*"
],
"effect": "allow",
"resource": "*"
}
]
}y
Yoni Augarten
08/26/2021, 11:25 AMThanks
Yoni Augarten
08/26/2021, 11:26 AMIt seems like we had a bug when adding the retention policies.
Yoni Augarten
08/26/2021, 11:26 AMCan you please change the JSON to the following:
Copy code
{
"statement": [
{
"action": [
"ci:*",
"retention:*",
"fs:ReadConfig"
],
"effect": "allow",
"resource": "*"
}
]
}Yoni Augarten
08/26/2021, 11:26 AMAfterwards, try setting the rules again
n
Nagarajan SG
08/26/2021, 11:27 AMGetting error while saving
retention:*: invalid service namey
Yoni Augarten
08/26/2021, 11:28 AMLet me check
n
Nagarajan SG
08/26/2021, 11:28 AMOk
y
Yoni Augarten
08/26/2021, 11:29 AMCan you please tell me which version of lakeFS you're using?
n
Nagarajan SG
08/26/2021, 11:30 AMJust a min, let me check and share
👍🏻 1
Nagarajan SG
08/26/2021, 11:32 AMlakefs version 0.44.0y
Yoni Augarten
08/26/2021, 11:35 AMI'm sorry for the trouble @Nagarajan SG, I'm afraid that this version did have a bug where the retention policies could not be added. If it's possible for you to upgrade to the latest version, let's do that.
Otherwise, I will try to come up with a workaround.
n
Nagarajan SG
08/26/2021, 11:40 AMI can do the upgrade, but I need to check how can I do that
y
Yoni Augarten
08/26/2021, 11:40 AMI can help with that if you want
n
Nagarajan SG
08/26/2021, 11:40 AMBut, if you share the workaround for now, it will be great !!!
y
Yoni Augarten
08/26/2021, 11:40 AMI'm afraid the workaround will include running a query on the postgres database. Is that something you have access to?
n
Nagarajan SG
08/26/2021, 11:41 AMYes, I have access to the database
Nagarajan SG
08/26/2021, 11:42 AMAnd regarding upgrade, is there any downtime and do we need to update to our developer prior to the upgrade ?
y
Yoni Augarten
08/26/2021, 11:44 AMThe upgrade should take a few seconds.
Yoni Augarten
08/26/2021, 11:45 AMThis will be transparent to developers.
Yoni Augarten
08/26/2021, 11:45 AMRegarding the workaround, let me just describe the bug so that you understand what we're doing: in this version, we forgot to include "retention" as a valid service name. For that reason, you can't use the API (or the UI) to add retention permissions. We will use a database query to add it manually.
Yoni Augarten
08/26/2021, 11:46 AMYou need to run the following query on the lakeFS schema:
Copy code
BEGIN;
UPDATE auth_policies
SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
UPDATE auth_policies
SET statement = statement || '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb
WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["fs:ReadConfig"], "Effect": "allow", "Resource": "*"}]'::jsonb;
UPDATE auth_policies
SET statement = statement || '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb
WHERE display_name = 'RepoManagementReadAll' AND NOT statement @> '[{"Action": ["retention:Get*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
UPDATE auth_policies
SET statement = statement || '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb
WHERE display_name = 'RepoManagementFullAccess' AND NOT statement @> '[{"Action": ["retention:*"], "Effect": "allow", "Resource": "*"}]'::jsonb;
COMMIT;n
Nagarajan SG
08/26/2021, 11:48 AMThanks, before executing this, just I wanted to know the process for upgrade
Nagarajan SG
08/26/2021, 11:49 AMBecause if it takes only few seconds, then I can opt upgrade instead of executing this query on the db 🙂
y
Yoni Augarten
08/26/2021, 11:49 AMAre you running lakeFS on k8s?
Yoni Augarten
08/26/2021, 11:50 AMIf you used Helm to install it on k8s, then the upgrade should be very simple.
n
Nagarajan SG
08/26/2021, 11:51 AMNo, I am running it on ec2 instance
y
Yoni Augarten
08/26/2021, 11:52 AMOk, I can guide you through the upgrade, we can do this in private so we don't bother everyone here
n
Nagarajan SG
08/26/2021, 1:41 PMNow its working fine after upgrading the lakefs version to the latest, thanks @Yoni Augarten
😀 1
y
Yoni Augarten
08/26/2021, 1:44 PMThanks for the update, we're here if you need anything else
👍 1
4 Views