Hey @Kevin Vasko, I'm sorry for this inconvenience. It is a known issue. It wasn't prioritized yet since until now users who required repository-specific permissions haven't used the UI. The cause for this issue is that the page you are trying to view is the page that shows all the repositories, and the permission to list the installation's repositories is a global one. I will discuss with the team tomorrow whether we want to prioritize this right now. As a workaround, you can direct your users directly to a specific repository's page, using the URL:

<LAKEFS_UI_URL>/repositories/my-repo/objects

.

So what’s weird about this is that the page goes blank if i got to that URL

@Kevin Vasko, alternatively, you can give the users the ListRepositories permissions, but this will mean that they will be able to see the list of all repositories (but not browse to their content).

@Yoni Augarten Yewh that’s what I was doing actually but when I click on the repo it just displays a blank page

Let's do this one by one 🙂 First of all, do you get a blank page for a repository you should be able to see, or one that should be denied?

Let me validate. So just to make sure…i should be doing “arn:lakefs:fs:::repository/repo-name” where repo-name is my lakefs repo name and not the actual s3 bucket and prefix correct? I also assume I don’t need to do “arn:lakefs:fs:::repository/repo-name/“ or “arn:lakefs:fs:::repository/repo-name/*”

You are correct. Which action are you attaching this resource to?

Everything in your default FSReadWriteAll

Let me check

Yes, i get a blank page for both something i should have access to and to something I shouldn’t

Here is an example of how to configure the policy for operating on a specific repository. It's a bit more complex than what you mentioned.

Yup, that works…does it have to be broken up thst explicitly?

Yes, since permissions are divided by the type of resource they are relevant to, e.g. repository, branch etc.

ahhh

Regarding the "Already exists" error, it does seem to be a bug. I've opened an issue for it and will discuss with the team. https://github.com/treeverse/lakeFS/issues/4319

sorry for the picture but on a lab system

ReadConfig is a permission to get some information about the whole installation, required for the UI. For example, it allows the UI to retrieve the type of the storage the installation is on top of.

gotcha

Thank you for flagging these issues. Let me know if there's anything else I can help with.

ok so i see what you were saying so that very bottom “*” resource in that example you gave i added “fs:ListRepositories” now I can go to the main page, I see all the repos but I get a white blank screen on pages i don’t have the permissions on

Yes, that's a usability issue - we hope to solve it as part of the issue I mentioned above.

yup yup, this works