
Robin Moffatt

03/01/2023, 4:01 PM
after making changes to a policy attached to a user's authorisation with RBAC, should that user have to re-auth for them to take effect? and/or, what's the error in this policy here to block the user from accessing the files (which they can do, see on the right)

Guy Hardonag

03/01/2023, 4:09 PM
Hi @Robin Moffatt, the user shouldn’t re-auth, it might take a few seconds to take effect due to the fact it’s cached. The resource should follow this pattern:
arn:lakefs:fs:::repository/{repositoryId}/object/{objectKey}
Replacing the first `*` with `object` should do the job

Robin Moffatt

03/01/2023, 4:20 PM
ah, so literally `object`?
I saw that in the docs but thought it was a placeholder for the path

Guy Hardonag

03/01/2023, 4:44 PM
Yes, in order to check it try reading or writing to the path

Robin Moffatt

03/01/2023, 5:48 PM
so with `arn:lakefs:fs:::repository/drones03/object/sensitive/*` I can still browse and see the folder contents, but if I click on the object I get an error. Is the error showing the permissions are working? I'd have expected not to be able to browse the contents either
Iw: Iw at ot (https://rmoff-test.us-east-2.lakefscloud.io/assets/index-6dd372f1.js:67:10488) at async VG.head (https://rmoff-test.us-east-2.lakefscloud.io/assets/index-6dd372f1.js:67:21061) at async https://rmoff-test.us-east-2.lakefscloud.io/assets/index-6dd372f1.js:67:29262

Guy Hardonag

03/01/2023, 5:50 PM
I understand. Currently, listing can be restricted only at the repository level

Robin Moffatt

03/01/2023, 6:07 PM
ah ok, good to know
and that error I'm seeing there is the one saying "access forbidden"?
thanks for all your help btw 🙂

Guy Hardonag

03/01/2023, 6:09 PM
No problem 😃
> and that error I’m seeing there is the one saying “access forbidden”?
It is, but I agree the error isn’t clear. Would you like to open an issue for that, or would you like me to?

Ariel Shaqed (Scolnicov)

03/01/2023, 7:28 PM
We're a lot like s3. IAM there also has a bucket-level permission for listing buckets. https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html says:
To use this action in an AWS Identity and Access Management (IAM) policy, you must have permissions to perform the s3:ListBucket action.
It's an object store thing: there really are no directories!

Robin Moffatt

03/02/2023, 2:53 PM
OK. So would it be valid to log an enhancement request to be able to limit the listing of a given object path [folder]? If I'm understanding correctly, the granularity by which access can be blocked is per object for RW but only per repo for list?