after making changes to a policy attached to a use...
# help
r
after making changes to a policy attached to a user's authorisation with RBAC, should that user have to re-auth for them to take effect? and/or, what's the error in this policy here to block the user from accessing the files (which they can do, see on the right)
g
Hi @Robin Moffatt, the user shouldn’t have to re-auth; it might take a few seconds to take effect because it’s cached. The resource should match this pattern:
arn:lakefs:fs:::repository/{repositoryId}/object/{objectKey}
Replacing the first `*` with `object` should do the job.
r
ah, so literally `object`?
I saw that in the docs but thought it was a placeholder for the path
g
Yes. To check it, try reading or writing to the path.
r
so with
arn:lakefs:fs:::repository/drones03/object/sensitive/*
I can still browse and see the folder contents, but if I click on the object I get an error. Is the error showing the permissions are working? I'd have expected not to be able to browse the contents either
Iw: Iw at ot (<https://rmoff-test.us-east-2.lakefscloud.io/assets/index-6dd372f1.js:67:10488>) at async VG.head (<https://rmoff-test.us-east-2.lakefscloud.io/assets/index-6dd372f1.js:67:21061>) at async <https://rmoff-test.us-east-2.lakefscloud.io/assets/index-6dd372f1.js:67:29262>
g
I understand. Currently, listing can be restricted only at the repository level.
r
ah ok, good to know
and that error I'm seeing there is the one saying "access forbidden"?
thanks for all your help btw 🙂
g
No problem 😃
> and that error I’m seeing there is the one saying “access forbidden”?
It is, but I agree the error isn’t clear. Would you like to open an issue for that, or would you like me to?
a
We're a lot like S3. IAM there also has a bucket-level permission for listing buckets. https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html says:
> To use this action in an AWS Identity and Access Management (IAM) policy, you must have permissions to perform the s3:ListBucket action.
It's an object store thing: there really are no directories!
r
OK. So would it be valid to log an enhancement request to be able to limit the listing of a given object path [folder]? If I'm understanding correctly, the granularity by which access can be blocked is per object for RW but only per repo for list?