Description of problem (please be as detailed as possible and provide log snippets):

IHAC who is applying various bucket policies and seeing the below error for most of the policies:

`An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Policy has invalid action`

I tried to apply bucket policies and I am seeing the same error. Below is a list of all policies which are throwing the error:

ListObjects
ListMultipartUploads
GetObjectAttributes
ListObjectVersions
ListParts
PutObjectRetention
UploadPart
UploadPartCopy

Version of all relevant components (if applicable):
ODF 4.12

Does this issue impact your ability to continue to work with the product (please explain in detail what is the user impact)?
Yes, impacting customer's development environment

Is there any workaround available to the best of your knowledge?
No

Rate from 1 - 5 the complexity of the scenario you performed that caused this bug (1 - very simple, 5 - very complex)?
2

Is this issue reproducible?
Yes

Can this issue be reproduced from the UI?
No

If this is a regression, please provide more details to justify this:
Not that I am aware of

Steps to Reproduce:
1. Create OBC
2. Follow doc [A] to apply bucket policy
3. In the Action field of the policy, specify one of the actions listed above. For example, using the below policy:
~~~
{
  "Version": "NewVersion",
  "Statement": [
    {
      "Sid": "Example",
      "Effect": "Allow",
      "Principal": [
        "user1"
      ],
      "Action": [
        "s3:ListObjects"
      ],
      "Resource": [
        "arn:aws:s3:::test-policy-61fefee9-013d-42d1-a914-e09f4f7dd4e8"
      ]
    }
  ]
}
~~~
4. Apply the policy; you will see the above error.

What are the supported actions for bucket policy?

Actual results:
An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Policy has invalid action

Expected results:
S3 supported actions should be applied on NooBaa buckets

Additional info:
- [A] https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.12/html-single/managing_hybrid_and_multicloud_resources/index#using-bucket-policies
Hi Nadav,

Did you get a chance to check this bug?

Regards,
Sonal Arora
Hi Sonal,

Note that those commands have different names in policy: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

Can you try the following commands instead:

ListObjects: ListBucket
ListMultipartUploads: ListBucketMultipartUploads
ListObjectVersions: ListBucketVersions
ListParts: ListMultipartUploadParts
UploadPart: PutObject
UploadPartCopy: PutObject

Regarding PutObjectRetention, I will fix it.

Regarding GetObjectAttributes, it doesn't look like this command is supported.

Regards,
Nadav Mizrahi
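Added example, not NooBaa's code or anything posted in this thread: a small Python check that flags the S3 API operation names from the report and rewrites them to the policy action names listed above, so a bucket policy can be linted locally before PutBucketPolicy rejects it. The mapping table, the "not supported" set and the sample policy are constructed from this thread only (ODF 4.12 as described here); the bucket ARN is a placeholder.

```python
import json

# Constructed lookup (not NooBaa's code): API operation names the report shows
# rejected as "invalid action", mapped to the IAM action names from the thread.
API_OP_TO_POLICY_ACTION = {
    "ListObjects": "ListBucket", "ListObjectVersions": "ListBucketVersions",
    "ListMultipartUploads": "ListBucketMultipartUploads",
    "ListParts": "ListMultipartUploadParts",
    "UploadPart": "PutObject", "UploadPartCopy": "PutObject",
}
# Valid AWS actions the thread says ODF 4.12 still rejected: PutObjectRetention
# (fixed later) and GetObjectAttributes (operation not implemented).
NOT_SUPPORTED_ODF_412 = {"PutObjectRetention", "GetObjectAttributes"}


def _actions(statement):
    """Normalise "Action" to a list; a policy may give a bare string."""
    actions = statement.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def lint_policy(policy):
    """Return one finding per action the ODF 4.12 endpoint would reject."""
    findings = []
    for stmt in policy.get("Statement", []):
        for action in _actions(stmt):
            name = action.partition(":")[2]  # "s3:ListObjects" -> "ListObjects"
            if name in API_OP_TO_POLICY_ACTION:
                findings.append(f"{action}: use s3:{API_OP_TO_POLICY_ACTION[name]}")
            elif name in NOT_SUPPORTED_ODF_412:
                findings.append(f"{action}: not supported by ODF 4.12")
    return findings


def rewrite_policy(policy):
    """Return a copy whose API operation names are replaced by policy actions."""
    fixed_policy = json.loads(json.dumps(policy))  # deep copy; input untouched
    for stmt in fixed_policy.get("Statement", []):
        fixed = []
        for action in _actions(stmt):
            service, _, name = action.partition(":")
            new = f"{service}:{API_OP_TO_POLICY_ACTION.get(name, name)}"
            if new not in fixed:  # UploadPart and UploadPartCopy both become PutObject
                fixed.append(new)
        stmt["Action"] = fixed
    return fixed_policy


# Constructed sample modelled on the report's policy (placeholder bucket ARN).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Example", "Effect": "Allow", "Principal": ["user1"],
    "Action": ["s3:ListObjects", "s3:UploadPart", "s3:UploadPartCopy", "s3:GetObjectAttributes"],
    "Resource": ["arn:aws:s3:::example-bucket"]}]}
```

Run `lint_policy(json.load(open("policy.json")))` on a policy file before applying it; a finding that names a replacement action can be fixed with `rewrite_policy`, while a "not supported" finding means the action must be dropped for that ODF version.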
Hi Nadav,

Thanks for the update. I tried the above alternative policies you have shared; all of them work.

> regarding PutObjectRetention I will fix it

Perfect, thank you. Can you please share the Jira/bug ID where it's being tracked if it already exists, or once you open a new bug for it?

> regarding GetObjectAttributes doesn't look like this command is supported

This is a valid policy as mentioned in the AWS document you have shared. Any reason why ODF does not support this?

-------

I have one more query. I created a NoobaaAccount user1. Applied the GetObject policy successfully for user1 on an OBC (using the credentials of the default user created for the OBC). Verified from ListBucket that the policy is applied successfully.

I want to test if user1 can list objects from the bucket, so I ran the aws ls command with the credentials of user1. However, user1 is not able to list buckets. Since the ListBucket policy is applied to user1, it should be able to list objects. Am I doing anything wrong with the steps or credentials?

~~~
AWS_ACCESS_KEY_ID=61lcRVamBLqHcr03IUBy AWS_SECRET_ACCESS_KEY=SrCOucKCWypDhfRTtwTWpL/GReB5Eq/VY58CKUdf aws --endpoint https://s3-openshift-storage.apps.sdsupi.ocp.gsslab.pnq2.redhat.com --no-verify-ssl s3 ls s3://test-policy-61fefee9-013d-42d1-a914-e09f4f7dd4e8
/usr/lib/python3.11/site-packages/urllib3/connectionpool.py:1045: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3-openshift-storage.apps.sdsupi.ocp.gsslab.pnq2.redhat.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
~~~
Hi Sonal,

Glad the alternative policies worked for you. I have attached a link to the GitHub fix. I will use this bug as the issue's bug, as it was already opened for this problem.

Regarding GetObjectAttributes: I meant that the command itself isn't yet implemented in our system. Adding it to the policy will be meaningless, as it will not work anyway.

Regarding your other query: it should work. Can you send the policy you used and logs if possible?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.14.0 security, enhancement & bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6832