NC | NSFS | Multiple accounts and same bucket scenarios : technical discussion #8736

Closed
naveenpaul1 opened this issue Jan 29, 2025 · 1 comment · May be fixed by #8751

naveenpaul1 commented Jan 29, 2025

Environment info

  • NooBaa Version: VERSION
  • Platform: Kubernetes 1.14.1 | minikube 1.1.1 | OpenShift 4.1 | other: specify

Actual behavior

  1. In a scenario where a first user with UID 1001 and GID 1001 created an object with a key a/b/c, and a second user with UID 2001 and GID 2001 created a second object and the key is a/b/c, is this a valid case?
  2. How should multiple account access in the same bucket path work? Do we need to give permission to object dirs that are not created by the same user?
  3. How does the list-object scenario work for multiple account-linked buckets? List all the items for both of these users?
  4. Consider a case where two accounts with different UID and GID point to the same bucket and bucket access is given through bucket policy. Account1 put an object to the bucket and created internal directories (upload, multipart-upload etc.) using the account's UID and GID. Is there any chance the second account faces an access denied issue when trying to put an object to the same bucket?
  5. If there is an object inside the bucket directory with conflicting ownership (other than account owner), what should happen when trying to list objects?

Expected behavior

Steps to reproduce

More information - Screenshots / Logs / Other output

naveenpaul1 commented Jan 29, 2025

All the bucket dirs will be created with mode 770, and because of that, accounts that share the GID can access the dirs and files.

  1. This is an invalid case. An account with the same GID can access the bucket path. In this case, both accounts have different UID and GID, and even bucket path access is restricted for the second user.
  2. In scale, for two or more accounts to share the same bucket, all the accounts should have the same GID. When all the accounts share the same GID with bucket dir mode 770, all the accounts can list objects in that bucket.
  3. Yes. When all the accounts share the same GID with bucket dir mode 770, all the accounts can list objects in that bucket.
  4. POSIX will throw an error when trying to create an internal folder even if we set a bucket policy that allows two accounts (with different UID and GID) to access the same bucket path.
    If the GID of the two accounts is the same, there won't be any error. Mode 770 will allow accounts with the same GID to access the dir created by different accounts (with different UIDs).
  5. NC | Multi Protocol Access | If there is an object inside the bucket directory with a conflicting ownership (other than account owner), list objects throws access denied #8735

cc: @romayalon @guymguym
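
The permission outcomes described in the comment above, modelled with plain POSIX owner/group/other rules, as an added example (not NooBaa code and not part of the original comment). The path names, `account3`, UID 3001 and the helper names are assumptions made for illustration; root, supplementary groups and ACLs are not modelled.

```javascript
// Added example, not NooBaa code. Entries mimic fs.stat() fields; values are constructed.
const R = 4, W = 2, X = 1;

// POSIX picks exactly one class: owner, else group, else other (no fall-through).
function permBits(account, entry) {
    if (account.uid === entry.uid) return (entry.mode >> 6) & 7;
    if (account.gid === entry.gid) return (entry.mode >> 3) & 7;
    return entry.mode & 7;
}

// chain: directories from the bucket root down to the target directory.
// Every directory needs search (x); the target also needs the bits for the operation:
// 'list' = read + search, 'put' = write + search (creating a file or sub-directory).
function checkAccess(account, chain, op) {
    const need = op === 'list' ? R | X : W | X;
    for (let i = 0; i < chain.length; i++) {
        const required = i === chain.length - 1 ? need : X;
        if ((permBits(account, chain[i]) & required) !== required) {
            return { allowed: false, denied_at: chain[i].path };
        }
    }
    return { allowed: true, denied_at: null };
}

// Constructed layout: bucket and key prefix a/b created by account1 with mode 770,
// plus one directory written by another owner (the conflicting ownership case).
const bucket = { path: 'bucket1', uid: 1001, gid: 1001, mode: 0o770 };
const dirA = { path: 'bucket1/a', uid: 1001, gid: 1001, mode: 0o770 };
const dirAB = { path: 'bucket1/a/b', uid: 1001, gid: 1001, mode: 0o770 };
const foreign = { path: 'bucket1/x', uid: 3001, gid: 3001, mode: 0o770 };

const account1 = { name: 'account1', uid: 1001, gid: 1001 };
const account2 = { name: 'account2', uid: 2001, gid: 2001 }; // different UID and GID
const account3 = { name: 'account3', uid: 2002, gid: 1001 }; // different UID, shared GID

function report() {
    const rows = [];
    for (const acc of [account1, account2, account3]) {
        rows.push([acc.name, 'put a/b/c', checkAccess(acc, [bucket, dirA, dirAB], 'put')]);
        rows.push([acc.name, 'list x/', checkAccess(acc, [bucket, foreign], 'list')]);
    }
    return rows;
}

for (const [name, op, res] of report()) {
    console.log(name, op, res.allowed ? 'allowed' : `denied at ${res.denied_at}`);
}
```

Feeding real `fs.stat()` results for a bucket path into `checkAccess` gives a quick audit of which directories would deny a given account before it attempts a put or list.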
