  1. Jenkins
  2. JENKINS-42350

Remove requirement for ListAllMyBuckets permission

    Details

    • Type: Improvement
    • Status: Open (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Component/s: s3-plugin
    • Labels:
      None

      Description

      Forgive me if I'm wrong, but it appears that the ListAllMyBuckets permission is only used to perform a login check when validating the form: https://github.com/jenkinsci/s3-plugin/blob/1feed0d956cf6eeff24306028d76e765ee997547/src/main/java/hudson/plugins/s3/S3BucketPublisher.java#L494

      If the permission is not actually required when publishing to S3 then can we make this optional? For security reasons, we'd like to limit S3 access to a specific bucket and not allow the plugin to access our full list of buckets.

          Activity

          jimilian Alexander A added a comment -

          I wish to help, but I don't have any idea how to do it.

          I don't know a place where I can add or remove requirements. If you know such an API method or place in the S3 Plugin, give it to me. Or (even better) create a PR.

          AFAIK you can remove the permission for "ListAllMyBuckets" if it's not needed for anything else -> in this case you will only see the warning "Can't connect to S3 service:" instead of "Check passed".

          davehunt Dave Hunt added a comment -

          Removing the permission for "ListAllMyBuckets" allowed the configured plugin to continue to operate as it is currently. As you suggest, the only issue would be validating the form. I'm informed by our ops team that it wasn't possible to configure the plugin without this permission, which I suspect is due to the FormValidation.error, and I wonder if changing this to FormValidation.warning may help?

          jimilian Alexander A added a comment -

          Dave Hunt it works fine with `FormValidation.error` - I just tested it in the latest Jenkins with wrong credentials. The form was saved, the content was valid. And I believe that the same behavior was in 1.6xx something as well. You can double check with your ops guys.

          davehunt Dave Hunt added a comment -

          Thanks Alexander A, I'll let our ops team know. Perhaps this issue could be resolved with a simple tweak to the error message? Something like "Configuration has been saved, but connection to S3 could not be verified. Publishing to S3 may operate as intended, however for this verification to work you will need to grant the ListAllMyBuckets permission."
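
          For the goal stated in the description (limiting the plugin's credentials to one bucket), a check like the following can confirm that an IAM policy no longer grants `s3:ListAllMyBuckets` or reaches other buckets. This is an added example, not code from this issue or from the s3-plugin; the bucket name `example-artifacts`, the sample policy and the function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample policy (not from the issue): publishing scoped to one
# hypothetical bucket, plus a leftover broad statement the audit should catch.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-artifacts/*"},
    {"Effect": "Allow", "Action": "s3:List*", "Resource": "*"}
  ]
}""")

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])

def _matches(pattern, name):
    """IAM-style wildcard match, case-insensitive: '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def audit(policy, bucket):
    """Return (statement index, issue) pairs for Allow statements that grant
    s3:ListAllMyBuckets or name resources outside `bucket`."""
    scope = f"arn:aws:s3:::{bucket}"
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, stmt in enumerate(stmts):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource: review by hand"))
            continue
        # Only statements that can apply to S3 actions are in scope here.
        actions = [a for a in _as_list(stmt.get("Action"))
                   if a == "*" or a.lower().startswith("s3:")]
        if not actions:
            continue
        if any(_matches(a, "s3:ListAllMyBuckets") for a in actions):
            findings.append((i, "grants s3:ListAllMyBuckets"))
        for res in _as_list(stmt.get("Resource")):
            # The bucket ARN itself or objects under it; anything else is wider.
            if res != scope and not res.startswith(scope + "/"):
                findings.append((i, f"resource outside bucket: {res}"))
    return findings
```

          An empty result from `audit(policy, "example-artifacts")` means every S3 Allow statement stays inside that bucket and none matches `s3:ListAllMyBuckets`.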


            People

            Assignee:
            jimilian Alexander A
            Reporter:
            davehunt Dave Hunt