-
Improvement
-
Resolution: Unresolved
-
Minor
-
None
Forgive me if I'm wrong, but it appears that the ListAllMyBuckets permission is only used to perform a login check when validating the form: https://github.com/jenkinsci/s3-plugin/blob/1feed0d956cf6eeff24306028d76e765ee997547/src/main/java/hudson/plugins/s3/S3BucketPublisher.java#L494
If the permission is not actually required when publishing to S3 then can we make this optional? For security reasons, we'd like to limit S3 access to a specific bucket and not allow the plugin to access our full list of buckets.
[JENKINS-42350] Remove requirement for ListAllMyBuckets permission
Dave Hunt
added a comment - Removing the permission for "ListAllMyBuckets" allowed the configured plugin to continue to operate as it is currently. As you suggest, the only issue would be validating the form. I'm informed by our ops team that it wasn't possible to configure the plugin without this permission, which I suspect is due to the FormValidation.error, and I wonder if changing this to FormValidation.warning may help?
Dave Hunt
added a comment - Removing the permission for "ListAllMyBuckets" allowed the configured plugin to continue to operate as it is currently. As you suggest, the only issue would be validating the form. I'm informed by our ops team that it wasn't possible to configure the plugin without this permission, which I suspect is due to the FormValidation.error, and I wonder if changing this to FormValidation.warning may help? davehunt it works fine with `FormValidation.error` - I just tested it in last Jenkins with wrong credentials. Form was saved, content was valid. And I believe that same behavior was in 1.6xx something as well. You can double check with your ops guys.
Dave Hunt
added a comment - Thanks jimilian, I'll let our ops team know. Perhaps this issue could be resolved with a simple tweak to the error message? Something like "Configuration has been saved, but connection to S3 could not be verified. Publishing to S3 may operate as intended, however for this verification to work you will need to grant the ListAllMyBuckets permission."
Dave Hunt
added a comment - Thanks jimilian , I'll let our ops team know. Perhaps this issue could be resolved with a simple tweak to the error message? Something like "Configuration has been saved, but connection to S3 could not be verified. Publishing to S3 may operate as intended, however for this verification to work you will need to grant the ListAllMyBuckets permission." 
I wish to help, but I don't have any idea how to do it.
I don't know a place there I can add or remove requirements. If you know such API method or place in S3 Plugin, give it me. Or (even better) create PR.
AFAIK you can remove permission for "ListAllMyBuckets" if it's not needed for anything else -> in this case you will only see warning "Can't connect to S3 service:" instead of "Check passed".