From a42eef376dc179e758bdc5384bee69aa2520b349 Mon Sep 17 00:00:00 2001
From: Javier Adriel
Date: Wed, 21 Dec 2022 11:55:43 -0600
Subject: [PATCH] Support wildcard list actions (#2520)
---
 portal-ui/src/common/SecureComponent/permissions.ts | 11 +++++++++--
 .../Console/Buckets/BucketDetails/BrowserHandler.tsx | 3 ++-
 .../Console/Buckets/ListBuckets/ListBuckets.tsx | 10 ++++++++--
 .../ListBuckets/Objects/ListObjects/ListObjects.tsx | 11 +++++++++--
 .../Objects/ListObjects/ListObjectsTable.tsx | 3 ++-
 .../screens/Console/ObjectBrowser/OBBucketList.tsx | 10 ++++++++--
 portal-ui/tests/utils/elements.ts | 2 +-
 7 files changed, 39 insertions(+), 11 deletions(-)
diff --git a/portal-ui/src/common/SecureComponent/permissions.ts b/portal-ui/src/common/SecureComponent/permissions.ts
index 9c0ba1cff..ec2b756e0 100644
--- a/portal-ui/src/common/SecureComponent/permissions.ts
+++ b/portal-ui/src/common/SecureComponent/permissions.ts
@@ -24,6 +24,7 @@ export const IAM_ROLES = {
 export const IAM_SCOPES = {
 S3_STAR_BUCKET: "s3:*Bucket",
 S3_LIST_BUCKET: "s3:ListBucket",
+ S3_ALL_LIST_BUCKET: "s3:List*",
 S3_GET_BUCKET_POLICY: "s3:GetBucketPolicy",
 S3_PUT_BUCKET_POLICY: "s3:PutBucketPolicy",
 S3_GET_OBJECT: "s3:GetObject",
@@ -238,7 +239,10 @@ export const IAM_PERMISSIONS = {
 IAM_SCOPES.S3_PUT_OBJECT,
 IAM_SCOPES.S3_DELETE_OBJECT,
 ],
- [IAM_ROLES.BUCKET_VIEWER]: [IAM_SCOPES.S3_LIST_BUCKET],
+ [IAM_ROLES.BUCKET_VIEWER]: [
+ IAM_SCOPES.S3_LIST_BUCKET,
+ IAM_SCOPES.S3_ALL_LIST_BUCKET,
+ ],
 [IAM_ROLES.BUCKET_ADMIN]: [
 IAM_SCOPES.S3_ALL_ACTIONS,
 IAM_SCOPES.ADMIN_ALL_ACTIONS,
@@ -585,4 +589,7 @@ export const deleteBucketPermissions = [
 IAM_SCOPES.S3_FORCE_DELETE_BUCKET,
 ];
 
-export const browseBucketPermissions = [IAM_SCOPES.S3_LIST_BUCKET];
+export const browseBucketPermissions = [
+ IAM_SCOPES.S3_LIST_BUCKET,
+ IAM_SCOPES.S3_ALL_LIST_BUCKET,
+];
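Review bot: The new constant `S3_ALL_LIST_BUCKET` in the IAM_SCOPES hunk is named like a bucket-listing scope, but its value `s3:List*` is a wildcard over every action whose name begins with List, so the name understates what holding it means. A name that follows the neighbouring `S3_STAR_BUCKET` convention, such as `S3_LIST_STAR: "s3:List*",`, with a one-line comment that this is the wildcard form a policy may use to grant ListBucket, would make that visible at each call site. The check itself is not in this patch, but if hasPermission compares scope strings literally, other wildcard spellings that also grant ListBucket would still be treated as missing. These UI checks only decide what is shown, so the server-side policy evaluation remains the real gate. The IAM_SCOPES object continues outside the hunk.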
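Review bot: `browseBucketPermissions` now carries the `s3:ListBucket` / `s3:List*` pair, yet the component hunks in this patch (BrowserHandler, ListBuckets, ListObjects, ListObjectsTable, OBBucketList) spell the same pair out inline at each call. Passing the shared array instead, e.g. `hasPermission(bucketName, browseBucketPermissions)`, would keep every list gate in step the next time the accepted scopes change; a call site that is missed would then hide or show the listing inconsistently with the others. Whether those files already import this constant is not visible here.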
diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx index 7c5b62953..338f4551d 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx @@ -381,6 +381,7 @@ const BrowserHandler = () => { const displayListObjects = hasPermission(bucketName, [ IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, ]); // Common objects list @@ -529,7 +530,7 @@ const BrowserHandler = () => { {!versionsMode ? ( diff --git a/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx b/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx index b6e6d6036..f4870d44b 100644 --- a/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx +++ b/portal-ui/src/screens/Console/Buckets/ListBuckets/ListBuckets.tsx @@ -220,7 +220,10 @@ const ListBuckets = ({ classes }: IListBucketsProps) => { }; const canCreateBucket = hasPermission("*", [IAM_SCOPES.S3_CREATE_BUCKET]); - const canListBuckets = hasPermission("*", [IAM_SCOPES.S3_LIST_BUCKET]); + const canListBuckets = hasPermission("*", [ + IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, + ]); return ( @@ -453,7 +456,10 @@ const ListBuckets = ({ classes }: IListBucketsProps) => {
{permissionTooltipHelper( - [IAM_SCOPES.S3_LIST_BUCKET], + [ + IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, + ], "view the buckets on this server" )}
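Review bot: Adding `IAM_SCOPES.S3_ALL_LIST_BUCKET` to the `permissionTooltipHelper` argument likely means the message now tells users to ask their administrator for `s3:List*` as well as `s3:ListBucket`; the helper's body is not in this patch, so this is inferred from how the scopes are passed. Accepting the wildcard in the `hasPermission` check is reasonable, but the guidance text should keep naming only the narrowest scope that unlocks the view, so this argument is better left as `[IAM_SCOPES.S3_LIST_BUCKET]`. The same applies to the tooltip hunk in OBBucketList.tsx and the `customEmptyMessage` hunk in ListObjectsTable.tsx.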
diff --git a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx index 9d52cd2d9..03ac45ec8 100644 --- a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx +++ b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjects.tsx @@ -955,6 +955,7 @@ const ListObjects = () => { disabled={ !hasPermission(bucketName, [ IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, ]) || rewindEnabled } /> @@ -1016,7 +1017,10 @@ const ListObjects = () => {
) : ( @@ -1050,7 +1054,10 @@ const ListObjects = () => { )} diff --git a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjectsTable.tsx b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjectsTable.tsx index 65c092481..7e79d3283 100644 --- a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjectsTable.tsx +++ b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ListObjectsTable.tsx @@ -114,6 +114,7 @@ const ListObjectsTable = () => { const displayListObjects = hasPermission(bucketName, [ IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, ]); const filteredRecords = records.filter((b: BucketObjectItem) => { @@ -221,7 +222,7 @@ const ListObjectsTable = () => { customEmptyMessage={ !displayListObjects ? permissionTooltipHelper( - [IAM_SCOPES.S3_LIST_BUCKET], + [IAM_SCOPES.S3_LIST_BUCKET, IAM_SCOPES.S3_ALL_LIST_BUCKET], "view Objects in this bucket" ) : `This location is empty${ diff --git a/portal-ui/src/screens/Console/ObjectBrowser/OBBucketList.tsx b/portal-ui/src/screens/Console/ObjectBrowser/OBBucketList.tsx index 925189a7a..bead9e69c 100644 --- a/portal-ui/src/screens/Console/ObjectBrowser/OBBucketList.tsx +++ b/portal-ui/src/screens/Console/ObjectBrowser/OBBucketList.tsx @@ -129,7 +129,10 @@ const OBListBuckets = () => { const hasBuckets = records.length > 0; - const canListBuckets = hasPermission("*", [IAM_SCOPES.S3_LIST_BUCKET]); + const canListBuckets = hasPermission("*", [ + IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, + ]); const tableActions = [ { @@ -276,7 +279,10 @@ const OBListBuckets = () => {
{permissionTooltipHelper( - [IAM_SCOPES.S3_LIST_BUCKET], + [ + IAM_SCOPES.S3_LIST_BUCKET, + IAM_SCOPES.S3_ALL_LIST_BUCKET, + ], "view the buckets on this server" )}
diff --git a/portal-ui/tests/utils/elements.ts b/portal-ui/tests/utils/elements.ts index dae614b6b..53fa525a2 100644 --- a/portal-ui/tests/utils/elements.ts +++ b/portal-ui/tests/utils/elements.ts @@ -141,7 +141,7 @@ export const table = Selector(".ReactVirtualized__Table"); export const bucketsTableDisabled = Selector("#object-list-wrapper") .find(".MuiPaper-root") .withText( - "You require additional permissions in order to view Objects in this bucket. Please ask your MinIO administrator to grant you s3:ListBucket permission in order to view Objects in this bucket." + "You require additional permissions in order to view Objects in this bucket. Please ask your MinIO administrator to grant you" ); export const createGroupUserTable = Selector( ".MuiDialog-container .ReactVirtualized__Table"
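Review bot: The shortened `withText` string in `bucketsTableDisabled` no longer checks which permission the message names, so a regression that advertises the wrong scope to the user would still pass this selector. If the message now lists more than one scope, the assertion can stay tolerant of the exact list while still pinning the required one, for example with a pattern such as `.withText(/Please ask your MinIO administrator to grant you .*s3:ListBucket/)`, assuming the selector's `withText` accepts a RegExp as TestCafe's does. The rest of the file lies outside this hunk.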