From e5da67d1bcf50c54866ed71468e5fcc8ba4f1417 Mon Sep 17 00:00:00 2001
From: Kaan Kabalak
Date: Mon, 9 Jan 2023 08:42:19 -0800
Subject: [PATCH] Allow s3:Get* actions in Console (#2559)
---
 .../src/common/SecureComponent/permissions.ts | 3 ++
 .../Buckets/BucketDetails/AccessRulePanel.tsx | 4 ++-
 .../Buckets/BucketDetails/BrowserHandler.tsx | 1 +
 .../Buckets/BucketDetails/BucketDetails.tsx | 9 ++++-
 .../BucketDetails/BucketEventsPanel.tsx | 6 +++-
 .../BucketDetails/BucketLifecyclePanel.tsx | 6 +++-
 .../BucketDetails/BucketReplicationPanel.tsx | 6 +++-
 .../BucketDetails/BucketSummaryPanel.tsx | 34 +++++++++++++++----
 .../BucketDetails/SummaryItems/BucketTags.tsx | 2 +-
 .../Objects/ListObjects/ListObjects.tsx | 12 +++++--
 .../Objects/ListObjects/ObjectDetailPanel.tsx | 24 +++++++++----
 .../Objects/ObjectDetails/TagsModal.tsx | 5 ++-
 12 files changed, 89 insertions(+), 23 deletions(-)
diff --git a/portal-ui/src/common/SecureComponent/permissions.ts b/portal-ui/src/common/SecureComponent/permissions.ts
index 7282530d3..9d05c9d30 100644
--- a/portal-ui/src/common/SecureComponent/permissions.ts
+++ b/portal-ui/src/common/SecureComponent/permissions.ts
@@ -29,6 +29,7 @@ export const IAM_SCOPES = {
 S3_PUT_BUCKET_POLICY: "s3:PutBucketPolicy",
 S3_GET_OBJECT: "s3:GetObject",
 S3_PUT_OBJECT: "s3:PutObject",
+ S3_GET_ACTIONS: "s3:Get*",
 S3_PUT_ACTIONS: "s3:Put*",
 S3_GET_OBJECT_LEGAL_HOLD: "s3:GetObjectLegalHold",
 S3_PUT_OBJECT_LEGAL_HOLD: "s3:PutObjectLegalHold",
@@ -300,11 +301,13 @@ export const IAM_PERMISSIONS = {
 IAM_SCOPES.ADMIN_LIST_USER_POLICIES,
 IAM_SCOPES.ADMIN_LIST_USERS,
 IAM_SCOPES.ADMIN_HEAL,
+ IAM_SCOPES.S3_GET_ACTIONS,
 IAM_SCOPES.S3_PUT_ACTIONS,
 ],
 [IAM_ROLES.BUCKET_LIFECYCLE]: [
 IAM_SCOPES.S3_GET_LIFECYCLE_CONFIGURATION,
 IAM_SCOPES.S3_PUT_LIFECYCLE_CONFIGURATION,
+ IAM_SCOPES.S3_GET_ACTIONS,
 IAM_SCOPES.S3_PUT_ACTIONS,
 IAM_SCOPES.ADMIN_LIST_TIERS,
 IAM_SCOPES.ADMIN_SET_TIER,
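Review bot: `S3_GET_ACTIONS: "s3:Get*"` in the `IAM_SCOPES` hunk (@@ -29) is a literal action string, and nothing in this patch shows the Console expanding it as a pattern. If `hasPermission` (not shown on this page) compares scope strings by equality, a policy granting exactly `s3:Get*` unlocks the controls, while a differently written pattern (a constructed example: `s3:GetObject*`) would still hide them. That behaviour is worth stating next to the constant, for instance `// literal policy action; compared as a string, not expanded as a glob (confirm against hasPermission)`. The object literal starts and ends outside the hunk.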
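Review bot: The first `IAM_SCOPES.S3_GET_ACTIONS` added in the `IAM_PERMISSIONS` hunk (@@ -300) lands in a role whose key is above the hunk and whose other visible scopes are admin ones (`ADMIN_LIST_USER_POLICIES`, `ADMIN_LIST_USERS`, `ADMIN_HEAL`). If a role list is satisfied by any single scope, a read-only S3 grant now passes that role's gate, so please confirm this is intended for that role and not only for `BUCKET_LIFECYCLE`. These lists decide what the Console renders, not what the server allows, and a short comment above them such as `// UI gating only; the server evaluates the policy on every request` would keep later additions from being read as an authorization change.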
diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/AccessRulePanel.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/AccessRulePanel.tsx index 4bd371b15..326a33b30 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/AccessRulePanel.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/AccessRulePanel.tsx @@ -97,6 +97,7 @@ const AccessRule = () => { const displayAccessRules = hasPermission(bucketName, [ IAM_SCOPES.S3_GET_BUCKET_POLICY, + IAM_SCOPES.S3_GET_ACTIONS, ]); const deleteAccessRules = hasPermission(bucketName, [ @@ -200,6 +201,7 @@ const AccessRule = () => { scopes={[ IAM_SCOPES.S3_GET_BUCKET_POLICY, IAM_SCOPES.S3_PUT_BUCKET_POLICY, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ]} resource={bucketName} @@ -221,7 +223,7 @@ const AccessRule = () => { diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx index e0fc1330c..d739c53d3 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BrowserHandler.tsx @@ -524,6 +524,7 @@ const BrowserHandler = () => { IAM_SCOPES.S3_LIST_BUCKET_VERSIONS, IAM_SCOPES.S3_GET_BUCKET_POLICY_STATUS, IAM_SCOPES.S3_DELETE_BUCKET_POLICY, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ]); diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketDetails.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketDetails.tsx index d7c5a4daf..95c3f2438 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketDetails.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketDetails.tsx @@ -255,7 +255,10 @@ const BucketDetails = ({ classes }: IBucketDetailsProps) => { title={bucketName} subTitle={ Access: 
@@ -361,6 +364,7 @@ const BucketDetails = ({ classes }: IBucketDetailsProps) => { disabled: !hasPermission(bucketName, [ IAM_SCOPES.S3_GET_BUCKET_NOTIFICATIONS, IAM_SCOPES.S3_PUT_BUCKET_NOTIFICATIONS, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ]), to: getRoutePath("events"), @@ -378,6 +382,7 @@ const BucketDetails = ({ classes }: IBucketDetailsProps) => { !hasPermission(bucketName, [ IAM_SCOPES.S3_GET_REPLICATION_CONFIGURATION, IAM_SCOPES.S3_PUT_REPLICATION_CONFIGURATION, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ]), to: getRoutePath("replication"), @@ -393,6 +398,7 @@ const BucketDetails = ({ classes }: IBucketDetailsProps) => { !hasPermission(bucketName, [ IAM_SCOPES.S3_GET_LIFECYCLE_CONFIGURATION, IAM_SCOPES.S3_PUT_LIFECYCLE_CONFIGURATION, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ]), to: getRoutePath("lifecycle"), @@ -418,6 +424,7 @@ const BucketDetails = ({ classes }: IBucketDetailsProps) => { component: Link, disabled: !hasPermission(bucketName, [ IAM_SCOPES.S3_GET_BUCKET_POLICY, + IAM_SCOPES.S3_GET_ACTIONS, ]), to: getRoutePath("prefix"), }, diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketEventsPanel.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketEventsPanel.tsx index f281099e5..48763804a 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketEventsPanel.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketEventsPanel.tsx @@ -80,6 +80,7 @@ const BucketEventsPanel = ({ classes }: IBucketEventsProps) => { const displayEvents = hasPermission(bucketName, [ IAM_SCOPES.S3_GET_BUCKET_NOTIFICATIONS, + IAM_SCOPES.S3_GET_ACTIONS, ]); useEffect(() => { @@ -177,7 +178,10 @@ const BucketEventsPanel = ({ classes }: IBucketEventsProps) => { diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketLifecyclePanel.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketLifecyclePanel.tsx index 68be2a905..0b096aeaf 100644 
--- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketLifecyclePanel.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketLifecyclePanel.tsx @@ -76,6 +76,7 @@ const BucketLifecyclePanel = ({ classes }: IBucketLifecyclePanelProps) => { const displayLifeCycleRules = hasPermission(bucketName, [ IAM_SCOPES.S3_GET_LIFECYCLE_CONFIGURATION, + IAM_SCOPES.S3_GET_ACTIONS, ]); useEffect(() => { @@ -298,7 +299,10 @@ const BucketLifecyclePanel = ({ classes }: IBucketLifecyclePanelProps) => { diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketReplicationPanel.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketReplicationPanel.tsx index 53bcde36f..29c54f5a1 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketReplicationPanel.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketReplicationPanel.tsx @@ -94,6 +94,7 @@ const BucketReplicationPanel = ({ classes }: IBucketReplicationProps) => { const displayReplicationRules = hasPermission(bucketName, [ IAM_SCOPES.S3_GET_REPLICATION_CONFIGURATION, + IAM_SCOPES.S3_GET_ACTIONS, ]); useEffect(() => { @@ -303,7 +304,10 @@ const BucketReplicationPanel = ({ classes }: IBucketReplicationProps) => { diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketSummaryPanel.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketSummaryPanel.tsx index 0a0e35b08..6e27f28d5 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketSummaryPanel.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/BucketSummaryPanel.tsx 
@@ -149,10 +149,12 @@ const BucketSummary = ({ classes }: IBucketSummaryProps) => { const displayGetBucketObjectLockConfiguration = hasPermission(bucketName, [ IAM_SCOPES.S3_GET_BUCKET_OBJECT_LOCK_CONFIGURATION, + IAM_SCOPES.S3_GET_ACTIONS, ]); const displayGetBucketEncryptionConfiguration = hasPermission(bucketName, [ IAM_SCOPES.S3_GET_BUCKET_ENCRYPTION_CONFIGURATION, + IAM_SCOPES.S3_GET_ACTIONS, ]); const displayGetBucketQuota = hasPermission(bucketName, [ @@ -417,14 +419,17 @@ const BucketSummary = ({ classes }: IBucketSummaryProps) => { Summary { { { { {distributedSetup && ( @@ -571,7 +588,10 @@ const BucketSummary = ({ classes }: IBucketSummaryProps) => { {hasObjectLocking && ( diff --git a/portal-ui/src/screens/Console/Buckets/BucketDetails/SummaryItems/BucketTags.tsx b/portal-ui/src/screens/Console/Buckets/BucketDetails/SummaryItems/BucketTags.tsx index 28d845550..78da96c0d 100644 --- a/portal-ui/src/screens/Console/Buckets/BucketDetails/SummaryItems/BucketTags.tsx +++ b/portal-ui/src/screens/Console/Buckets/BucketDetails/SummaryItems/BucketTags.tsx @@ -96,7 +96,7 @@ const BucketTags = ({ bucketName }: BucketTagProps) => { {isLoading ? : null} { const fileUpload = useRef(null); const folderUpload = useRef(null); - const canDownload = hasPermission(bucketName, [IAM_SCOPES.S3_GET_OBJECT]); + const canDownload = hasPermission(bucketName, [ + IAM_SCOPES.S3_GET_OBJECT, + IAM_SCOPES.S3_GET_ACTIONS, + ]); const canDelete = hasPermission(bucketName, [IAM_SCOPES.S3_DELETE_OBJECT]); const canUpload = hasPermission( uploadPath, @@ -792,7 +795,7 @@ const ListObjects = () => { tooltip: canDownload ? "Download Selected" : permissionTooltipHelper( - [IAM_SCOPES.S3_GET_OBJECT], + [IAM_SCOPES.S3_GET_OBJECT, IAM_SCOPES.S3_GET_ACTIONS], "download objects from this bucket" ), }, 
@@ -968,7 +971,10 @@ const ListObjects = () => { }} disabled={ !isVersioned || - !hasPermission(bucketName, [IAM_SCOPES.S3_GET_OBJECT]) + !hasPermission(bucketName, [ + IAM_SCOPES.S3_GET_OBJECT, + IAM_SCOPES.S3_GET_ACTIONS, + ]) } /> diff --git a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ObjectDetailPanel.tsx b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ObjectDetailPanel.tsx index 5429c9410..a1ea4fc61 100644 --- a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ObjectDetailPanel.tsx +++ b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ListObjects/ObjectDetailPanel.tsx @@ -455,6 +455,7 @@ const ObjectDetailPanel = ({ [ IAM_SCOPES.S3_GET_OBJECT_RETENTION, IAM_SCOPES.S3_PUT_OBJECT_RETENTION, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ], true @@ -466,10 +467,12 @@ const ObjectDetailPanel = ({ IAM_SCOPES.S3_GET_BUCKET_VERSIONING, IAM_SCOPES.S3_PUT_BUCKET_VERSIONING, IAM_SCOPES.S3_GET_OBJECT_VERSION, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ]); const canGetObject = hasPermission(objectResources, [ IAM_SCOPES.S3_GET_OBJECT, + IAM_SCOPES.S3_GET_ACTIONS, ]); const canDelete = hasPermission( [bucketName, currentItem, [bucketName, actualInfo.name].join("/")], @@ -487,7 +490,7 @@ const ObjectDetailPanel = ({ tooltip: canGetObject ? "Download this Object" : permissionTooltipHelper( - [IAM_SCOPES.S3_GET_OBJECT], + [IAM_SCOPES.S3_GET_OBJECT, IAM_SCOPES.S3_GET_ACTIONS], "download this object" ), }, @@ -501,7 +504,7 @@ const ObjectDetailPanel = ({ tooltip: canGetObject ? "Share this File" : permissionTooltipHelper( - [IAM_SCOPES.S3_GET_OBJECT], + [IAM_SCOPES.S3_GET_OBJECT, IAM_SCOPES.S3_GET_ACTIONS], "share this object" ), }, @@ -518,7 +521,7 @@ const ObjectDetailPanel = ({ tooltip: canGetObject ? "Preview this File" : permissionTooltipHelper( - [IAM_SCOPES.S3_GET_OBJECT], + [IAM_SCOPES.S3_GET_OBJECT, IAM_SCOPES.S3_GET_ACTIONS], "preview this object" ), }, 
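Review bot: In ObjectDetailPanel.tsx at @@ -455 the scope array that gains `IAM_SCOPES.S3_GET_ACTIONS` is passed to a call whose last argument is `true`, and the call itself starts above the hunk. If that flag means every listed scope must be present, adding the wildcard makes the check stricter rather than looser: a user holding only the specific retention actions would now also need the literal `s3:Get*` entry. If the flag means something else, a short comment beside `true` naming the parameter it sets would settle it for the next reader. The neighbouring hunk at @@ -466 adds the same scope to a call without the flag, so the two checks may not behave alike.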
@@ -561,6 +564,7 @@ const ObjectDetailPanel = ({ [ IAM_SCOPES.S3_GET_OBJECT_RETENTION, IAM_SCOPES.S3_PUT_OBJECT_RETENTION, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ], "change Retention Rules for this object" @@ -580,6 +584,7 @@ const ObjectDetailPanel = ({ [ IAM_SCOPES.S3_PUT_OBJECT_TAGGING, IAM_SCOPES.S3_GET_OBJECT_TAGGING, + IAM_SCOPES.S3_GET_ACTIONS, IAM_SCOPES.S3_PUT_ACTIONS, ], "set Tags on this object" @@ -626,8 +631,9 @@ const ObjectDetailPanel = ({ [ IAM_SCOPES.S3_GET_BUCKET_VERSIONING, IAM_SCOPES.S3_PUT_BUCKET_VERSIONING, - IAM_SCOPES.S3_PUT_ACTIONS, IAM_SCOPES.S3_GET_OBJECT_VERSION, + IAM_SCOPES.S3_GET_ACTIONS, + IAM_SCOPES.S3_PUT_ACTIONS, ], "display all versions of this object" ), @@ -845,7 +851,10 @@ const ObjectDetailPanel = ({ @@ -857,7 +866,10 @@ const ObjectDetailPanel = ({ diff --git a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ObjectDetails/TagsModal.tsx b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ObjectDetails/TagsModal.tsx index 00b603f70..1c0c5288b 100644 --- a/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ObjectDetails/TagsModal.tsx +++ b/portal-ui/src/screens/Console/Buckets/ListBuckets/Objects/ObjectDetails/TagsModal.tsx @@ -239,7 +239,10 @@ const AddTagModal = ({ ) : (
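Review bot: In ObjectDetailPanel.tsx at @@ -561 and @@ -580 the arrays passed to `permissionTooltipHelper` for "change Retention Rules for this object" and "set Tags on this object" now include `IAM_SCOPES.S3_GET_ACTIONS`. The helper is not shown here, but it presumably lists these scopes to the user as the permissions that would enable the action, so a read-only wildcard ends up advertised for a write operation that the server would still refuse. Consider leaving the Get wildcard out of the tooltip lists for write actions, e.g. `[IAM_SCOPES.S3_PUT_OBJECT_TAGGING, IAM_SCOPES.S3_PUT_ACTIONS]` for tagging. Both calls start above their hunks.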