The same bucket has inconsistent permissions under different menus #3511

Open
amosnothing opened this issue Mar 3, 2025 · 9 comments

amosnothing commented Mar 3, 2025

The same bucket has inconsistent permissions under different menus, resulting in files that have already been granted access still displaying "AccessDenied".

User - Object Browser
Image

Administrator - Buckets
Image

Image

MinIO Object Storage Server
Copyright: 2015-2024 MinIO, Inc.
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Version: RELEASE.2024-11-07T00-52-20Z (go1.23.3 linux/amd64)

@balamurugana balamurugana transferred this issue from minio/minio-java Mar 3, 2025
@harshavardhana harshavardhana transferred this issue from minio/minio Mar 3, 2025
@prakashsvmx
Member

prakashsvmx commented Mar 3, 2025

Access Policy is meant for Anonymous Access, so it implies that a custom Anonymous access policy is set. Other than the Public anonymous policy, it is considered as 'Private'.
There is no functional impact.
It is cosmetic, which can be updated based on the outcome of the discussion.

Also share the trace for the AccessDenied error for better understanding. It is mostly due to the IAM policy, which is slightly different from the Anonymous access policy.

@amosnothing
Author

What more information do I need to provide to help you troubleshoot this issue?

@prakashsvmx
Member

Troubleshooting is exclusive to SUBNET (Please subscribe to our paid subscription plans for 24x7 support from our Engineering team.)

In general, the trace and policy need to be checked.

@cesnietor
Collaborator

@amosnothing please share the policy (string) that you have. And the trace as requested.

@amosnothing
Author

Policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::quality-2025-w10"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::quality-2025-w10"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "*"
                ]
            },
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::quality-2025-w10/**"
            ]
        }
    ]
}
```
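
An added example, not part of the original thread and not MinIO code: a small audit that lists what the bucket policy posted above grants to the anonymous principal and flags conditional statements that add nothing. It assumes standard IAM policy semantics (Allow statements are additive; `StringEquals` is an exact match and wildcards need `StringLike`); the function names are hypothetical.

```python
# Constructed copy of the policy posted in the thread (same statements, compacted).
ANON = {"AWS": ["*"]}
BUCKET = "arn:aws:s3:::quality-2025-w10"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": ANON, "Resource": [BUCKET],
     "Action": ["s3:GetBucketLocation", "s3:ListBucket"]},
    {"Effect": "Allow", "Principal": ANON, "Resource": [BUCKET],
     "Action": ["s3:ListBucket"],
     "Condition": {"StringEquals": {"s3:prefix": ["*"]}}},
    {"Effect": "Allow", "Principal": ANON, "Resource": [BUCKET + "/**"],
     "Action": ["s3:GetObject"]},
]}

def as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def is_anonymous(principal):
    """True when the statement applies to unauthenticated requests."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in as_list(principal or [])

def anonymous_grants(policy):
    """Return (action, resource, condition) for every anonymous Allow."""
    grants = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal")):
            cond = stmt.get("Condition", {})
            grants += [(a, r, cond) for a in as_list(stmt["Action"])
                       for r in as_list(stmt["Resource"])]
    return grants

def review(policy):
    """Flag conditional anonymous grants that are redundant or misuse '*'."""
    grants = anonymous_grants(policy)
    unconditional = {(a, r) for a, r, c in grants if not c}
    findings = []
    for action, resource, cond in (g for g in grants if g[2]):
        if (action, resource) in unconditional:
            findings.append(f"{action} on {resource}: condition is redundant, "
                            "an unconditional Allow already covers it")
        for key, values in cond.get("StringEquals", {}).items():
            if any("*" in v for v in as_list(values)):
                findings.append(f"{action} on {resource}: StringEquals on {key} "
                                "compares '*' literally; wildcards need StringLike")
    return findings

if __name__ == "__main__":
    print(*anonymous_grants(POLICY), *review(POLICY), sep="\n")
```
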

@prakashsvmx
Member

Can you please describe the expected behavior of designing such a policy?
and
is the policy associated with a user or a bucket (anonymous policy)?

@amosnothing
Author

amosnothing commented Mar 12, 2025

Every time I encounter this problem, I go back to the web and open the bucket with abnormal permissions. When I access the files in the bucket again, they can be opened normally again. Throughout the entire operation, no configuration was modified. When there is a problem, a bucket will store files generated within 7 days, with a quantity ranging from 10000 to 50000 copies. Now I have modified it to a bucket containing nearly 5000 files generated in a day. And it may not be possible to reproduce the problem now, nor have we been able to obtain the corresponding trace.

> Can you please describe the expected behavior of designing such policy? and is the policy associated to a user or bucket (anonymous policy)?

> Can you please describe the expected behavior of designing such policy?

Anyone can open this file, as the system is only used within our company's intranet.

> is the policy associated to a user or bucket (anonymous policy)?

All buckets will use this strategy, and some will experience this issue while others will not.

@amosnothing
Author

I'm not sure if this issue is related to the following reasons:

  1. The number or total size of files in the bucket.
  2. The minio system is deployed within a container, and the directory of minio points to the mounting disk of the container.

@prakashsvmx
Member

prakashsvmx commented Mar 12, 2025

If this is inconsistent, or appears sporadically, it would require involved efforts to debug.
