Closed
Bug 1316410
Opened 8 years ago
Closed 8 years ago
AWS policies taskcluster-level-X-sccache shouldn't have GetObjectAcl and PutObjectAcl
Categories
(Taskcluster :: Operations and Service Requests, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jonasfj, Unassigned)
I would prefer if the policies taskcluster-level-X-sccache didn't have GetObjectAcl and PutObjectAcl. This breaks sccache, but works with sccache2. Note: I've attached these policies to tc-auth so it can issue temporary credentials for these buckets. @pmoore, grenade: Is this something we can easily do? I prefer clients don't have the ability to make something public, if it's not supposed to be public. If we want it public, I propose doing it with a bucket policy.
Flags: needinfo?(rthijssen)
Flags: needinfo?(pmoore)
Comment 1•8 years ago
I think we need to relax this requirement and allow PutObjectAcl. Prohibiting it breaks just about every tool that works with S3. We never did get a good answer from the S3 engineers on the details of the IAM policy. Maybe we could get their attention by exploiting one of their customers and collecting a bounty :)
Comment 2•8 years ago
i added the acl permissions to the policies in an effort to fix sccache (v1). since that's still broken (because of the task user directory name issue) and since sccache2 apparently doesn't need the acl rights, i wouldn't object to having them removed but i would coordinate with ted so he has a chance to test his symlink patches in bug 1187257 in case that does rely on the acl rights. currently there's nothing in the buckets to protect.
Flags: needinfo?(rthijssen)
Updated•8 years ago
Flags: needinfo?(pmoore)
Reporter
Comment 3•8 years ago
Okay, let's go back and reconsider this in some future when sccache v1 isn't in use anymore.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Comment 4•8 years ago
We enabled sccache2 on taskcluster, so this should no longer be an issue.
Comment 5•8 years ago
i have now removed GetObjectAcl and PutObjectAcl from the policies
Assignee
Updated•5 years ago
Component: Operations → Operations and Service Requests
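A check for the concern raised in this bug, as an added example (not code from the bug or from Taskcluster): it flags Allow statements in an IAM policy document that grant s3:GetObjectAcl or s3:PutObjectAcl, including through wildcards or NotAction. The sample policy, its Sids and the bucket name are constructed; explicit Deny statements and Conditions are not evaluated.

```python
import re

# Object-ACL actions the bug asks to keep out of the sccache policies.
ACL_ACTIONS = ("s3:GetObjectAcl", "s3:PutObjectAcl")

def _as_list(value):
    """IAM allows Statement/Action/NotAction to be one item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    """IAM action patterns are case-insensitive; '*' and '?' are wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def acl_grants(policy):
    """Return sorted (sid, action) pairs for Allow statements granting an ACL action.

    A hit means "granted by this statement", not "effective permission":
    Deny statements and Conditions are ignored (simplifying assumption).
    """
    hits = set()
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in ACL_ACTIONS:
            if "NotAction" in stmt:
                # Allow + NotAction grants everything except the listed patterns.
                granted = not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
            else:
                granted = any(_matches(p, action) for p in _as_list(stmt.get("Action")))
            if granted:
                hits.add((sid, action))
    return sorted(hits)

# Constructed sample policy (not the real taskcluster-level-X-sccache document).
RES = "arn:aws:s3:::EXAMPLE-BUCKET/*"  # placeholder bucket
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Cache", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": RES},
    {"Sid": "Explicit", "Effect": "Allow", "Action": "s3:putobjectacl", "Resource": RES},
    {"Sid": "Wildcard", "Effect": "Allow", "Action": ["s3:Get*"], "Resource": RES},
]}

if __name__ == "__main__":
    for sid, action in acl_grants(SAMPLE):
        print(f"{sid}: grants {action}")
```

An empty result for a policy means no Allow statement in it names or wildcards either ACL action.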