Closed
Bug 971555
Opened 11 years ago
Closed 11 years ago
Add s3:PutObjectAcl access to shared cache buckets from build slaves
Categories
(Release Engineering :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: glandium, Assigned: rail)
References
Details
So it turns out that to make the shared cache script work for ceph, I added x-amz-acl: public-read to the PUT request it does unconditionally. I just noticed this blocked caching on s3 because of the IAM rules set in bug 966152. The two possible solutions would be to either change the script to do it conditionally, or to update the IAM rules to allow it. Both require releng action (since the script is already on tooltool so that would require a tooltool package update), and I thought it would be better to just add the proper rights. I tested this additional statement:
{
  "Sid": "AllowPutAcl",
  "Effect": "Allow",
  "Action": [
    "s3:PutObjectAcl"
  ],
  "Resource": [
    "arn:aws:s3:::{bucket_name}/*"
  ],
  "Condition": {
    "StringEquals": {
      "s3:x-amz-acl": ["public-read"]
    }
  }
}
It does allow x-amz-acl: public-read while preventing other values like authenticated-read or public-read-write. Interestingly, it still allows private, but I don't think that matters. The most important thing is to avoid public-read-write.
Comment 1•11 years ago (Assignee)
Done. FTR, this is what the current role policy for try-linux64 looks like. The second policy is exactly the same except for the bucket name.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPut",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"
      ]
    },
    {
      "Sid": "AllowPutAcl",
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"
      ],
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": ["public-read"]
        }
      }
    }
  ]
}
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
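To make the effect of the AllowPutAcl statement concrete, here is an added example (not code from the bug or from releng) that evaluates the role policy above against a few PUT requests with a minimal IAM-style evaluator. It models only what the page uses (Allow statements, a trailing "/*" resource wildcard, StringEquals) and assumes that a PUT carrying an x-amz-acl header needs both s3:PutObject and s3:PutObjectAcl; the reporter's observation that private is still accepted is not reproduced by this simplification.

```python
# Condensed copy of the role policy from comment 1 (same bucket ARN).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowPut", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"]},
        {"Sid": "AllowPutAcl", "Effect": "Allow",
         "Action": ["s3:PutObjectAcl"],
         "Resource": ["arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/*"],
         "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read"]}}},
    ],
}


def _matches(pattern, value):
    # Only the trailing "/*" wildcard used in these policies is modelled.
    return value == pattern or (pattern.endswith("*") and value.startswith(pattern[:-1]))


def _condition_holds(condition, context):
    # StringEquals only. A key absent from the request context makes the
    # condition false, which is how IAM treats a missing condition key.
    for key, allowed in condition.get("StringEquals", {}).items():
        if context.get(key) not in allowed:
            return False
    return True


def action_allowed(policy, action, resource, context):
    """True if some Allow statement covers action+resource and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(_matches(r, resource) for r in stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def put_allowed(policy, key, acl=None):
    """Whether a PUT of `key` into the try cache bucket is allowed.
    Assumption (not from the page): with an x-amz-acl header the request must
    pass both s3:PutObject and s3:PutObjectAcl; without one, only s3:PutObject."""
    resource = "arn:aws:s3:::mozilla-releng-s3-cache-us-east-1-try/" + key
    context = {"s3:x-amz-acl": acl} if acl else {}
    if not action_allowed(policy, "s3:PutObject", resource, context):
        return False
    return acl is None or action_allowed(policy, "s3:PutObjectAcl", resource, context)
```

Evaluating the policy with only the AllowPut statement reproduces the original failure: a PUT that unconditionally sends x-amz-acl: public-read is denied until AllowPutAcl is added.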
Updated•7 years ago
Component: General Automation → General