Backblaze / b2-sdk-python

Python library to access B2 cloud storage.
Other
186 stars 61 forks source link

Downloads and uploads requires listBuckets permission #497

Closed mullenkamp closed 5 months ago

mullenkamp commented 6 months ago

Hi,

I just started testing the b2sdk and realised that downloads and uploads (other than download_file_by_id) require the listBuckets permission. This is because get_bucket_by_name (or get_bucket_by_id) must be called to create a bucket object, and this request makes a list_buckets request. Is there a way around the list_buckets request, because this seems like an unnecessary extra permission to download and upload files?

Thanks

ppolewicz commented 6 months ago

You can use a key restricted to a bucket - in this case b2 account authorize will pre-fill the bucket id-to-name cache and you shouldn't need list_buckets

mullenkamp commented 6 months ago

Thanks for the reply. But it's still unclear when (and how) that cache gets updated with the bucket id and bucket name.

Following the tutorial (with real keys of course):

from b2sdk.v2 import InMemoryAccountInfo, B2Api

info = B2Api.InMemoryAccountInfo()
b2_api = B2Api.B2Api(info)
b2_api.authorize_account("production", 'fake_key_id', 'fake_key')

bucket = b2_api.get_bucket_by_id('fake_bucket_id')

The last line fails with an Unauthorized: unauthorized for application key with capabilities error. Is there a step I'm missing? The key that I'm using has read and write access to the files.

Thanks again

mjurbanski-reef commented 6 months ago

Seems the source of your problem to be in: https://github.com/Backblaze/b2-sdk-python/blob/aaf8569b81eb303c1619efb95e22b017a3ed01f9/b2sdk/_internal/session.py#L74-L79 I have to look more into this behavior, as my first instinct would be to change it, but we have a strong non-breaking changes policy.

In short, if AccountInfo is manually passed, then cache object is not automagically created for API and it is to expected to be passed in, explicitly, as you did with AccountInfo, i.e.

from b2sdk.v2 import B2Api, InMemoryAccountInfo, InMemoryCache

info = InMemoryAccountInfo()
b2_api = B2Api(
    info,
    cache=InMemoryCache()  # Without this line Bucket-specific Key with only readFiles capability won't work
)
mullenkamp commented 6 months ago

Thank you very much @ppolewicz , your solution does seem to work and I understand what's going on. Maybe a brief mention of this in the docs would be helpful, because the tutorial only uses the InMemoryAccountInfo as I described. Thanks again

mjurbanski-reef commented 5 months ago

To avoid breaking changes, the change was made to yet not stable b2sdk._v3 interface, while b2sdk.v2 stays as it was, but fixed documentation of to recommend:

from b2sdk.v2 import B2Api, InMemoryAccountInfo, AuthInfoCache

info = InMemoryAccountInfo()
b2_api = B2Api(
    info,
    cache=AuthInfoCache(info)
)

where as in b2sdk.v3 the manual creation of AuthInfoCache won't be required to attain the exactly same effect (i.e. having a working bucket cache).