minio / mc

Unix like utilities for object store
https://min.io/download
GNU Affero General Public License v3.0

mc cp error for a policy without permissions #5067

Open prakashsvmx opened 1 week ago

prakashsvmx commented 1 week ago

Expected behavior

Expected Access Denied

Actual behavior

Failed to copy `~/Downloads/test-all-file-types/Sizes/10G.img`. Your proposed upload size ‘10737418240’ exceeds the maximum allowed object size ‘5368709120’ for single PUT operation

Steps to reproduce the behavior

As an Admin: Create a policy test-policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::vcache"
            ]
        }
    ]
}

Create a bucket vcache

Create a user with credentials like: test-user minio123

Assign the policy to the test-user

Add an alias with test-user credentials. Now try to copy a large file

fallocate -l 10G 10G.img

➜ mc cp 10G.img tu/vcache        
mc: <ERROR> Failed to copy `~/Downloads/test-all-file-types/Sizes/10G.img`. Your proposed upload size ‘10737418240’ exceeds the maximum allowed object size ‘5368709120’ for single PUT operation.

Debug info

 mc cp 10G.img tu/vcache --debug
 0 B / ? ┃░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░▓┃mc: <DEBUG> GET /vcache/?location= HTTP/1.1
Host: localhost:22000
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-08T09-37-26Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=test-user/20241021/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241021T102645Z

mc: <DEBUG> HTTP/1.1 200 OK
Content-Length: 128
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 21 Oct 2024 10:26:45 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: 48addc98c2360aa8669eaf51e6e422b59d52374e3af3dd7f59fd25b0da98e481
X-Amz-Request-Id: 180070E98DAEC03E
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 1518
X-Ratelimit-Remaining: 1518
X-Xss-Protection: 1; mode=block

mc: <DEBUG> Response Time:  1.196939ms

mc: <DEBUG> GET /vcache/?object-lock= HTTP/1.1
Host: localhost:22000
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-08T09-37-26Z
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=test-user/20241021/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241021T102645Z

mc: <DEBUG> HTTP/1.1 404 Not Found
Content-Length: 358
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 21 Oct 2024 10:26:45 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: 48addc98c2360aa8669eaf51e6e422b59d52374e3af3dd7f59fd25b0da98e481
X-Amz-Request-Id: 180070E98DB9837C
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 1518
X-Ratelimit-Remaining: 1518
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>ObjectLockConfigurationNotFoundError</Code><Message>Object Lock configuration does not exist for this bucket</Message><BucketName>vcache</BucketName><Resource>/vcache/</Resource><RequestId>180070E98DB9837C</RequestId><HostId>48addc98c2360aa8669eaf51e6e422b59d52374e3af3dd7f59fd25b0da98e481</HostId></Error>mc: <DEBUG> Response Time:  804.02µs

mc: <DEBUG> HEAD /vcache/ HTTP/1.1
Host: localhost:22000
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-08T09-37-26Z
Authorization: AWS4-HMAC-SHA256 Credential=test-user/20241021/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20241021T102645Z

mc: <DEBUG> HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 21 Oct 2024 10:26:45 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: 48addc98c2360aa8669eaf51e6e422b59d52374e3af3dd7f59fd25b0da98e481
X-Amz-Request-Id: 180070E98DD28E47
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 1518
X-Ratelimit-Remaining: 1518
X-Xss-Protection: 1; mode=block
Content-Length: 0

mc: <DEBUG> Response Time:  372.444µs

mc: <DEBUG> POST /vcache/10G.img?uploads= HTTP/1.1
Host: localhost:22000
User-Agent: MinIO (linux; amd64) minio-go/v7.0.77 mc/RELEASE.2024-10-08T09-37-26Z
Content-Length: 0
Accept-Encoding: zstd,gzip
Authorization: AWS4-HMAC-SHA256 Credential=test-user/20241021/us-east-1/s3/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=**REDACTED**
Content-Type: application/octet-stream
X-Amz-Content-Sha256: UNSIGNED-PAYLOAD
X-Amz-Date: 20241021T102645Z

mc: <DEBUG> HTTP/1.1 403 Forbidden
Content-Length: 317
Accept-Ranges: bytes
Content-Type: application/xml
Date: Mon, 21 Oct 2024 10:26:45 GMT
Server: MinIO
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Origin
Vary: Accept-Encoding
X-Amz-Id-2: 48addc98c2360aa8669eaf51e6e422b59d52374e3af3dd7f59fd25b0da98e481
X-Amz-Request-Id: 180070E98DE658F6
X-Content-Type-Options: nosniff
X-Ratelimit-Limit: 1518
X-Ratelimit-Remaining: 1518
X-Xss-Protection: 1; mode=block

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Key>10G.img</Key><BucketName>vcache</BucketName><Resource>/vcache/10G.img</Resource><RequestId>180070E98DE658F6</RequestId><HostId>48addc98c2360aa8669eaf51e6e422b59d52374e3af3dd7f59fd25b0da98e481</HostId></Error>mc: <DEBUG> Response Time:  335.553µs

mc: <ERROR> Failed to copy `~/Downloads/test-all-file-types/Sizes/10G.img`. Your proposed upload size ‘10737418240’ exceeds the maximum allowed object size ‘5368709120’ for single PUT operation.
 (3) cp-main.go:487 cmd.doCopySession(..) Tags: [~/Downloads/test-all-file-types/Sizes/10G.img]
 (2) common-methods.go:510 cmd.uploadSourceToTargetURL(..) Tags: [~/Downloads/test-all-file-types/Sizes/10G.img]
 (1) common-methods.go:212 cmd.putTargetStream(..) Tags: [tu, http://localhost:22000/vcache/10G.img]
 (0) client-s3.go:1161 cmd.(*S3Client).Put(..)
 Release-Tag:RELEASE.2024-10-08T09-37-26Z | Commit:cf128de2cf42 | Host:minio | OS:linux | Arch:amd64 | Lang:go1.22.8 | Mem:5.2 MiB/23 MiB | Heap:5.2 MiB/15 MiB

mc --version

 ➜ mc --version                   
mc version RELEASE.2024-10-08T09-37-26Z (commit-id=cf128de2cf42e763e7bd30c6df8b749fa94e0c10)
Runtime: go1.22.8 linux/amd64
Copyright (c) 2015-2024 MinIO, Inc.
License GNU AGPLv3 <https://www.gnu.org/licenses/agpl-3.0.html>

 ➜ minio --version
minio version DEVELOPMENT.2024-10-14T16-35-37Z (commit-id=3da7c9cce3dea46c50b53bc9a5a93ede46741d92)
Runtime: go1.23.2 linux/amd64
License: GNU AGPLv3 - https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.

The policy with which it works as expected:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::vcache/*"
            ]
        }
    ]
}

System information
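
The following is an added example, not part of the original issue or of mc/MinIO code. It replays the four requests from the `--debug` trace against both policies using a simplified AWS-style evaluation, to show why only the `POST ...?uploads=` call is refused when the `Resource` is the bare bucket ARN. Assumptions: the mapping of each request to an S3 action name follows AWS S3 conventions, only `Allow` statements are evaluated (no `Deny`, no `Condition`), and matching is case-sensitive glob matching.

```python
import fnmatch

ARN = "arn:aws:s3:::"

# Requests taken from the issue's --debug trace. The action assigned to each
# request is an assumption based on AWS S3 conventions.
TRACE = [
    ("GET /vcache/?location=", "s3:GetBucketLocation", ARN + "vcache"),
    ("GET /vcache/?object-lock=", "s3:GetBucketObjectLockConfiguration", ARN + "vcache"),
    ("HEAD /vcache/", "s3:ListBucket", ARN + "vcache"),
    ("POST /vcache/10G.img?uploads=", "s3:PutObject", ARN + "vcache/10G.img"),
]


def _as_list(value):
    """Policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def allowed(policy, action, resource):
    """Simplified evaluation: any Allow statement matching action AND resource."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if act_ok and res_ok:
            return True
    return False


def denied_requests(policy):
    """Return the trace requests this policy does not authorize."""
    return [req for req, action, res in TRACE if not allowed(policy, action, res)]


def make_policy(resource):
    """Build a policy shaped like the two in the issue, varying only Resource."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": [resource]}]}


BUCKET_ONLY = make_policy(ARN + "vcache")      # policy from the reproduction steps
OBJECTS_ONLY = make_policy(ARN + "vcache/*")   # policy from the end of the issue

if __name__ == "__main__":
    for name, pol in (("bucket-only", BUCKET_ONLY), ("objects-only", OBJECTS_ONLY)):
        print(name, "does not authorize:", denied_requests(pol))
```

With the bucket-only policy the model refuses exactly the request that returned `403 Forbidden` in the trace, even though `s3:*` appears to grant everything.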