sonatype / nexus-public

Sonatype Nexus Repository Open-source codebase mirror
https://www.sonatype.com/products/repository-oss-download
Eclipse Public License 1.0

Configuring blob store on Minio S3 gives: "Bucket exists but is not owned by you" #200

Open eriklogtenberg opened 1 year ago

eriklogtenberg commented 1 year ago

I am trying to configure Nexus OSS to use a S3 bucket on Minio for a blob store.

Documentation [1] calls for the following permissions for the case where a suitable bucket was already created: s3:PutObject, s3:GetObject, s3:DeleteObject, s3:ListBucket, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration, s3:PutObjectTagging, s3:GetObjectTagging, s3:DeleteObjectTagging, s3:GetBucketAcl (used for problem diagnosis).

I created a policy just like that, except for the GetBucketAcl permission, since Minio doesn't support it (Minio uses policies and not ACLs [2]). There is some user-contributed documentation [3] that suggests some specific options for Minio, most notably to set the "Use path-style access" checkbox. When I save the configuration, Nexus does a connection check and gives the error: "An error occurred saving data. ValidationErrorXO{id='*', message='Bucket exists but is not owned by you.'}"

I am not sure how to solve this issue. Minio doesn't seem to support the notion of bucket ownership, a user simply has a set of permissions, based on the policy. The user that I created for Nexus has full permissions on this bucket. I suspect that the unsupported GetBucketAcl permission might have something to do with it. The official documentation [1] links to https://issues.sonatype.org/browse/NEXUS-19494 for more information specifically for that setting, but that URL is no longer accessible, and I couldn't find a corresponding issue here on GitHub. Any suggestions?

[1] https://help.sonatype.com/repomanager3/nexus-repository-administration/repository-management/configuring-blob-stores
[2] https://github.com/minio/minio/issues/8195
[3] https://gist.github.com/ataylor284/7b15c276441906d16d43f58cf8e3ea94

eriklogtenberg commented 1 year ago

I experimented a bit further:

  1. I tried using the REST API to create the S3 backed Blob store, hoping that the failing access check was only implemented in the GUI. Unfortunately the API behaves exactly the same way as the UI (in itself a good thing of course), and it returned a 500 "Internal Server Error" with the same message: "ValidationErrorXO{id='*', message='Bucket exists but is not owned by you.'}"

  2. I tried adding a bucket create/delete policy, as suggested by the documentation. I figured, perhaps if Nexus creates the bucket itself, the check won't be executed. Interestingly, it fails with the same error. In this case, the bucket actually does not exist, nor does Nexus create it. It does say 'Bucket exists but is not owned by you.' though.

ThoSap commented 1 year ago

Hi,

I already tried setting up Nexus with a MinIO S3 blob store in January 2021.

The issue is that Nexus is checking the s3:GetBucketAcl permission on the S3 bucket (BucketManager.java#L240-L252, S3BlobStoreException.java#L42, S3BlobStoreException.java#L82-L84, S3BlobStoreException.java#L40), and that fails due to the fact that MinIO does not implement Object ACL permissions/operations: https://github.com/minio/minio/issues/8195 https://github.com/minio/minio/issues/5706

AWS has been trying for some time to get rid of the S3 Object ACL model by replacing it completely with IAM, so maybe Nexus should also get rid of the s3:GetBucketAcl check, or at least make a checkbox to disable this check for AWS S3 compatible Object Storage implementations like MinIO or Cloudflare R2. https://infosecwriteups.com/take-confusion-out-of-iam-policies-aws-s3-bucket-policies-and-aws-s3-acls-61d8fa04a658
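To see the ownership check described above fail outside Nexus, the following added example (not Nexus's or MinIO's code; `check_bucket_ownership` and `FakeNoAclClient` are hypothetical names) compares the account owner from ListBuckets with the bucket owner from GetBucketAcl, which is the comparison BucketManager performs, and classifies the outcome. A constructed fake client stands in for an endpoint without ACL support so it runs offline; with an endpoint URL and bucket name on the command line it runs a live check with boto3 and path-style addressing.

```python
"""Mirror of the bucket-ownership check Nexus runs before saving an S3 blob
store (hypothetical helper, not Nexus's own code): the account owner reported
by ListBuckets must equal the bucket owner reported by GetBucketAcl."""


def _error_code(exc):
    # botocore's ClientError carries the S3 error code in exc.response; fall
    # back to the exception class name for anything else.
    resp = getattr(exc, "response", None) or {}
    return resp.get("Error", {}).get("Code", type(exc).__name__)


def check_bucket_ownership(s3, bucket):
    """Return (ok, reason). `s3` is anything with list_buckets() and
    get_bucket_acl(Bucket=...), such as a boto3 S3 client."""
    try:
        account_owner = s3.list_buckets().get("Owner", {}).get("ID")
    except Exception as exc:
        return False, f"ListBuckets failed: {_error_code(exc)}"
    try:
        acl = s3.get_bucket_acl(Bucket=bucket)
    except Exception as exc:
        code = _error_code(exc)
        if code == "NoSuchBucket":
            return False, "bucket does not exist"
        # An endpoint without ACL support rejects the call outright; Nexus
        # surfaces that as 'Bucket exists but is not owned by you'.
        return False, f"GetBucketAcl failed ({code}): ownership cannot be verified"
    bucket_owner = acl.get("Owner", {}).get("ID")
    if account_owner and bucket_owner == account_owner:
        return True, f"bucket owner {bucket_owner} matches account owner"
    return False, f"owner mismatch: account={account_owner!r} bucket={bucket_owner!r}"


class FakeNoAclClient:
    """Constructed stand-in for an endpoint that does not implement GetBucketAcl."""

    def list_buckets(self):
        return {"Owner": {"ID": "constructed-account"}, "Buckets": [{"Name": "nexus"}]}

    def get_bucket_acl(self, Bucket):
        err = Exception("GetBucketAcl not supported")
        err.response = {"Error": {"Code": "NotImplemented"}}  # shaped like ClientError
        raise err


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # live check: <endpoint-url> <bucket>
        import boto3
        from botocore.config import Config
        s3 = boto3.client("s3", endpoint_url=sys.argv[1],
                          config=Config(s3={"addressing_style": "path"}))  # path-style access
        print(check_bucket_ownership(s3, sys.argv[2]))
    else:
        print(check_bucket_ownership(FakeNoAclClient(), "nexus"))
```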

uqix commented 10 months ago

Any workaround for this? We use version 3.36.0-01.

ThoSap commented 10 months ago

@uqix unfortunately, no :( This needs to be fixed by the Sonatype devs

vswaminathan777 commented 10 months ago

@eriklogtenberg @uqix Thank you for taking the time to submit this problem statement and bringing this to our awareness. @ThoSap suggestion of making it a configurable option seems to be a reasonable solution for this issue. I will further discuss this with the technical team and keep you posted on the outcome.

kanami1990 commented 10 months ago

Try this policy:

```json
{
    "Effect": "Allow",
    "Action": [
        "s3:DeleteBucketPolicy",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy"
    ],
    "Resource": [
        "arn:aws:s3:::*"
    ]
}
```

It works for me.

ThoSap commented 9 months ago

@vswaminathan777 do you have an update on this?

scholzi100 commented 4 months ago

Looks like there is a property for disabling the bucket owner check, nexus.blobstore.s3.ownership.check.disabled, that was added in 51396c2d32d3704a8c94b477a633ed8553c510cf.