Enable canned ACL for S3 #9042

Merged
merged 14 commits into from
Dec 14, 2021
Conversation

@atburke atburke commented Nov 18, 2021

This PR allows admins to specify a canned ACL when using S3 to store session recordings. The acl flag has been added as a query param for the audit session uri.

teleport:
  ...
  storage:
    region: us-west-2
    audit_sessions_uri: "s3://example-s3-bucket/path?acl=bucket-owner-full-control"

Resolves #7869.
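A stand-alone Go sketch, added here and not Teleport's own code, of the config-side check this PR implies: parse `audit_sessions_uri`, pull the `acl` query parameter, and reject anything that is not one of S3's canned ACLs before an upload is ever attempted. The `sessionStorage` type and function names are assumptions; the ACL list is AWS's documented set of canned ACLs.

```go
package main

import (
	"fmt"
	"net/url"
)

// The canned ACLs S3 accepts; plays the role of the PR's S3AllowedACL set.
var allowedCannedACL = map[string]struct{}{
	"private": {}, "public-read": {}, "public-read-write": {},
	"authenticated-read": {}, "aws-exec-read": {},
	"bucket-owner-read": {}, "bucket-owner-full-control": {},
}

// sessionStorage is a hypothetical stand-in for the handler config the PR fills in.
type sessionStorage struct {
	Bucket string
	Path   string
	ACL    string // empty: leave input.ACL unset, as the PR's `if h.Config.ACL != ""` does
}

// parseAuditSessionsURI validates an audit_sessions_uri of the form
// s3://bucket/path?acl=<canned-acl>, rejecting ACL values S3 would not accept.
func parseAuditSessionsURI(raw string) (sessionStorage, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return sessionStorage{}, fmt.Errorf("parsing audit_sessions_uri: %w", err)
	}
	if u.Scheme != "s3" || u.Host == "" {
		return sessionStorage{}, fmt.Errorf("want s3://bucket[/path], got %q", raw)
	}
	cfg := sessionStorage{Bucket: u.Host, Path: u.Path}
	if acl := u.Query().Get("acl"); acl != "" {
		if _, ok := allowedCannedACL[acl]; !ok {
			return sessionStorage{}, fmt.Errorf("unknown canned ACL %q in audit_sessions_uri", acl)
		}
		cfg.ACL = acl
	}
	return cfg, nil
}

func main() {
	// Constructed input matching the URI shown in the PR description.
	cfg, err := parseAuditSessionsURI("s3://example-s3-bucket/path?acl=bucket-owner-full-control")
	if err != nil {
		panic(err)
	}
	fmt.Printf("bucket=%s path=%s acl=%s\n", cfg.Bucket, cfg.Path, cfg.ACL)
}
```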

@atburke atburke self-assigned this Nov 18, 2021
@atburke atburke requested a review from zmb3 November 18, 2021 00:39
Comment on lines +51 to +53
if h.Config.ACL != "" {
input.ACL = aws.String(h.Config.ACL)
}
Contributor

Can you check if this is needed? I think you're setting it on the AWS session, so it shouldn't be needed right?

Contributor

Looks like it might be needed, but please verify.

https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateMultipartUpload.html

Contributor Author

This is needed. The session doesn't handle the ACL.

constants.go Outdated
@@ -582,11 +585,25 @@ const (
// MinClientVersion is the minimum client version required by the server.
var MinClientVersion string

// S3AllowedACL is the set of canned ACLs that S3 accepts
var S3AllowedACL map[string]struct{}
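Review bot: `S3AllowedACL` is declared as an exported, mutable package-level map (`var S3AllowedACL map[string]struct{}`), so any package that imports this one can add or remove entries at runtime and widen the set of ACLs that pass validation. Since only one package consumes it, declare it there unexported, or expose a read-only lookup such as `isAllowedACL(string) bool` instead of the map. The doc comment should also end with a period, matching `// MinClientVersion is the minimum client version required by the server.` just above it.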
Collaborator

It looks like you only need this in one package, so I would define it in the package where it is used and unexport it.

Fewer things can go wrong this way 🙂

} {
t.Run(tc.desc, func(t *testing.T) {
url, err := url.Parse(fmt.Sprintf("%s?acl=%s", baseUrl, tc.acl))
require.Nil(t, err)
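Review bot: `url, err := url.Parse(...)` declares a local variable named `url` inside the subtest closure, shadowing the imported `net/url` package for the rest of that closure; it compiles because the right-hand side is evaluated before the new name is in scope, but any later `url.` package use in the closure will fail and the shadowing is easy to miss. Rename it to `u, err := url.Parse(...)`, and consider `baseURL` for the identifier `baseUrl` to follow Go initialism style.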
Collaborator

Use NoError instead of Nil.

russjones commented Nov 22, 2021

@atburke I think one of the requirements in the ticket was to transfer ownership to a different account right?

How will that be handled?

atburke commented Nov 22, 2021

Ownership is transferred when the ACL is set to bucket-owner-full-control.

russjones commented Nov 22, 2021

@atburke So you have to be able to write to a bucket in another account and ownership goes to account owner? Do you have an example of how to setup permissions like that? I think it would be useful for our documentation.

atburke commented Nov 22, 2021

Correct. The AWS docs have an example for doing exactly this.

@atburke atburke enabled auto-merge (squash) December 13, 2021 20:20
@atburke atburke merged commit e5ba176 into master Dec 14, 2021
@atburke atburke deleted the atburke/s3-transfer-ownership branch December 14, 2021 20:31
atburke added a commit that referenced this pull request Jan 27, 2022
This change allows admins to specify a canned ACL when using S3.
atburke added a commit that referenced this pull request Jan 27, 2022
This change allows admins to specify a canned ACL when using S3.
atburke added a commit that referenced this pull request Jan 28, 2022
This change allows admins to specify a canned ACL when using S3.
atburke added a commit that referenced this pull request Feb 1, 2022
This change allows admins to specify a canned ACL when using S3.
@webvictim webvictim mentioned this pull request Mar 4, 2022
Successfully merging this pull request may close these issues.

S3 object ownership
5 participants