Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove "Storage Admin" role requirement. #412

Closed

Conversation

wooyek
Copy link

@wooyek wooyek commented Oct 26, 2017

Call to get_bucket results 403 Caller does not have storage.buckets.get
access to bucket. If permissions are limited.

If auto_create_bucket bucket is not True, we don't have to check if
bucket exits just in case we would want to create it - which we don't,
cause we don't have privileges anyway

wooyek and others added 9 commits June 26, 2017 18:01
Call to get_bucket results 403 Caller does not have storage.buckets.get
access to bucket. If permissions are limited.

If auto_create_bucket bucket is not True, we don't have to check if
bucket exits just in case we would want to create it - which we don't.
+test_bucket_auto_create_false
a call to get_bucket instead of just creating a reference to it by name
remove @override_settings(GS_AUTO_CREATE_BUCKET=True)
Pass linting
./storages/backends/ftp.py:112:13: E722 do not use bare except'
@codecov-io
Copy link

codecov-io commented Nov 21, 2017

Codecov Report

Merging #412 into master will decrease coverage by 0.55%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #412      +/-   ##
==========================================
- Coverage    77.1%   76.54%   -0.56%     
==========================================
  Files          10       11       +1     
  Lines        1520     1599      +79     
==========================================
+ Hits         1172     1224      +52     
- Misses        348      375      +27
Impacted Files Coverage Δ
storages/backends/gcloud.py 95.05% <100%> (+0.11%) ⬆️
storages/backends/s3boto.py 88.03% <0%> (-0.67%) ⬇️
storages/backends/s3boto3.py 87.12% <0%> (-0.6%) ⬇️
storages/utils.py 96.87% <0%> (-0.1%) ⬇️
storages/backends/gs.py 69.73% <0%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 82f31b8...8c10a2d. Read the comment docs.

@wooyek
Copy link
Author

wooyek commented Nov 21, 2017

Phew! I had to clean up some other things to pass the tests:

  • cryptography dropped support for py33 with version 2 so there is a constraint in the tox
  • a minor linting problem with ftp backend, that I did not touch originally

Please tell me If there is something more I should do to make this PR accepted

…into feature/gcs-no-storage-admin-support

# Conflicts:
#	AUTHORS
#	storages/backends/ftp.py
#	tox.ini
@wooyek
Copy link
Author

wooyek commented Jul 2, 2018

@jschneier Please tell me If there is something more I should do to make this PR accepted

@sww314
Copy link
Contributor

sww314 commented Jul 3, 2018

@wooyek Can you reimplement this against master? I tried to review it, but there is over a year of changes and I am not sure what changed. There are at least a few unrelated changes it would be great to separate out.

@wooyek
Copy link
Author

wooyek commented Jul 3, 2018

I'm confused I thought I am implementing this against master. Please see the changes here:

https://github.com/jschneier/django-storages/pull/412/files

I am happy to try again if that's not sufficient.

@jschneier
Copy link
Owner

Instead of adding a setting maybe we just want to catch the error, log and return the proxy?

@wooyek
Copy link
Author

wooyek commented Aug 14, 2018

IMHO setting is more explicit and by default does not change current behavior.

If you want I can rewrite this later on. But I really would like to do this in another PR and release this one as soon as possible. I don't like for production systems to rely on git repos instead of released packages.

@sww314
Copy link
Contributor

sww314 commented Aug 14, 2018

Personally, I would be in favor of removal of the GS_AUTO_CREATE_BUCKET capability. For the vast majority of use cases, it requires more permissions than needed + is inefficient because it creates a network trip to Google every time to check the bucket status.

Is there a real use case for this capability? If you are dynamically creating buckets - you probably need more logic than this provides anyway.

@jschneier
Copy link
Owner

jschneier commented Aug 14, 2018 via email

@wooyek
Copy link
Author

wooyek commented Aug 14, 2018

+1 to the removal of GS_AUTO_CREATE_BUCKET, but please let's do that in another PR. Let's not make this PR a all-in-one constantly postponed PR.

Let's focus on the issue here, working around 403 that is not caused by lack od create permissions but from lack of Caller does not have storage.buckets.get access to bucket permission. Let's solve that and move on to the next improvements.

@jschneier
Copy link
Owner

If you want to catch Forbidden and return the bucket then I will merge that. I don't want to add another setting if we are going to go ahead and then remove the auto_create_bucket that would then require deprecating the setting. That will fix this issue.

@jschneier
Copy link
Owner

I see. The behavior in S3Boto3 is different from in Google Cloud and the S3Boto backend. The first does not hit the API at all unless you can possibly create the bucket. Okay maybe we should make that change instead.

jschneier pushed a commit that referenced this pull request Sep 8, 2019
Motivation for this change is to send fewer requests to Google Storage
API. We do not check existence of bucket unless auto_create_bucket is
configured or exists('') is called.

When creating bucket, instead of making two requests to get and create,
we just create and look for conflict.

Based on the work in #575 and supersedes #412.
@jschneier
Copy link
Owner

Fixed by #718.

@jschneier jschneier closed this Sep 8, 2019
bors bot added a commit to mozilla/normandy that referenced this pull request Sep 17, 2019
1984: Scheduled weekly dependency update for week 37 r=rehandalal a=pyup-bot






### Update [botocore](https://pypi.org/project/botocore) from **1.12.224** to **1.12.228**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.12.228
   ```
   ========

* api-change:``elbv2``: Update elbv2 client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``workmailmessageflow``: Update workmailmessageflow client to latest version
* api-change:``medialive``: Update medialive client to latest version
   ```
   
  
  
   ### 1.12.227
   ```
   ========

* api-change:``stepfunctions``: Update stepfunctions client to latest version
* api-change:``rds``: Update rds client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``mediaconnect``: Update mediaconnect client to latest version
* api-change:``ses``: Update ses client to latest version
* api-change:``config``: Update config client to latest version
   ```
   
  
  
   ### 1.12.226
   ```
   ========

* api-change:``storagegateway``: Update storagegateway client to latest version
   ```
   
  
  
   ### 1.12.225
   ```
   ========

* api-change:``qldb``: Update qldb client to latest version
* api-change:``marketplacecommerceanalytics``: Update marketplacecommerceanalytics client to latest version
* api-change:``appstream``: Update appstream client to latest version
* api-change:``ec2``: Update ec2 client to latest version
* api-change:``robomaker``: Update robomaker client to latest version
* api-change:``appmesh``: Update appmesh client to latest version
* api-change:``qldb-session``: Update qldb-session client to latest version
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/botocore
  - Changelog: https://pyup.io/changelogs/botocore/
  - Repo: https://github.com/boto/botocore
</details>





### Update [certifi](https://pypi.org/project/certifi) from **2019.6.16** to **2019.9.11**.


*The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)*

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/certifi
  - Homepage: https://certifi.io/
</details>





### Update [datadog](https://pypi.org/project/datadog) from **0.29.3** to **0.30.0**.


<details>
  <summary>Changelog</summary>
  
  
   ### 0.30.0
   ```
   * [BUGFIX] Treat `API_HOST` as URL, not as string [411][]
* [FEATURE] Add `return_raw_response` option to `initialize` to enable adding raw responses to return values [414][]
* [IMPROVEMENT] Add project URLs to package metadata [413][] (thanks [Tenzer][])
* [IMPROVEMENT] Add support for handling a 401 status as an API error [418][]
* [IMPROVEMENT] Allow configuring proxy in `~/.dogrc` for usage with dogshell [415][]
* [IMPROVEMENT] Update `user` resource name to `users` to match new plural endpoints [421][]
* [OTHER] Add deprecation warning to old aws lambda threadstats integration [417][]
* [OTHER] Removed functionality to delete events and comments, as it&#39;s no longer supported by API [420][]
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/datadog
  - Changelog: https://pyup.io/changelogs/datadog/
  - Homepage: https://www.datadoghq.com
</details>





### Update [importlib-metadata](https://pypi.org/project/importlib-metadata) from **0.20** to **0.23**.


*The bot wasn't able to find a changelog for this release. [Got an idea?](https://github.com/pyupio/changelogs/issues/new)*

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/importlib-metadata
  - Docs: http://importlib-metadata.readthedocs.io/
</details>





### Update [pluggy](https://pypi.org/project/pluggy) from **0.12.0** to **0.13.0**.


<details>
  <summary>Changelog</summary>
  
  
   ### 0.13.0
   ```
   ==========================

Trivial/Internal Changes
------------------------

- `222 &lt;https://github.com/pytest-dev/pluggy/issues/222&gt;`_: Replace ``importlib_metadata`` backport with ``importlib.metadata`` from the
  standard library on Python 3.8+.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/pluggy
  - Changelog: https://pyup.io/changelogs/pluggy/
  - Repo: https://github.com/pytest-dev/pluggy
</details>





### Update [boto3](https://pypi.org/project/boto3) from **1.9.224** to **1.9.228**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.9.228
   ```
   =======

* api-change:``elbv2``: [``botocore``] Update elbv2 client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``workmailmessageflow``: [``botocore``] Update workmailmessageflow client to latest version
* api-change:``medialive``: [``botocore``] Update medialive client to latest version
   ```
   
  
  
   ### 1.9.227
   ```
   =======

* api-change:``stepfunctions``: [``botocore``] Update stepfunctions client to latest version
* api-change:``rds``: [``botocore``] Update rds client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``mediaconnect``: [``botocore``] Update mediaconnect client to latest version
* api-change:``ses``: [``botocore``] Update ses client to latest version
* api-change:``config``: [``botocore``] Update config client to latest version
   ```
   
  
  
   ### 1.9.226
   ```
   =======

* api-change:``storagegateway``: [``botocore``] Update storagegateway client to latest version
   ```
   
  
  
   ### 1.9.225
   ```
   =======

* api-change:``qldb``: [``botocore``] Update qldb client to latest version
* api-change:``marketplacecommerceanalytics``: [``botocore``] Update marketplacecommerceanalytics client to latest version
* api-change:``appstream``: [``botocore``] Update appstream client to latest version
* api-change:``ec2``: [``botocore``] Update ec2 client to latest version
* api-change:``robomaker``: [``botocore``] Update robomaker client to latest version
* api-change:``appmesh``: [``botocore``] Update appmesh client to latest version
* api-change:``qldb-session``: [``botocore``] Update qldb-session client to latest version
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/boto3
  - Changelog: https://pyup.io/changelogs/boto3/
  - Repo: https://github.com/boto/boto3
</details>





### Update [django-countries](https://pypi.org/project/django-countries) from **5.4** to **5.5**.


<details>
  <summary>Changelog</summary>
  
  
   ### 5.5
   ```
   =======================

- Django 3.0 compatibility.

- Plugin system for extending the ``Country`` object.
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/django-countries
  - Changelog: https://pyup.io/changelogs/django-countries/
  - Repo: https://github.com/SmileyChris/django-countries/
</details>





### Update [django-storages](https://pypi.org/project/django-storages) from **1.7.1** to **1.7.2**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.7.2
   ```
   ******************

S3
--

- Avoid misleading ``AWS_DEFAULT_ACL`` warning for insecure ``default_acl`` when
  overridden as a class variable (`591_`)
- Propagate file deletion to cache when ``preload_metadata`` is ``True``,
  (not the default) (`743`_, `749`_)
- Fix exception raised on closed file (common if using ``ManifestFilesMixin`` or
  ``collectstatic``. (`382`_, `754`_)

Azure
-----

- Pare down the required packages in ``extra_requires`` when installing the ``azure`` extra to only
  ``azure-storage-blob`` (`680`_, `684`_)
- Fix compatability with ``generate_blob_shared_access_signature`` updated signature (`705`_, `723`_)
- Fetching a file now uses the configured timeout rather than hardcoding one (`727`_)
- Add support for configuring all blobservice options: ``AZURE_EMULATED_MODE``, ``AZURE_ENDPOINT_SUFFIX``,
  ``AZURE_CUSTOM_DOMAIN``, ``AZURE_CONNECTION_STRING``, ``AZURE_CUSTOM_CONNECTION_STRING``,
  ``AZURE_TOKEN_CREDENTIAL``. See the docs for more info. Huge thanks once again to nitely. (`750`_)
- Fix filename handling to not strip special characters (`609`_, `752`_)


Google Cloud
------------

- Set the file acl in the same call that uploads it (`698`_)
- Reduce the number of queries and required permissions when ``GS_AUTO_CREATE_BUCKET`` is
  ``False`` (the default) (`412`_, `718`_)
- Set the ``predefined_acl`` when creating a ``GoogleCloudFile`` using ``.write``
  (`640`_, `756`_)
- Add ``GS_BLOB_CHUNK_SIZE`` setting to enable efficient uploading of large files (`757`_)

Dropbox
-------

- Complete migration to v2 api with file fetching and metadata fixes (`724`_)
- Add ``DROPBOX_TIMEOUT`` to configure client timeout defaulting to 100 seconds
  to match the underlying sdk. (`419`_, `747`_)

SFTP
----

- Fix reopening a file (`746`_)

.. _591: jschneier/django-storages#591
.. _680: jschneier/django-storages#680
.. _684: jschneier/django-storages#684
.. _698: jschneier/django-storages#698
.. _705: jschneier/django-storages#705
.. _723: jschneier/django-storages#723
.. _727: jschneier/django-storages#727
.. _746: jschneier/django-storages#746
.. _724: jschneier/django-storages#724
.. _412: jschneier/django-storages#412
.. _718: jschneier/django-storages#718
.. _743: jschneier/django-storages#743
.. _749: jschneier/django-storages#749
.. _750: jschneier/django-storages#750
.. _609: jschneier/django-storages#609
.. _752: jschneier/django-storages#752
.. _382: jschneier/django-storages#382
.. _754: jschneier/django-storages#754
.. _419: jschneier/django-storages#419
.. _747: jschneier/django-storages#747
.. _640: jschneier/django-storages#640
.. _756: jschneier/django-storages#756
.. _757: jschneier/django-storages#757
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/django-storages
  - Changelog: https://pyup.io/changelogs/django-storages/
  - Repo: https://github.com/jschneier/django-storages
</details>





### Update [kinto-http](https://pypi.org/project/kinto-http) from **10.4.1** to **10.5.0**.


<details>
  <summary>Changelog</summary>
  
  
   ### 10.5.0
   ```
   ===================

**New features**

- Add history support (fixes 112), Thanks FlorianKuckelkorn!
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/kinto-http
  - Changelog: https://pyup.io/changelogs/kinto-http/
  - Repo: https://github.com/Kinto/kinto-http.py/
</details>







Co-authored-by: pyup-bot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants