
Blob IAM support apparently invalid #4087

Closed
tseaver opened this issue Sep 29, 2017 · 13 comments
Assignees
Labels
api: storage Issues related to the Cloud Storage API. backend priority: p2 Moderately-important priority. Fix may not be included in next release. status: blocked Resolving the issue is dependent on other work. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@tseaver
Contributor

tseaver commented Sep 29, 2017

While writing system tests for the requester_pays feature, I triggered the following:

Traceback (most recent call last):
  File "/home/tseaver/projects/agendaless/Google/src/google-cloud-python/storage/tests/system.py", line 372, in test_blob_acl_iam_w_user_project
    blob.set_iam_policy(policy)
  File "/home/tseaver/projects/agendaless/Google/src/google-cloud-python/storage/google/cloud/storage/blob.py", line 1148, in set_iam_policy
    _target_object=None)
  File "/home/tseaver/projects/agendaless/Google/src/google-cloud-python/storage/.nox/sys-3-6/lib/python3.6/site-packages/google/cloud/_http.py", line 293, in api_request
    raise exceptions.from_http_response(response)
google.api.core.exceptions.BadRequest: 400 PUT https://www.googleapis.com/storage/v1/b/new_1506705016579/o/SmallFile/iam?userProject=citric-celerity-697: roles/storage.objectViewer is not a valid role for projects/_/buckets/new_1506705016579/objects/SmallFile#0.

Note that the earlier call to Blob.get_iam_policy does succeed, returning:

(Pdb) pp policy.to_api_repr()
{'bindings': [{'members': ['projectEditor:some-project-742',
                           'projectOwner:some-project-742',
                           'serviceAccount:1065521786570-19reuv03qbdp37du41inh9gtd1s35g1j@developer.gserviceaccount.com'],
               'role': 'roles/storage.legacyObjectOwner'},
              {'members': ['projectViewer:some-project-742'],
               'role': 'roles/storage.legacyObjectReader'},
              {'members': ['allUsers'], 'role': 'roles/storage.objectViewer'}],
 'etag': 'CAM='}

We don't have existing system tests for Blob.set_iam_policy, but the Storage IAM docs don't define any IAM operations for blobs, only for buckets and projects. Indeed, they say:

To learn about controlling access to individual objects in your buckets, see Access Control Lists.

The API documentation for Objects also doesn't (any longer?) show getIamPolicy, setIamPolicy, or testIamPermissions.

@lukesneeringer can you loop somebody in to clarify?

@tseaver tseaver added api: storage Issues related to the Cloud Storage API. backend type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Sep 29, 2017
@tseaver
Contributor Author

tseaver commented Sep 29, 2017

@frankyn confirmed to me offline:

There is no Object level IAM only Object Level ACL.

@tseaver
Contributor Author

tseaver commented Sep 29, 2017

It turns out that Blob.set_iam_policy can only assign the following "legacy" roles:

  • roles/storage.legacyObjectReader
  • roles/storage.legacyObjectOwner
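As an added example (not the library's code and not from anyone in this thread), a pre-flight check in Python that walks a policy in the Policy.to_api_repr() shape shown above and reports bindings the object-level endpoint would reject, plus any grants to public principals, before set_iam_policy is ever called. It assumes the two legacy roles listed above are the only accepted ones; the sample policy, its project id and its service account are constructed placeholders.

```python
from typing import Dict, List, Tuple

# Per this thread, the object-level IAM endpoint accepts only these two
# "legacy" roles; anything else (e.g. roles/storage.objectViewer) gets a 400.
OBJECT_LEGACY_ROLES = frozenset({
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyObjectOwner",
})
# Principals that grant access to everyone (allAuthenticatedUsers is a real
# GCS principal, though it does not appear in the thread).
PUBLIC_PRINCIPALS = frozenset({"allUsers", "allAuthenticatedUsers"})

# Constructed sample in the shape of Policy.to_api_repr() shown above; the
# project id and service account are placeholders, not real values.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["projectEditor:example-project",
                     "projectOwner:example-project",
                     "serviceAccount:placeholder@developer.gserviceaccount.com"],
         "role": "roles/storage.legacyObjectOwner"},
        {"members": ["projectViewer:example-project"],
         "role": "roles/storage.legacyObjectReader"},
        {"members": ["allUsers"], "role": "roles/storage.objectViewer"},
    ],
    "etag": "CAM=",
}


def invalid_object_roles(policy_repr: Dict) -> List[str]:
    """Roles the object-level endpoint would reject, in binding order."""
    bad: List[str] = []
    for binding in policy_repr.get("bindings", []):
        role = binding.get("role")
        if role not in OBJECT_LEGACY_ROLES and role not in bad:
            bad.append(role)
    return bad


def public_grants(policy_repr: Dict) -> List[Tuple[str, str]]:
    """(member, role) pairs that expose the object to everyone."""
    return [(member, binding.get("role"))
            for binding in policy_repr.get("bindings", [])
            for member in binding.get("members", [])
            if member in PUBLIC_PRINCIPALS]


def preflight_ok(policy_repr: Dict) -> bool:
    """True only when every role is legacy and nothing is granted publicly."""
    return not invalid_object_roles(policy_repr) and not public_grants(policy_repr)
```

Run against the sample, the check flags roles/storage.objectViewer (the role the traceback above was rejected for) and the allUsers grant; a policy carrying only the two legacy bindings passes.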

@frankyn
Member

frankyn commented Oct 18, 2017

IAM object-level methods should not be deprecated. We should document how to use these methods to assign legacy roles instead.

@tseaver
Contributor Author

tseaver commented Oct 20, 2017

@frankyn ISTM that the back-end docs need to be updated correspondingly (and first, so that we track them without guesswork).

@frankyn
Member

frankyn commented Oct 23, 2017

Good point. I'm working on resolving this in Storage docs. I'll update this issue.

@tseaver tseaver added priority: p2 Moderately-important priority. Fix may not be included in next release. docs and removed type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. labels Nov 2, 2017
@tseaver
Contributor Author

tseaver commented Jan 4, 2018

@frankyn ping?

@frankyn
Member

frankyn commented Jan 5, 2018 via email

@chemelnucfin chemelnucfin added the type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. label Jan 9, 2018
@frankyn
Member

frankyn commented Jan 10, 2018

@tseaver docs were blocked by an internal bug and I will check in again this week. Apologies for the delay.

@tseaver
Contributor Author

tseaver commented Feb 20, 2018

@frankyn I still don't see API documentation for objects.getIamPermissions et al.

@frankyn
Member

frankyn commented Feb 20, 2018

Will update soon. I need to sync with a few stakeholders on the GCS team before continuing; there exist additional open questions before introducing the docs back into the world. Setting up a meeting for mid-next week given some are OOO. I will have a better update then. Thank you for your patience.

@tseaver tseaver added the status: blocked Resolving the issue is dependent on other work. label Feb 20, 2018
@frankyn
Member

frankyn commented Feb 22, 2018

Sent a document for GCS team review to determine consensus for what to do here.

@tseaver
Contributor Author

tseaver commented Apr 11, 2018

@frankyn ping?

@frankyn
Member

frankyn commented Apr 11, 2018

Hey @tseaver, responding through hangouts.
