Policy action wildcards do not include the policy with no character after wildcard

[sdejong629]

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

When using wildcards in a s3 policy, this does not include policy names with a null value for the wildcard after upgrading in the Minio GUI.

Expected Behavior

When you for example have a policy action named "s3:DeleteObject*", this should include "s3:DeleteObject" (no *) action after upgrading to version 2024.1.16. In the GUI you can delete objects based on that policy.

Current Behavior

Users with a policy action of "s3:DeleteObject*" can not delete objects within the GUI. You have to explicitly add "s3:DeleteObject" as a policy. This behavior has changed since our previous version.

Possible Solution

• should also include the actions where there are no more characters after the action name.

Steps to Reproduce (for bugs)

1. Add a policy for a bucket

   {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket",
                  "s3:ListAllMyBuckets",
                  "s3:GetBucketVersioning",
                  "s3:DeleteObjectVersion",
                  "s3:ListBucketVersions",
                  "s3:GetObject*",
                  "s3:DeleteObject*",
                  "s3:PutObject*"
              ],
              "Resource": [
                  "arn:aws:s3:::bucket_name",
                  "arn:aws:s3:::bucket_name/*"
              ]
          }
      ]
   }

2. Log on to GUI and try to add or delete objects
3. You can't, can you?

Context

We had to add policies for every bucket in our environment after updating

Regression

No sure what that means

Your Environment

minio version DEVELOPMENT.2024-01-16T16-07-38Z (commit-id=ca258c04cb1dea33c31fed86250eaa3d1f020ff8)
Runtime: go1.21.6 linux/amd64
License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html
Copyright: 2015-2024 MinIO, Inc.
Running in docker on Ubuntu 22.04

[harshavardhana]

what is ${bucket_name}? there is no such thing as ${bucket_name}. There are standard keywords you can use, but you can only do what you want here. https://github.com/minio/minio/tree/master/docs/multi-user#policy-variables

[sdejong629]

what is ${bucket_name}? there is no such thing as ${bucket_name}. There are standard keywords you can use, but you can only do what you want here. https://github.com/minio/minio/tree/master/docs/multi-user#policy-variables

Changed it to something even more generic. That is a placeholder for terraform. Just replace it with an actual bucket name.

[harshavardhana]

Will check

[prakashsvmx]

S3_GET_ACTIONS: "s3:Get*",
S3_PUT_ACTIONS: "s3:Put*",
S3_ALL_LIST_BUCKET: "s3:List*",
S3_STAR_BUCKET: "s3:*Bucket",
S3_ALL_ACTIONS: "s3:*",
ADMIN_ALL_ACTIONS: "admin:*",
KMS_ALL_ACTIONS: "kms:*"

@sdejong629 as of now only the above f wildcards are supported for actions.

[cesnietor]

@harshavardhana are we planning to support it? this might be coming from mc client.

[harshavardhana]

@harshavardhana are we planning to support it? this might be coming from mc client.

what is?