Skip to content

fix(Catalog): Add List PolarisStorageAction for all metadata read operations #1391

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix(Catalog): Add List PolarisStorageAction for all metadata read operations #1391

wants to merge 4 commits into from

Conversation

fivetran-ashokborra
Copy link

@fivetran-ashokborra fivetran-ashokborra commented Apr 17, 2025
edited
Loading

Fixes #1380

Issue:

Currently, loadTable returns a 403 error when the metadata file is not found, which can be misleading. Since users are expected to have configured the appropriate ListBucket permissions in their IAM policy, a 404 error would be more accurate in this scenario.

Access Denied or Forbidden error: User: arn:aws:sts::{account}:assumed-role/{role}/PolarisAwsCredentialsStorageIntegration is not authorized to perform: s3:ListBucket on resource: \"arn:aws:s3:::ashok-test-local\" because no session policy allows the s3:ListBucket action (Service: S3, Status Code: 403, Request ID: W6Q2D563ETEKR6XZ, Extended Request ID: Izq3QS7eZmGjhjfyoxJWMHeCgrFvUlpZjj73JYMO8i/qnKw6CjOaPVgOWVLFr/JsToTeTxO0YaM=)

As per S3 GetObject documentation, the error message returned depens on ListBucket permission

If the object that you request doesn’t exist, the error that Amazon S3 returns depends on whether you also have the s3:ListBucket permission.

If you have the s3:ListBucket permission on the bucket, Amazon S3 returns an HTTP status code 404 Not Found error.

If you don’t have the s3:ListBucket permission, Amazon S3 returns an HTTP status code 403 Access Denied error.

We are adding ListBucket statement to the session policy only when PolarisStorageAction.List is passed

@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Apr 17, 2025
singhpk234
singhpk234 reviewed Apr 17, 2025
View reviewed changes
Copy link
Collaborator

@singhpk234 singhpk234 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, we should in general go with a prinicipal of least priviledges, how hard is this to catch this / parse this and re:throw 404 ?

That being set I do see catalog such as Unity does this already code, mean while can you please add an UT for this ?

@singhpk234
Copy link
Collaborator

cc @flyrain @dennishuo

@collado-mike
Copy link
Contributor

IMHO, we should in general go with a prinicipal of least priviledges, how hard is this to catch this / parse this and re:throw 404 ?

Generally, I'd agree about the least privilege concern, but I'm opposed to reinterpreting AWS exceptions. I think we ought to get AWS to return the correct error code so we don't have to guess at runtime

@fivetran-ashokborra
Copy link
Author

@singhpk234

mean while can you please add an UT for this ?

This is already covered here and here. Do we still need 1 more UT?

@singhpk234
Copy link
Collaborator

@fivetran-ashokborra i was mostly coming from the fact that this was not catched by a test case, so to be it future proof, if some one removes or adds new permission this would fail.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@singhpk234 singhpk234 singhpk234 left review comments

@adutra adutra Awaiting requested review from adutra adutra is a code owner

@ashvina ashvina Awaiting requested review from ashvina ashvina is a code owner

@dennishuo dennishuo Awaiting requested review from dennishuo dennishuo is a code owner

@dimas-b dimas-b Awaiting requested review from dimas-b dimas-b is a code owner

@eric-maynard eric-maynard Awaiting requested review from eric-maynard eric-maynard is a code owner

@jackye1995 jackye1995 Awaiting requested review from jackye1995 jackye1995 is a code owner

@jbonofre jbonofre Awaiting requested review from jbonofre jbonofre is a code owner

@vvcephei vvcephei Awaiting requested review from vvcephei vvcephei is a code owner

@collado-mike collado-mike Awaiting requested review from collado-mike collado-mike is a code owner

@snazy snazy Awaiting requested review from snazy snazy is a code owner

@RussellSpitzer RussellSpitzer Awaiting requested review from RussellSpitzer RussellSpitzer is a code owner

@takidau takidau Awaiting requested review from takidau takidau is a code owner

@MonkeyCanCode MonkeyCanCode Awaiting requested review from MonkeyCanCode MonkeyCanCode is a code owner

@flyrain flyrain Awaiting requested review from flyrain flyrain is a code owner

@ebyhr ebyhr Awaiting requested review from ebyhr ebyhr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

LoadTable returns Access Denied instead of 404 for a missing metadata file in S3
3 participants
@fivetran-ashokborra @singhpk234 @collado-mike