Remove "Storage Admin" role requirement. #412


@wooyek wooyek commented Oct 26, 2017

Call to get_bucket results in 403 Caller does not have storage.buckets.get
access to bucket, if permissions are limited.

If auto_create_bucket is not True, we don't have to check if
bucket exists just in case we would want to create it - which we don't,
because we don't have privileges anyway

wooyek and others added 9 commits June 26, 2017 18:01
Call to get_bucket results in 403 Caller does not have storage.buckets.get
access to bucket, if permissions are limited.

If auto_create_bucket is not True, we don't have to check if
bucket exists just in case we would want to create it - which we don't.
+test_bucket_auto_create_false
a call to get_bucket instead of just creating a reference to it by name
remove @override_settings(GS_AUTO_CREATE_BUCKET=True)
Pass linting
./storages/backends/ftp.py:112:13: E722 do not use bare except'
@codecov-io

codecov-io commented Nov 21, 2017

Codecov Report

Merging #412 into master will decrease coverage by 0.55%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #412      +/-   ##
==========================================
- Coverage    77.1%   76.54%   -0.56%     
==========================================
  Files          10       11       +1     
  Lines        1520     1599      +79     
==========================================
+ Hits         1172     1224      +52     
- Misses        348      375      +27

Impacted Files                  Coverage Δ
storages/backends/gcloud.py     95.05% <100%> (+0.11%) ⬆️
storages/backends/s3boto.py     88.03% <0%> (-0.67%) ⬇️
storages/backends/s3boto3.py    87.12% <0%> (-0.6%) ⬇️
storages/utils.py               96.87% <0%> (-0.1%) ⬇️
storages/backends/gs.py         69.73% <0%> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 82f31b8...8c10a2d. Read the comment docs.

@wooyek
Author

wooyek commented Nov 21, 2017

Phew! I had to clean up some other things to pass the tests:

  • cryptography dropped support for py33 with version 2 so there is a constraint in the tox
  • a minor linting problem with ftp backend, that I did not touch originally

Please tell me if there is something more I should do to make this PR accepted

…into feature/gcs-no-storage-admin-support

# Conflicts:
#	AUTHORS
#	storages/backends/ftp.py
#	tox.ini
@wooyek
Author

wooyek commented Jul 2, 2018

@jschneier Please tell me if there is something more I should do to make this PR accepted

@sww314
Contributor

sww314 commented Jul 3, 2018

@wooyek Can you reimplement this against master? I tried to review it, but there is over a year of changes and I am not sure what changed. There are at least a few unrelated changes it would be great to separate out.

@wooyek
Author

wooyek commented Jul 3, 2018

I'm confused, I thought I am implementing this against master. Please see the changes here:

https://github.com/jschneier/django-storages/pull/412/files

I am happy to try again if that's not sufficient.

@jschneier
Owner

Instead of adding a setting maybe we just want to catch the error, log and return the proxy?

@wooyek
Author

wooyek commented Aug 14, 2018

IMHO setting is more explicit and by default does not change current behavior.

If you want I can rewrite this later on. But I really would like to do this in another PR and release this one as soon as possible. I don't like for production systems to rely on git repos instead of released packages.

@sww314
Contributor

sww314 commented Aug 14, 2018

Personally, I would be in favor of removal of the GS_AUTO_CREATE_BUCKET capability. For the vast majority of use cases, it requires more permissions than needed + is inefficient because it creates a network trip to Google every time to check the bucket status.

Is there a real use case for this capability? If you are dynamically creating buckets - you probably need more logic than this provides anyway.

@jschneier
Owner

jschneier commented Aug 14, 2018 via email

@wooyek
Author

wooyek commented Aug 14, 2018

+1 to the removal of GS_AUTO_CREATE_BUCKET, but please let's do that in another PR. Let's not make this PR an all-in-one constantly postponed PR.

Let's focus on the issue here, working around 403 that is not caused by lack of create permissions but from lack of Caller does not have storage.buckets.get access to bucket permission. Let's solve that and move on to the next improvements.

@jschneier
Owner

If you want to catch Forbidden and return the bucket then I will merge that. I don't want to add another setting if we are going to go ahead and then remove the auto_create_bucket that would then require deprecating the setting. That will fix this issue.

@jschneier
Owner

I see. The behavior in S3Boto3 is different from in Google Cloud and the S3Boto backend. The first does not hit the API at all unless you can possibly create the bucket. Okay maybe we should make that change instead.

jschneier pushed a commit that referenced this pull request Sep 8, 2019
Motivation for this change is to send fewer requests to Google Storage
API. We do not check existence of bucket unless auto_create_bucket is
configured or exists('') is called.

When creating bucket, instead of making two requests to get and create,
we just create and look for conflict.

Based on the work in #575 and supersedes #412.
@jschneier
Owner

Fixed by #718.

@jschneier jschneier closed this Sep 8, 2019
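
The difference this thread settles on, as an added example that is not code from django-storages: an eager `get_bucket` lookup needs `storage.buckets.get`, while a lazy reference makes no request, and auto-create goes straight to create and treats a conflict as "already exists". `FakeClient`, `bucket_eager`, `bucket_lazy` and `demo` are hypothetical names, and the client is a constructed offline stand-in whose permission bookkeeping is an assumption for illustration.

```python
# Constructed stand-in for google.cloud.storage.Client so this runs offline.
# It records the IAM permission each API request would need.
class Forbidden(Exception):
    """Stand-in for an HTTP 403 from the storage API."""
class Conflict(Exception):
    """Stand-in for an HTTP 409 (bucket already exists)."""

class FakeClient:
    def __init__(self, granted, existing):
        self.granted, self.existing = set(granted), set(existing)
        self.calls = []  # permissions exercised by API round trips
    def _api(self, permission):
        self.calls.append(permission)
        if permission not in self.granted:
            raise Forbidden("Caller does not have %s access to bucket" % permission)
    def get_bucket(self, name):  # one request, needs storage.buckets.get
        self._api("storage.buckets.get")
        return name
    def bucket(self, name):  # local reference only, no request
        return name
    def create_bucket(self, name):  # one request, needs storage.buckets.create
        self._api("storage.buckets.create")
        if name in self.existing:
            raise Conflict(name)
        self.existing.add(name)
        return name

def bucket_eager(client, name):
    """The lookup the PR description reports failing with 403."""
    return client.get_bucket(name)

def bucket_lazy(client, name, auto_create=False):
    """Approach from the superseding commit: no lookup unless creating."""
    if not auto_create:
        return client.bucket(name)
    try:
        return client.create_bucket(name)
    except Conflict:
        return client.bucket(name)  # bucket already exists, use it

def demo():
    # Service account limited to object permissions (constructed sample).
    client = FakeClient({"storage.objects.create", "storage.objects.get"}, {"media"})
    try:
        eager = bucket_eager(client, "media")
    except Forbidden as exc:
        eager = "403: %s" % exc
    return eager, bucket_lazy(client, "media"), client.calls
```

With the lazy path, a credential scoped to object permissions never touches a bucket-level permission; `client.calls` shows the only bucket-level request came from the eager lookup.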
bors bot added a commit to mozilla/normandy that referenced this pull request Sep 17, 2019
1984: Scheduled weekly dependency update for week 37 r=rehandalal a=pyup-bot






### Update [django-storages](https://pypi.org/project/django-storages) from **1.7.1** to **1.7.2**.


<details>
  <summary>Changelog</summary>
  
  
   ### 1.7.2
   ```
   ******************

S3
--

- Avoid misleading ``AWS_DEFAULT_ACL`` warning for insecure ``default_acl`` when
  overridden as a class variable (`591_`)
- Propagate file deletion to cache when ``preload_metadata`` is ``True``,
  (not the default) (`743`_, `749`_)
- Fix exception raised on closed file (common if using ``ManifestFilesMixin`` or
  ``collectstatic``. (`382`_, `754`_)

Azure
-----

- Pare down the required packages in ``extra_requires`` when installing the ``azure`` extra to only
  ``azure-storage-blob`` (`680`_, `684`_)
- Fix compatability with ``generate_blob_shared_access_signature`` updated signature (`705`_, `723`_)
- Fetching a file now uses the configured timeout rather than hardcoding one (`727`_)
- Add support for configuring all blobservice options: ``AZURE_EMULATED_MODE``, ``AZURE_ENDPOINT_SUFFIX``,
  ``AZURE_CUSTOM_DOMAIN``, ``AZURE_CONNECTION_STRING``, ``AZURE_CUSTOM_CONNECTION_STRING``,
  ``AZURE_TOKEN_CREDENTIAL``. See the docs for more info. Huge thanks once again to nitely. (`750`_)
- Fix filename handling to not strip special characters (`609`_, `752`_)


Google Cloud
------------

- Set the file acl in the same call that uploads it (`698`_)
- Reduce the number of queries and required permissions when ``GS_AUTO_CREATE_BUCKET`` is
  ``False`` (the default) (`412`_, `718`_)
- Set the ``predefined_acl`` when creating a ``GoogleCloudFile`` using ``.write``
  (`640`_, `756`_)
- Add ``GS_BLOB_CHUNK_SIZE`` setting to enable efficient uploading of large files (`757`_)

Dropbox
-------

- Complete migration to v2 api with file fetching and metadata fixes (`724`_)
- Add ``DROPBOX_TIMEOUT`` to configure client timeout defaulting to 100 seconds
  to match the underlying sdk. (`419`_, `747`_)

SFTP
----

- Fix reopening a file (`746`_)

.. _591: jschneier/django-storages#591
.. _680: jschneier/django-storages#680
.. _684: jschneier/django-storages#684
.. _698: jschneier/django-storages#698
.. _705: jschneier/django-storages#705
.. _723: jschneier/django-storages#723
.. _727: jschneier/django-storages#727
.. _746: jschneier/django-storages#746
.. _724: jschneier/django-storages#724
.. _412: jschneier/django-storages#412
.. _718: jschneier/django-storages#718
.. _743: jschneier/django-storages#743
.. _749: jschneier/django-storages#749
.. _750: jschneier/django-storages#750
.. _609: jschneier/django-storages#609
.. _752: jschneier/django-storages#752
.. _382: jschneier/django-storages#382
.. _754: jschneier/django-storages#754
.. _419: jschneier/django-storages#419
.. _747: jschneier/django-storages#747
.. _640: jschneier/django-storages#640
.. _756: jschneier/django-storages#756
.. _757: jschneier/django-storages#757
   ```
   
  
</details>


 

<details>
  <summary>Links</summary>
  
  - PyPI: https://pypi.org/project/django-storages
  - Changelog: https://pyup.io/changelogs/django-storages/
  - Repo: https://github.com/jschneier/django-storages
</details>





Co-authored-by: pyup-bot <github-bot@pyup.io>