dimas-b commented on code in PR #2815:
URL: https://github.com/apache/polaris/pull/2815#discussion_r2433307765


##########
polaris-core/src/main/java/org/apache/polaris/core/storage/aws/AwsCredentialsStorageIntegration.java:
##########
@@ -179,14 +179,24 @@ private IamPolicy policyString(
     Map<String, IamStatement.Builder> bucketGetLocationStatementBuilder = new 
HashMap<>();
 
     String arnPrefix = arnPrefixForPartition(awsPartition);
+    boolean isEcsPartition = "ecs".equals(awsPartition);
     Stream.concat(readLocations.stream(), writeLocations.stream())
         .distinct()
         .forEach(
             location -> {
               URI uri = URI.create(location);
-              allowGetObjectStatementBuilder.addResource(
-                  IamResource.create(
-                      arnPrefix + 
StorageUtil.concatFilePrefixes(parseS3Path(uri), "*", "/")));
+              // Some on-prem S3/STSc implementations (for example ECS) do not 
accept object ARNs
+              // that include the path portion (bucket/key/*). For those, 
scope object permissions
+              // to
+              // the whole bucket (bucket/*) and rely on s3:prefix conditions 
for finer granularity.
+              if (isEcsPartition) {
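Review bot: the comment introducing the `ecs` branch says finer granularity will come from `s3:prefix` conditions, but on AWS that condition key is only evaluated for bucket-listing requests (`s3:ListBucket` and friends), not for object operations such as GetObject, so in this partition the object permissions are effectively widened from `bucket/key/*` to the whole bucket. The comment should state that consequence plainly, and it is worth confirming whether ECS actually applies a prefix condition to object requests before the policy relies on it. Separately, `"ecs".equals(awsPartition)` is a bare magic string; a named constant next to `arnPrefixForPartition` would keep the partition spelling defined in one place.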

Review Comment:
   This may be worth discussing on the `dev` ML.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.