AWS S3 is accessible to all

Hi,

I recently configured AWS S3 in Hue 4.6. But all the users are able to access all the S3 buckets and folders that they don't have access to.
Am I missing any config?

Below is my aws config in hue.ini

[aws]
  [[aws_accounts]]
    # Default AWS account
    [[[default]]]
      # AWS credentials
      ## access_key_id=
      ## secret_access_key=
      ## security_token=

      # Execute this script to produce the AWS access key ID.
      ## access_key_id_script=/path/access_key_id.sh

      # Execute this script to produce the AWS secret access key.
      ## secret_access_key_script=/path/secret_access_key.sh

      # Allow to use either environment variables or
      # EC2 InstanceProfile to retrieve AWS credentials.
      allow_environment_credentials=false

      # AWS region to use, if no region is specified, will attempt to connect to standard s3.amazonaws.com endpoint
      region=<my_region>

      # Endpoint overrides
      ## host=

      # Proxy address and port
      ## proxy_address=
      ## proxy_port=8080
      ## proxy_user=
      ## proxy_pass=

      # Secure connections are the default, but this can be explicitly overridden:
      ## is_secure=true

      # The default calling format uses https://<bucket-name>.s3.amazonaws.com but
      # this may not make sense if DNS is not configured in this way for custom endpoints.
      # e.g. Use boto.s3.connection.OrdinaryCallingFormat for https://s3.amazonaws.com/<bucket-name>
      ## calling_format=boto.s3.connection.OrdinaryCallingFormat

      # The time in seconds before a delegate key is expired. Used when filebrowser/redirect_download is used. Default to 4 Hours.

Any advice is appreciated. @Romain

BR,

Hue is leveraging the Knox IdBroker, like in https://community.cloudera.com/t5/Community-Articles/How-to-get-AWS-access-keys-via-IDBroker-in-CDP/ta-p/295485, to provide fine-grained access.

https://docs.cloudera.com/runtime/7.1.0/cdp-security-overview/topics/security_how_identity_federation_works_in_cdp.html

Without it, users need to be Hue admins or have the Hue S3 permission, and they all share the same keys.

@Romain,

You mean to say that, in order to enable access restrictions on the S3 buckets, I have to use IdBroker?
We are using IAM roles to manage our S3 authorizations, which is working fine at the server level. Can this be leveraged in Hue as well?
If yes, what are the configs to use them in Hue?

Thanks

Hue will leverage only one set of keys for everybody; for fine-grained keys automatically granted to individual users, this would require going via Knox IdBroker.
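The replies above boil down to one check a defender can automate: does the `[[[default]]]` account in hue.ini carry a single shared AWS identity (static keys, a key script, or the instance profile) that every Hue user with the S3 permission will act as? The script below is an added example, not part of this thread or of Hue; it parses Hue's nested `[aws]` / `[[aws_accounts]]` / `[[[default]]]` ini layout and reports the sharing condition. The sample ini and its credential values are constructed placeholders.

```python
import re

# Constructed hue.ini fragment modelled on the one posted in the thread.
# Credential values are placeholders, not real keys.
SAMPLE_HUE_INI = """
[aws]
  [[aws_accounts]]
    # Default AWS account
    [[[default]]]
      access_key_id=AKIAPLACEHOLDER0000
      secret_access_key=placeholder-secret
      ## security_token=
      allow_environment_credentials=false
      region=us-east-1
"""

# Hue's configobj style: nesting depth equals the number of '[' brackets.
SECTION_RE = re.compile(r"^(\[+)([^\]]+)\]+$")

def parse_hue_ini(text):
    """Return {('aws', 'aws_accounts', 'default'): {key: value}, ...}.
    Lines starting with '#' are comments, so '## access_key_id=' stays unset."""
    sections, path = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            depth = len(m.group(1))
            path = path[: depth - 1] + [m.group(2).strip()]
            sections.setdefault(tuple(path), {})
        elif "=" in line and path:
            key, _, value = line.partition("=")
            sections[tuple(path)][key.strip()] = value.strip()
    return sections

def audit_s3_credentials(text):
    """List how the configured S3 identity is shared across all Hue users."""
    acct = parse_hue_ini(text).get(("aws", "aws_accounts", "default"), {})
    findings = []
    if any(acct.get(k) for k in ("access_key_id", "secret_access_key")):
        findings.append("static keys: every Hue user with the S3 permission acts as this one IAM identity")
    if any(acct.get(k) for k in ("access_key_id_script", "secret_access_key_script")):
        findings.append("scripted keys: the script runs for the account, so all users still share one identity")
    if acct.get("allow_environment_credentials", "false").lower() == "true":
        findings.append("environment/instance-profile credentials: all users share the EC2 role")
    if not findings:
        findings.append("no shared keys configured: per-user S3 access needs the IdBroker integration")
    return findings
```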