‘View Logs’ role seems to be bypassing conditional access for Grail storage. Is this true?

GosiaMurawska — Mon, 27 Jan 2025 13:10:40 GMT

Will users or the group be able to read logs from all buckets?

Re: ‘View Logs’ role seems to be bypassing conditional access for Grail storage. Is this true?

Jon2 — Mon, 27 Jan 2025 13:36:04 GMT

“View Logs” is a permission of type ‘role’, and as such, it does not adhere to attribute-based conditions. Consider, for example, that one of your user groups has been assigned:

‘View Logs’ role

‘storage:logs:read’ through a default policy like ‘Read Logs’ or through a custom policy like this:

//Grail read data

ALLOW storage:buckets:read WHERE storage:table-name = "logs";

ALLOW storage:logs:read;

and a policy boundary applied with the following condition:

storage:bucket-name = 'default_logs';

The ‘View Logs’ role assignment will bypass the attribute conditions set in the policy and boundary, when those two are applied to the group. This means users of the group will be able to read logs from all buckets.

To fix this, you can remove the role assignment and instead express it in an existing or new policy assigned to the same group, like this:

//Classic

ALLOW environment:roles:logviewer;

Do not forget to apply the policy boundary to the new policy you modified.

topic Re: ‘View Logs’ role seems to be bypassing conditional access for Grail storage. Is this true? in Open Q&A

‘View Logs’ role seems to be bypassing conditional access for Grail storage. Is this true?

Re: ‘View Logs’ role seems to be bypassing conditional access for Grail storage. Is this true?