Posted to users@zeppelin.apache.org by Great Info <gu...@gmail.com> on 2021/07/25 16:06:04 UTC

Delete notebook in s3notebook repo is not working

I have deployed Zeppelin 0.9.0 on AWS EC2 and configured the S3 notebook
store. I have an IAM role created, the EC2 instance uses that role, and the
right bucket permissions are defined for that role.
Creating and modifying notebooks works, but delete is not working; I am
getting a 403 error.

I have the right policy defined; below is my policy JSON (the camel case was
lost here due to some content move). How do I know which action is used
during notebook deletion?

{
  "Version": "2012-10-17",
  "Id": "bucket_policy",
  "Statement": [
    {
      "Sid": "DenyReadAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::zeppelin-tes/*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
        }
      }
    },
    {
      "Sid": "DenyWriteAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:PutObjectAcl"],
      "Resource": "arn:aws:s3:::zeppelin-tes/*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
        }
      }
    },
    {
      "Sid": "DenyDeleteAccess",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:AbortMultipartUpload"],
      "Resource": "arn:aws:s3:::zeppelin-tes/*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
        }
      }
    },
    {
      "Sid": "DenyReplicateAccessAllExceptMasterRoles",
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:ReplicateObject", "s3:ReplicateTags", "s3:ReplicateDelete"],
      "Resource": "arn:aws:s3:::zeppelin-tes/*",
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
        }
      }
    },
    {
      "Sid": "DenyAccessExceptForMasterRoles",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:DeleteBucket", "s3:DeleteBucketPolicy", "s3:DeleteBucketWebsite",
        "s3:PutBucketAcl", "s3:PutBucketCORS", "s3:PutBucketPolicy",
        "s3:PutBucketLogging", "s3:PutBucketNotification",
        "s3:PutBucketObjectLockConfiguration", "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketRequestPayment", "s3:PutBucketWebsite", "s3:RestoreObject*"
      ],
      "Resource": ["arn:aws:s3:::zeppelin-tes", "arn:aws:s3:::zeppelin-tes/*"],
      "Condition": {
        "ArnLike": {
          "aws:PrincipalArn": "arn:aws:iam::985767567532:role/app/zeppelin-tes"
        }
      }
    },
    {
      "Sid": "DenyNonSecureTraffic",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::zeppelin-tes", "arn:aws:s3:::zeppelin-tes/*"],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Re: Delete notebook in s3notebook repo is not working

Posted by Great Info <gu...@gmail.com>.
Hi,
Can someone help raise a pull request for this?
Due to some official reason, I cannot submit the pull request myself.


On Tue, Jul 27, 2021 at 9:37 PM Great Info <gu...@gmail.com> wrote:



Re: Delete notebook in s3notebook repo is not working

Posted by Great Info <gu...@gmail.com>.
The move method is getting called in S3NotebookRepo whenever a notebook is
deleted; in this method server-side encryption is not set, so adding the
below code will fix the issue.

  @Override
  public void move(String noteId, String notePath, String newNotePath,
                   AuthenticationInfo subject) throws IOException {
    String key = rootFolder + "/" + buildNoteFileName(noteId, notePath);
    String newKey = rootFolder + "/" + buildNoteFileName(noteId, newNotePath);
    CopyObjectRequest copReq = new CopyObjectRequest(bucketName, key, bucketName, newKey);
    if (useServerSideEncryption) {
      // Request server-side encryption on the copied object; this was missing
      // before, which is what produced the 403 on delete.
      ObjectMetadata objectMetadata = new ObjectMetadata();
      objectMetadata.setSSEAlgorithm(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
      copReq.setNewObjectMetadata(objectMetadata);
    }
    // Copy to the new key first, then remove the old key.
    //s3client.copyObject(bucketName, key, bucketName, newKey);
    s3client.copyObject(copReq);
    s3client.deleteObject(bucketName, key);
  }


P.S. Due to some official reason I cannot submit the pull request myself.

On Mon, Jul 26, 2021 at 7:42 AM Jeff Zhang <zj...@gmail.com> wrote:

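To answer the original question (which S3 actions a notebook delete needs) and to show why the SSE metadata in the posted move() fix matters, here is an added example, not Zeppelin's code and not part of this thread: it replays the thread's bucket policy against the CopyObject and DeleteObject calls that move() issues. It uses a simplified policy evaluator, constructed object keys, and one assumed deny-unless-SSE statement (DenyUnencryptedPut) that is not on the page.

```python
"""Which S3 calls does deleting a Zeppelin note make, and which does the bucket
policy from this thread block?  Added example: a small subset of IAM evaluation."""
import fnmatch

ZEPPELIN_ROLE = "arn:aws:iam::985767567532:role/app/zeppelin-tes"  # from the thread
OBJECTS = "arn:aws:s3:::zeppelin-tes/*"
NOT_ROLE = {"ArnNotLike": {"aws:PrincipalArn": ZEPPELIN_ROLE}}


def _deny(sid, action, condition, resource=OBJECTS):
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": action,
            "Resource": resource, "Condition": condition}


# Constructed: the thread's object-level Deny statements (keys re-cased, bucket-admin
# statements omitted) plus ONE ASSUMED statement, DenyUnencryptedPut, which is not on
# the page but is the usual reason a CopyObject sent without an SSE header gets 403.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    _deny("DenyReadAccess", ["s3:GetObject", "s3:GetObjectVersion"], NOT_ROLE),
    _deny("DenyWriteAccess", ["s3:PutObject", "s3:PutObjectAcl"], NOT_ROLE),
    _deny("DenyDeleteAccess", ["s3:DeleteObject", "s3:DeleteObjectVersion",
                               "s3:AbortMultipartUpload"], NOT_ROLE),
    _deny("DenyNonSecureTraffic", "s3:*", {"Bool": {"aws:SecureTransport": "false"}},
          resource=["arn:aws:s3:::zeppelin-tes", OBJECTS]),
    _deny("DenyUnencryptedPut", "s3:PutObject",  # ASSUMED, see comment above
          {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}),
]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, ctx):
    """Simplified IAM semantics; negated operators are true when the key is absent."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have, wanted = ctx.get(key), _as_list(wanted)
            if operator == "ArnLike":
                ok = have is not None and any(fnmatch.fnmatchcase(have, w) for w in wanted)
            elif operator == "ArnNotLike":
                ok = have is None or not any(fnmatch.fnmatchcase(have, w) for w in wanted)
            elif operator == "Bool":
                ok = have is not None and have.lower() == wanted[0].lower()
            elif operator == "StringNotEquals":
                ok = have is None or have not in wanted
            else:
                raise ValueError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def explicit_denies(policy, action, resource, ctx):
    """Sids of Deny statements whose Action, Resource and Condition all match."""
    hits = []
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st["Action"])]
        if st["Effect"] != "Deny" or not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), ctx):
            hits.append(st["Sid"])
    return hits


def simulate_delete(principal_arn, sse_on_copy, secure_transport=True):
    """Replay what S3NotebookRepo.move() plus the final delete issue, per the thread:
    CopyObject (read of the source, write of the destination), then DeleteObject.
    The object keys are constructed sample values."""
    src = "arn:aws:s3:::zeppelin-tes/notebook/demo_2ABCDEF.zpln"
    dst = "arn:aws:s3:::zeppelin-tes/notebook/~Trash/demo_2ABCDEF.zpln"
    base = {"aws:PrincipalArn": principal_arn,
            "aws:SecureTransport": "true" if secure_transport else "false"}
    put_ctx = dict(base)
    if sse_on_copy:  # what the posted fix adds via ObjectMetadata.setSSEAlgorithm
        put_ctx["s3:x-amz-server-side-encryption"] = "AES256"
    return {
        "CopyObject: read source": explicit_denies(BUCKET_POLICY, "s3:GetObject", src, base),
        "CopyObject: write destination": explicit_denies(BUCKET_POLICY, "s3:PutObject", dst, put_ctx),
        "DeleteObject: remove source": explicit_denies(BUCKET_POLICY, "s3:DeleteObject", src, base),
    }
```

With the zeppelin-tes role and SSE on the copy nothing is denied; without the SSE header only the destination write of the copy is denied, by the assumed statement, which is the shape of the 403 the thread describes, and any other principal is denied by the thread's own ArnNotLike statements.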


Re: Delete notebook in s3notebook repo is not working

Posted by Jeff Zhang <zj...@gmail.com>.
Not sure what the root cause is; do you mind helping to fix it? I am not sure
whether others in the community are familiar with S3 and have an environment
to test it.

Great Info <gu...@gmail.com> wrote on Mon, Jul 26, 2021 at 12:06 AM:



-- 
Best Regards

Jeff Zhang
