
Comments (24)

AmsterdamFilho commented on July 21, 2024 7

+1

from aws-glue-schema-registry.

dexter-mh-lee commented on July 21, 2024 6

Once I change it to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "glue:GetRegistry",
                "glue:CreateSchema",
                "glue:UpdateSchema",
                "glue:GetSchema",
                "glue:ListSchemas",
                "glue:RegisterSchemaVersion",
                "glue:GetSchemaByDefinition",
                "glue:GetSchemaVersion",
                "glue:GetSchemaVersionsDiff",
                "glue:ListSchemaVersions",
                "glue:CheckSchemaVersionValidity",
                "glue:PutSchemaVersionMetadata"
            ],
            "Resource": [
                "arn:aws:glue:*:----------:schema/*",
                "arn:aws:glue:us-west-2:----------:registry/demo-shared"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "glue:GetSchemaVersion"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

it works.
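As an added example (not from the thread or the project), a small Python check that encodes the pattern in the policy above: every action scoped to the registry and schema ARNs, with Resource "*" tolerated for glue:GetSchemaVersion alone. The account id and the second, over-broad policy are constructed for the example.

```python
import json

# Constructed sample policies (account id is a placeholder, not a real account).
ACCOUNT = "111122223333"
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": ["glue:GetRegistry", "glue:GetSchema", "glue:GetSchemaVersion",
                    "glue:RegisterSchemaVersion", "glue:ListSchemaVersions"],
         "Resource": [f"arn:aws:glue:*:{ACCOUNT}:schema/*",
                      f"arn:aws:glue:us-west-2:{ACCOUNT}:registry/demo-shared"]},
        {"Sid": "VisualEditor1", "Effect": "Allow",
         "Action": ["glue:GetSchemaVersion"], "Resource": ["*"]},
    ],
}
# The shortcut the thread objects to: the whole action list on "*".
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "S0", "Effect": "Allow", "Resource": "*",
                   "Action": ["glue:GetSchemaVersion", "glue:RegisterSchemaVersion",
                              "glue:UpdateSchema"]}],
}

# The only action the thread shows cannot be scoped to a registry ARN.
TOLERATED_ON_WILDCARD = {"glue:GetSchemaVersion"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy):
    """Return (Sid, action) pairs for Allow statements that grant an action on
    Resource "*" other than the tolerated glue:GetSchemaVersion, and for any
    wildcard action ("*" or "service:*") on any resource."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((stmt.get("Sid"), action))
            elif "*" in resources and action not in TOLERATED_ON_WILDCARD:
                findings.append((stmt.get("Sid"), action))
    return findings


def check_policy_json(text):
    """Entry point for a policy document read from a file or Terraform output."""
    return wildcard_findings(json.loads(text))
```

An empty result means the only wildcard grant left is the one the thread shows to be unavoidable; anything else listed is a statement to tighten.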


amcquistan commented on July 21, 2024 1

Seriously, this is needed. I thought AWS was a security-first organization? Simply telling customers to use * for reading any and all schemas / data contracts isn't an acceptable solution.

mohitpali commented on July 21, 2024

Edited - Reviewing the document now, it says that "You can limit the registries that can read by using the Resource clause. But if access to all registries is required then it can be achieved by specifying "*" for the appropriate portions of the ARN."

https://docs.aws.amazon.com/glue/latest/dg/schema-registry-gs.html#schema-registry-gs1b

        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "glue:GetSchemaVersion"
            ],
            "Resource": [
               "arn:aws:glue:aws-region:123456789012:registry/registryname-1"
            ]
        }

Is specifying the registry ARN not working?

dexter-mh-lee commented on July 21, 2024

Is this something that could be fixed? Why does getSchemaVersion require access to everything?

mohitpali commented on July 21, 2024

Oops, updated my comment after reviewing the document closely.

dexter-mh-lee commented on July 21, 2024

No. Every other permission I can set to point only to the specific registry, but for getSchemaVersion it throws an authentication error if I set the registry name.

mohitpali commented on July 21, 2024

Can you please paste the error here? I will check my resources and will get back on this.

dexter-mh-lee commented on July 21, 2024

So initially I used the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "glue:GetRegistry",
                "glue:CreateSchema",
                "glue:UpdateSchema",
                "glue:GetSchema",
                "glue:ListSchemas",
                "glue:RegisterSchemaVersion",
                "glue:GetSchemaByDefinition",
                "glue:GetSchemaVersion",
                "glue:GetSchemaVersionsDiff",
                "glue:ListSchemaVersions",
                "glue:CheckSchemaVersionValidity",
                "glue:PutSchemaVersionMetadata"
            ],
            "Resource": [
                "arn:aws:glue:*:---------:schema/*",
                "arn:aws:glue:us-west-2:---------:registry/demo-shared"
            ]
        }
    ]
}

I get the following error:

Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:sts::---------:assumed-role/EKSWorkerNodeIAM-demo/i-0672c1632cc37421e is not authorized to perform: glue:GetSchemaVersion (Service: Glue, Status Code: 400, Request ID: fb1de2eb-6b86-4f37-b13c-1b700cc2443f, Extended Request ID: null)

mohitpali commented on July 21, 2024

I confirmed within the team that this is a known issue. We will look into this; it will require some work.

dexter-mh-lee commented on July 21, 2024

Thanks a lot!

dexter-mh-lee commented on July 21, 2024

@mohitpali Any updates on this one?

mohitpali commented on July 21, 2024

We are looking into this, and unfortunately it would require some work. We will work on prioritizing this, but we don't have a timeline as of now. As a workaround, you could continue using * permissions.

fr-sano commented on July 21, 2024

@mohitpali
Actually, I faced the same problem.
My company doesn't allow me to use * permissions.

Can you take a look at this patch?
The basic idea and the actual modifications are very simple.
In this patch, when we specify the registry name and the schema name for the consumer side as we do for the producer side, instead of specifying the schema version id for GetSchemaVersion, it specifies the registry name, the schema name and the version number, after detecting the version number using ListSchemaVersions.
By doing this, we can avoid using the full-access privilege.
I hope you can consider applying this.

0001-Don-t-use-GetSchemaVersion-with-the-schema-version-i.patch.gz
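An added illustration of the approach described above (not the patch itself, and not project code): resolve the version number first, then fetch by registry, schema and version number so the request never carries the unscopable schema version id alone. Method and parameter names follow boto3's Glue client; FakeGlue is a constructed offline stand-in that records each call.

```python
def get_schema_version_scoped(glue, registry_name, schema_name, schema_version_id):
    """Map a schema version id to its version number with ListSchemaVersions,
    then fetch it with GetSchemaVersion by (registry, schema, version number).
    Both requests name the registry and schema, so the IAM resource can be the
    registry/schema ARNs instead of "*"."""
    schema_id = {"RegistryName": registry_name, "SchemaName": schema_name}
    token = None
    while True:
        kwargs = {"SchemaId": schema_id, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = glue.list_schema_versions(**kwargs)
        for entry in page.get("Schemas", []):
            if entry["SchemaVersionId"] == schema_version_id:
                return glue.get_schema_version(
                    SchemaId=schema_id,
                    SchemaVersionNumber={"VersionNumber": entry["VersionNumber"]},
                )
        token = page.get("NextToken")
        if not token:
            raise LookupError(f"{schema_version_id} not in {registry_name}/{schema_name}")


class FakeGlue:
    """Constructed stand-in for boto3.client("glue"); two single-entry pages
    exercise NextToken handling, and every call is recorded so a test can
    confirm that SchemaVersionId is never sent."""
    VERSIONS = {1: ("vid-0001", '{"type":"string"}'), 2: ("vid-0002", '{"type":"long"}')}

    def __init__(self):
        self.calls = []

    def list_schema_versions(self, **kw):
        self.calls.append(("ListSchemaVersions", kw))
        num = 2 if kw.get("NextToken") == "page2" else 1
        vid, _ = self.VERSIONS[num]
        page = {"Schemas": [{"SchemaVersionId": vid, "VersionNumber": num, "Status": "AVAILABLE"}]}
        if num == 1:
            page["NextToken"] = "page2"
        return page

    def get_schema_version(self, **kw):
        self.calls.append(("GetSchemaVersion", kw))
        num = kw["SchemaVersionNumber"]["VersionNumber"]
        vid, definition = self.VERSIONS[num]
        return {"SchemaVersionId": vid, "VersionNumber": num, "SchemaDefinition": definition}
```

With a real client the same function works unchanged, at the cost of one ListSchemaVersions round trip per unseen version id, which is why the thread also raises carrying the version number in the message.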


fr-sano commented on July 21, 2024

Actually, I came up with another idea: include the version number in the Kafka messages.
If it were possible, it might be better from a performance perspective.
But we cannot do it because GetSchemaByDefinition doesn't return the version number, though I don't know why.

blacktooth commented on July 21, 2024

Sorry we couldn't get to this; we will prioritize this against our existing backlog items.

jonsinfinity1 commented on July 21, 2024

I'm experiencing the same behavior. Is this issue still not resolved?

rupeshmore85 commented on July 21, 2024

We are experiencing the same issue! Unfortunately we cannot specify a * resource.

srikanthvpai commented on July 21, 2024

+1

ciandt-andregc commented on July 21, 2024

+1

chriline commented on July 21, 2024

+1

kothapet commented on July 21, 2024

Wow, still not fixed after 3+ years, and it's a security issue. Anyway, issues here are very helpful when other folks run into the same issue.
Thanks @dexter-mh-lee.

Tr1monster commented on July 21, 2024

+1, this should be fixed.

polster commented on July 21, 2024

Hey guys, same problem encountered during integration of the Glue Schema Registry, where we wanted to apply least privilege for the job principal...

Exception:

Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:iam::XXXXXXXX:user/YYYYYYY is not authorized to perform: glue:GetSchemaVersion because no identity-based policy allows the glue:GetSchemaVersion action

Only workaround so far (Terraform in our case):

    statement {
      actions   = ["glue:GetSchemaVersion"]
      resources = ["*"]
    }

As mentioned above already, we would be more than happy if this can be fixed, maybe in 2024 😄
