Comments (24)
+1
from aws-glue-schema-registry.
Once I change it to
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:GetRegistry",
        "glue:CreateSchema",
        "glue:UpdateSchema",
        "glue:GetSchema",
        "glue:ListSchemas",
        "glue:RegisterSchemaVersion",
        "glue:GetSchemaByDefinition",
        "glue:GetSchemaVersion",
        "glue:GetSchemaVersionsDiff",
        "glue:ListSchemaVersions",
        "glue:CheckSchemaVersionValidity",
        "glue:PutSchemaVersionMetadata"
      ],
      "Resource": [
        "arn:aws:glue:*:----------:schema/*",
        "arn:aws:glue:us-west-2:----------:registry/demo-shared"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "glue:GetSchemaVersion"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
it works.
from aws-glue-schema-registry.
Seriously this is needed. I thought AWS was a security first organization? Simply telling customers to use * for reading any and all schemas / data contracts isn't an acceptable solution
from aws-glue-schema-registry.
Edited - Reviewing the document now, it says that "You can limit the registries that can read by using the Resource clause. But if access to all registries is required then it can be achieved by specifying "*" for the appropriate portions of the ARN."
https://docs.aws.amazon.com/glue/latest/dg/schema-registry-gs.html#schema-registry-gs1b
{
  "Sid": "VisualEditor1",
  "Effect": "Allow",
  "Action": [
    "glue:GetSchemaVersion"
  ],
  "Resource": [
    "arn:aws:glue:aws-region:123456789012:registry/registryname-1"
  ]
}
Is specifying the registry ARN not working?
from aws-glue-schema-registry.
Is this something that could be fixed? Why does getSchemaVersion require access to everything?
from aws-glue-schema-registry.
Oops, updated my comment after reviewing the document closely.
from aws-glue-schema-registry.
No. For every other permission, I can set it to only point to the specific registry, but for getSchemaVersion, it throws an authentication error if I set the registry name.
from aws-glue-schema-registry.
Can you please paste the error here? I will check my resources and will get back on this.
from aws-glue-schema-registry.
So initially I used the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:GetRegistry",
        "glue:CreateSchema",
        "glue:UpdateSchema",
        "glue:GetSchema",
        "glue:ListSchemas",
        "glue:RegisterSchemaVersion",
        "glue:GetSchemaByDefinition",
        "glue:GetSchemaVersion",
        "glue:GetSchemaVersionsDiff",
        "glue:ListSchemaVersions",
        "glue:CheckSchemaVersionValidity",
        "glue:PutSchemaVersionMetadata"
      ],
      "Resource": [
        "arn:aws:glue:*:---------:schema/*",
        "arn:aws:glue:us-west-2:---------:registry/demo-shared"
      ]
    }
  ]
}
I get the following error:
Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:sts::---------:assumed-role/EKSWorkerNodeIAM-demo/i-0672c1632cc37421e is not authorized to perform: glue:GetSchemaVersion (Service: Glue, Status Code: 400, Request ID: fb1de2eb-6b86-4f37-b13c-1b700cc2443f, Extended Request ID: null)
from aws-glue-schema-registry.
I confirmed within the team that this is a known issue. We will look into this and will require some work.
from aws-glue-schema-registry.
Thanks a lot!
from aws-glue-schema-registry.
@mohitpali Any updates on this one?
from aws-glue-schema-registry.
We are looking into this and unfortunately this would require some work. We will work on prioritizing this but we don't have a timeline as of now. As a workaround, you could continue using * permissions.
from aws-glue-schema-registry.
@mohitpali
Actually, I faced the same problem.
My company doesn't allow me to use * permissions.
Can you take a look at this patch?
The basic idea and the actual modifications are so simple.
In this patch, when we specify the registry name and the schema name for the consumer side as we do for the producer side, instead of specifying the schema version id for GetSchemaVersion, it specifies the registry name, the schema name and the version number for it, after detecting the version number using ListSchemaVersions.
We can avoid using the full-access privilege by doing it like this.
I hope you can consider applying this.
0001-Don-t-use-GetSchemaVersion-with-the-schema-version-i.patch.gz
from aws-glue-schema-registry.
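The lookup path the patch above describes, written here as an added Python/boto3 example (it is not code from aws-glue-schema-registry, whose serde is Java): the consumer only knows the SchemaVersionId carried in each record, so it lists the versions of the configured registry/schema, finds the matching id, and then calls GetSchemaVersion by name and version number instead of by id, which is the call shape the thread says can be scoped to registry and schema ARNs. The `glue` argument is any object exposing boto3-style `list_schema_versions` and `get_schema_version` methods; the registry, schema and version-id values in `main` are placeholders.

```python
"""Resolve a Glue Schema Registry version id without GetSchemaVersion-by-id."""
from typing import Any, Dict, Iterator


def iter_schema_versions(glue: Any, registry: str, schema: str) -> Iterator[Dict[str, Any]]:
    """Yield every version entry of registry/schema, following NextToken pagination."""
    schema_id = {"RegistryName": registry, "SchemaName": schema}
    token = None
    while True:
        kwargs: Dict[str, Any] = {"SchemaId": schema_id, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        page = glue.list_schema_versions(**kwargs)
        yield from page.get("Schemas", [])
        token = page.get("NextToken")
        if not token:
            return


def version_number_for_id(glue: Any, registry: str, schema: str, version_id: str) -> int:
    """Map the SchemaVersionId found in a record to its VersionNumber.

    Raises LookupError when the id does not belong to the configured schema,
    so a consumer never silently decodes with a schema from another registry.
    """
    for entry in iter_schema_versions(glue, registry, schema):
        if entry["SchemaVersionId"] == version_id:
            return int(entry["VersionNumber"])
    raise LookupError(f"{version_id} is not a version of {registry}/{schema}")


def get_schema_definition(glue: Any, registry: str, schema: str, version_id: str) -> str:
    """Fetch the schema text by registry/schema name + version number, not by opaque id."""
    number = version_number_for_id(glue, registry, schema, version_id)
    resp = glue.get_schema_version(
        SchemaId={"RegistryName": registry, "SchemaName": schema},
        SchemaVersionNumber={"VersionNumber": number},
    )
    return resp["SchemaDefinition"]


if __name__ == "__main__":
    import boto3  # only needed for a real run; the functions above take any client-like object

    client = boto3.client("glue", region_name="us-west-2")  # region is a placeholder
    # placeholder names; replace with the registry/schema the consumer is configured for
    print(get_schema_definition(client, "demo-shared", "orders", "<schema-version-id>"))
```

Because the id-to-number resolution costs a ListSchemaVersions round trip per unseen id, cache the result per version id in a long-running consumer.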
Actually I came up with another idea to include the version number in the Kafka messages.
If it's possible it might be better from the performance perspective.
But we cannot do it because GetSchemaByDefinition doesn't return the version number, though I don't know why.
from aws-glue-schema-registry.
Sorry we couldn't get to this, we will prioritize this against our existing backlog items.
from aws-glue-schema-registry.
I'm experiencing the same behavior. Is this issue still not resolved?
from aws-glue-schema-registry.
We are experiencing the same issue! Unfortunately we cannot specify the * resource.
from aws-glue-schema-registry.
+1
from aws-glue-schema-registry.
+1
from aws-glue-schema-registry.
+1
from aws-glue-schema-registry.
Wow, still not fixed after 3+ years, and it's a security issue. Anyway, the issues here are very helpful when other folks run into the same issue.
thanks @dexter-mh-lee.
from aws-glue-schema-registry.
+1 this should be fixed
from aws-glue-schema-registry.
Hey guys - same problem encountered during integration of the Glue Schema Registry, where we wanted to apply least privilege for the job principal...
Exception:
Caused by: software.amazon.awssdk.services.glue.model.AccessDeniedException: User: arn:aws:iam::XXXXXXXX:user/YYYYYYY is not authorized to perform: glue:GetSchemaVersion because no identity-based policy allows the glue:GetSchemaVersion action
Only workaround so far (Terraform in our case):
statement {
  actions   = ["glue:GetSchemaVersion"]
  resources = ["*"]
}
As mentioned above already, we would be more than happy if this can be fixed, maybe in 2024
from aws-glue-schema-registry.