Permission serviceusage.services.use required with userProject parameter included in requests by default #13745

Closed
guyarad opened this issue Sep 20, 2022 · 4 comments · Fixed by #13749


guyarad commented Sep 20, 2022

Regression - some of the GCP projects I'm connecting to fail with the following error:

Listing directory / failed:
user@email.com does not have serviceusage.services.use access to the Google Cloud project. Domain: global. Reason: forbidden. Forbidden. Please contact your web hosting service provider for assistance.

This is an issue introduced with 8.4.4, as downgrading to 8.4.3 makes the issue disappear.
I'm guessing that some of the GCP projects have a permission (serviceusage.services.use) not configured in my account.
However, this permission isn't needed for my ongoing work, so I don't see what is required for Cyberduck.

  • OS: MacOS 10.15.7 (19H1824)

Log Files
cyberduck-bug.txt

@dkocher dkocher added the googlestorage Google Cloud Storage Protocol Implementation label Sep 20, 2022
Contributor

dkocher commented Sep 20, 2022

This is caused by b1dc48d as we now include the userProject query parameter in requests to allow access of buckets that have Requester Pays enabled.

Contributor

dkocher commented Sep 20, 2022

This can be disabled by setting the configuration option googlestorage.bucket.requesterpays to false.

@dkocher dkocher self-assigned this Sep 20, 2022
@dkocher dkocher changed the title Version 8.4.4 breaks connection to GCS project Permission serviceusage.services.use required with userProject parameter included in requests by default Sep 20, 2022
Author

guyarad commented Sep 21, 2022

@dkocher While this solution indeed works, I'm quite sure it's not the right one. My user has access to the projects. Why would I get access denied? In the requests, the same project is being used for both the project and the userProject parameters. That said, a feature should be backward compatible.
There are several reasons this feature should be OFF by default, configurable per connection and visible in the UI:

  1. It breaks existing behavior (and it's a minor update).
  2. It requires significant configuration on the bucket side (permission, bucket setup etc.).
  3. When using multiple projects, it's very plausible to have this feature on for some connections and off for others.
  4. Because it's a feature with an impact on usability, and the need for having it per connection, I believe it should be exposed in the connection configuration UI.

@dkocher dkocher added this to the 8.4.5 milestone Sep 21, 2022
Contributor

dkocher commented Sep 21, 2022

The documentation does not imply special permissions are required when including userProject:

Buckets that have Requester Pays disabled still accept requests that include a billing project, and charges are applied to the billing project supplied in the request. Consider any billing implications prior to including a billing project in all of your requests.

but it looks like we should include it only when the requester pays option is set on the bucket.

dkocher added a commit that referenced this issue Sep 21, 2022
dkocher added a commit that referenced this issue Sep 23, 2022
Fix #13745. Only set `userProject` for buckets with requester pays op…
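
The rule the thread settles on (send `userProject` only for buckets that have Requester Pays enabled), sketched as an added example; it is not Cyberduck's code or the referenced commit. It assumes the Cloud Storage JSON API bucket field `billing.requesterPays`; the function names, the `feature_enabled` flag standing in for `googlestorage.bucket.requesterpays`, and the sample buckets are constructed for illustration.

```python
import json
from urllib.parse import quote, urlencode

API = "https://storage.googleapis.com/storage/v1"  # JSON API base URL


def requester_pays(bucket_metadata: dict) -> bool:
    """True only when the bucket resource carries billing.requesterPays = true.

    A missing or null `billing` block means the bucket owner pays, so no
    billing project (and no serviceusage.services.use check) is involved.
    """
    billing = bucket_metadata.get("billing") or {}
    return billing.get("requesterPays") is True


def list_objects_url(bucket_metadata: dict, billing_project: str,
                     feature_enabled: bool = True) -> str:
    """Build an objects.list URL, adding userProject only when it is needed.

    feature_enabled is a hypothetical stand-in for the
    googlestorage.bucket.requesterpays option named in the thread.
    """
    params = {"delimiter": "/"}
    if feature_enabled and billing_project and requester_pays(bucket_metadata):
        # Only here does the caller need serviceusage.services.use
        # on billing_project.
        params["userProject"] = billing_project
    name = quote(bucket_metadata["name"], safe="")
    return f"{API}/b/{name}/o?{urlencode(params)}"


# Constructed bucket resources (not taken from the issue's log file).
PLAIN = json.loads('{"name": "plain-bucket"}')
NULL_BILLING = json.loads('{"name": "plain-bucket-2", "billing": null}')
PAYS = json.loads('{"name": "pays-bucket", "billing": {"requesterPays": true}}')

if __name__ == "__main__":
    for bucket in (PLAIN, NULL_BILLING, PAYS):
        print(list_objects_url(bucket, "example-project"))
    # Option switched off: never send userProject, even for PAYS.
    print(list_objects_url(PAYS, "example-project", feature_enabled=False))
```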