Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(glue): table read permissions contain BatchDeletePartition #15116

Closed
BenChaimberg opened this issue Jun 14, 2021 · 3 comments
Closed

(glue): table read permissions contain BatchDeletePartition #15116

BenChaimberg opened this issue Jun 14, 2021 · 3 comments
Assignees
@kaizencc
Labels
@aws-cdk/aws-glue Related to AWS Glue bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@BenChaimberg
Copy link
Contributor

BenChaimberg commented Jun 14, 2021
edited
Loading

The table construct's default read permissions (used in grantRead*) include "glue:BatchDeletePartition" which sounds off. Must investigate.

This is 🐛 Bug Report
@BenChaimberg BenChaimberg added bug This issue is a bug. p2 effort/small Small work item – less than a day of effort @aws-cdk/aws-glue Related to AWS Glue labels Jun 14, 2021
@BenChaimberg BenChaimberg mentioned this issue Jun 14, 2021
Merged
@BenChaimberg BenChaimberg removed their assignment Jun 14, 2021
@kaizencc kaizencc self-assigned this Dec 9, 2021
@kaizencc
Copy link
Contributor

kaizencc commented Dec 9, 2021

This looks like an oversight to me. Here is what IAM suggests are all the read permissions for Glue. The initial PR that added in the read permissions did not have any reasoning for this either: #1988.

Since Glue is experimental I think I will simply remove glue:BatchDeletePartition as a breaking change.

Screen Shot 2021-12-09 at 4 42 06 PM

@kaizencc kaizencc mentioned this issue Dec 10, 2021
Merged
mergify bot pushed a commit that referenced this issue Dec 10, 2021
@kaizencc
fix(glue): remove batchDeletePartition from grantRead() permissio…
3d64f9b 
…ns (#17941)

It is convention in the CDK to expose the underlying `grant()` API to make it simple for users to grant custom permissions to their resource. 

In addition, this PR removes 'glue:BatchDeletePartition' from `readPermissions`, which was previously erroneously added.

closes #17935 and #15116.

BREAKING CHANGE: the grantRead API previously included 'glue:BatchDeletePartition', and now it does not.


 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@kaizencc
Copy link
Contributor

Closed by #17941

@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this issue Feb 21, 2022
@kaizencc @TikiTDO
fix(glue): remove batchDeletePartition from grantRead() permissio…
4ea9f33 
…ns (aws#17941)

It is convention in the CDK to expose the underlying `grant()` API to make it simple for users to grant custom permissions to their resource. 

In addition, this PR removes 'glue:BatchDeletePartition' from `readPermissions`, which was previously erroneously added.

closes aws#17935 and aws#15116.

BREAKING CHANGE: the grantRead API previously included 'glue:BatchDeletePartition', and now it does not.


 

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kaizencc kaizencc

Labels
@aws-cdk/aws-glue Related to AWS Glue bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@BenChaimberg @kaizencc