After applying an AWS IAM policy, how long should I wait for it to take effect?

Problem description

I'm adding and removing AWS IAM user policies programmatically, and I'm getting inconsistent results from the application of those policies.

For example, this may or may not succeed (I'm using the Java 1.6.6 SDK):

  1. Start with a user who can read from a specific bucket
  2. Clear the user's policies (list the policies, then call "deleteUserPolicy" for each one)
  3. Wait until the user has no user policies (call "listUserPolicies" until it returns an empty set)
  4. Attempt to read from the bucket (this should fail)

If I put in a breakpoint between #3 and #4 and wait a few seconds, the user cannot read from the bucket, which is what I expect. If I remove breakpoints, the user can read from the bucket, which is wrong.

(This is also inconsistent when I add a policy then access a resource)

I'd like to know when a policy change has had an effect on the component (S3, SQS, etc), not just on the IAM system. Is there any way to get a receipt or acknowledgement from this? Or maybe there is a certain amount of time to wait?

Is there any documentation on the internals of policy application?

(FYI, I have copied my question from https://forums.aws.amazon.com/thread.jspa?threadID=140383&tstart=0 )

Recommended answer

The phrase "almost immediately" is used 5 times in the IAM FAQ, and is, of course, somewhat subjective.

Since AWS is a globally-distributed system, your changes have to propagate, and the system as a whole seems to be designed to favor availability and partition tolerance as opposed to immediate consistency.

I don't know whether you've considered it, but it's entirely within the bounds of possibility that you might actually, at step 4 in your flow, see a sequence of pass, fail, pass, pass, fail, fail, fail, fail... because neither a bucket nor an object in a bucket are actually a single thing in a single place, as evidenced by the mixed consistency model of different actions in S3, where new objects are immediately-consistent while overwrites and deletes are eventually consistent... so the concept of a policy having "had an effect" or not on the bucket or an object isn't an entirely meaningful concept since the application of the policy is, itself, almost certainly, a distributed event.

To confirm such an application of policies would require AWS to expose the capability of (at least indirectly) interrogating every entity that has a replicated copy of that policy to see whether it had the current version or not... which would be potentially impractical or unwieldy to say the least in a system as massive as S3, which has grown beyond a staggering 2 trillion objects, and serves peak loads in excess of 1.1 million requests per second.

Official AWS answers to this forum post provide more information:

    We actively monitor the performance of the replication system. But like S3, we guarantee only eventual consistency, not any particular upper bound.

The accompanying answer to what to do in the meantime was "try again."
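The question's step 3 polls the IAM control plane (listUserPolicies) and still races the data plane, and the answer above explains why: the policy is replicated, so step 4 can flicker between pass and fail before it settles. The only observation that matters is the data-plane call itself, made with the affected credentials. The following is an added example, not code from the question, the answer, or AWS. It polls a caller-supplied probe until the expected result has been seen several times in a row, backing off between attempts, and exercises that loop against a constructed model of a replicated authorizer whose replicas catch up at different times. The `ReplicatedAuthorizer` lags and the round-robin request distribution are assumptions for the simulation, not a description of AWS internals; in real use `probe` would be something like a boto3 `s3.get_object` call that returns False when a `botocore.exceptions.ClientError` with code `AccessDenied` is raised.

```python
"""Wait for an IAM policy change to become visible at the data plane.

Added example (not from the original question or answer). `probe` is assumed
to be a caller-supplied callable that performs the real data-plane request with
the affected principal's credentials (e.g. boto3 s3.get_object) and returns
True if access was allowed, False if it was denied. Polling listUserPolicies
only proves the control plane accepted the write.
"""
import time
from typing import Callable, List, Optional, Sequence, Tuple


def wait_for_policy_effect(
    probe: Callable[[], bool],
    expected: bool,
    *,
    consecutive: int = 5,
    timeout: float = 60.0,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> bool:
    """Return True once probe() matched `expected` `consecutive` times in a row.

    A single matching observation is not convergence: a replicated policy can
    yield pass, fail, pass, fail ... while replicas catch up, so a streak is
    required and the poll interval backs off exponentially. Returns False if
    the streak is not reached before `timeout` seconds have elapsed.
    """
    deadline = clock() + timeout
    streak = 0
    delay = base_delay
    while True:
        if probe() == expected:
            streak += 1
            if streak >= consecutive:
                return True
        else:
            streak = 0  # a stale replica answered; start the streak over
        if clock() + delay > deadline:
            return False  # sleeping again would overrun the deadline
        sleep(delay)
        delay = min(delay * 2, max_delay)


class FakeClock:
    """Deterministic clock so the simulation runs instantly and repeatably."""

    def __init__(self) -> None:
        self.now = 0.0

    def monotonic(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class ReplicatedAuthorizer:
    """Constructed model of a replicated authorizer (an assumption, not AWS).

    Replica i starts enforcing a newly written deny only after lags[i] seconds;
    requests are spread round-robin across replicas, so successive probes can
    disagree until every replica has caught up.
    """

    def __init__(self, replica_lags: Sequence[float], clock: FakeClock) -> None:
        self.lags = list(replica_lags)
        self.clock = clock
        self.deny_written_at: Optional[float] = None
        self._next = 0

    def apply_deny(self) -> None:
        self.deny_written_at = self.clock.monotonic()

    def allowed(self) -> bool:
        i = self._next % len(self.lags)
        self._next += 1
        if self.deny_written_at is None:
            return True
        return self.clock.monotonic() < self.deny_written_at + self.lags[i]


def simulate(
    replica_lags: Sequence[float] = (0.0, 1.5, 6.0),
    consecutive: int = 5,
    timeout: float = 60.0,
) -> Tuple[bool, List[bool], float]:
    """Revoke access, then wait until the denial is observed consistently.

    Returns (converged, trace of probe results, simulated seconds elapsed).
    """
    clock = FakeClock()
    auth = ReplicatedAuthorizer(replica_lags, clock)
    auth.apply_deny()  # stands in for deleteUserPolicy in the question
    trace: List[bool] = []

    def probe() -> bool:
        ok = auth.allowed()
        trace.append(ok)
        return ok

    converged = wait_for_policy_effect(
        probe, expected=False, consecutive=consecutive, timeout=timeout,
        sleep=clock.sleep, clock=clock.monotonic,
    )
    return converged, trace, clock.now


if __name__ == "__main__":
    ok, trace, elapsed = simulate()
    print("converged:", ok, "after", elapsed, "simulated seconds")
    print("probe results (True = still allowed):", trace)
```

With the default lags the trace is denied, allowed, allowed, denied, denied, ... which is exactly the flicker the answer warns about; a loop that stopped at the first denial would have declared success at t=0 and then read the bucket successfully on the next request. A streak reduces that risk but does not eliminate it, since AWS publishes no upper bound and a straggling replica can still answer later, so treat the streak length and timeout as tuning knobs for your own tolerance, and keep the "try again" retry in the calling code as well.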
