PutObject: object acl doesn't impose restrictions for a not-owner user #904

Open
evgeniiz321 opened this issue Nov 11, 2023 · 3 comments
Labels
bug (Something isn't working), I4 (No visible changes), S4 (Routine), U3 (Regular)

Comments

@evgeniiz321

  1. Create bucket with public-read-write ACL
  2. Create object with public-read ACL
  3. Try to rewrite this object with a non-owner user
  4. Expected an error due to lack of permissions, but in fact there are no errors.

test_access_bucket_publicreadwrite_object_publicread

object acl:

{'ResponseMetadata': {'RequestId': '4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f',
                      'HostId': '',
                      'HTTPStatusCode': 200,
                      'HTTPHeaders': {'x-amz-request-id': '4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f',
                                      'date': 'Sat, 11 Nov 2023 16:08:02 GMT',
                                      'content-length': '766',
                                      'content-type': 'text/xml; charset=utf-8'},
                      'MaxAttemptsReached': True,
                      'RetryAttempts': 0},
 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM',
           'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'},
 'Grants': [{'Grantee': {'Type': 'Group',
                         'URI': 'http://acs.amazonaws.com/groups/global/AllUsers'},
             'Permission': 'READ'},
            {'Grantee': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM',
                         'ID': '031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a',
                         'Type': 'CanonicalUser'},
             'Permission': 'FULL_CONTROL'}]}

logs:

2023-11-11T16:07:56.601Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "17e0f36d-f19b-4ded-ac38-025e15aa8365", "method": "CreateBucket", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "", "description": "OK"}
2023-11-11T16:07:57.637Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "58a67c20-c73d-4914-b4fe-5f3acfad6f7a", "method": "PutBucketACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "", "description": "OK"}
2023-11-11T16:07:58.568Z	debug	layer/object.go:258	put object	{"reqId": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:07:58.619Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:07:58.623Z	debug	layer/layer.go:480	get object	{"reqId": "3610650e-1125-45ba-b0b2-145d70e73764", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:07:59.637Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "3610650e-1125-45ba-b0b2-145d70e73764", "method": "PutObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:01.773Z	debug	layer/object.go:258	put object	{"reqId": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}
2023-11-11T16:08:02.489Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"}
2023-11-11T16:08:02.530Z	debug	layer/layer.go:480	get object	{"reqId": "4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:08:02.530Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f", "method": "GetObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:02.543Z	debug	layer/layer.go:480	get object	{"reqId": "692b007c-c720-474f-90bf-3b16b0e6e747", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}
2023-11-11T16:08:02.543Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "692b007c-c720-474f-90bf-3b16b0e6e747", "method": "GetObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"}
2023-11-11T16:08:02.550Z	debug	layer/layer.go:480	get object	{"reqId": "522a4616-fd5d-484b-a34e-70696226221a", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:08:02.557Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "522a4616-fd5d-484b-a34e-70696226221a", "method": "GetObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:03.914Z	debug	layer/object.go:258	put object	{"reqId": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "DtTGPEB781C2YZqqU5QDQ7o8yqjyiscJQUTqg8o1Cpfa"}
2023-11-11T16:08:04.320Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:04.325Z	debug	layer/layer.go:480	get object	{"reqId": "56c2704e-ed9e-4fb0-8aa5-87372fa1df07", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}
2023-11-11T16:08:04.332Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "56c2704e-ed9e-4fb0-8aa5-87372fa1df07", "method": "GetObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"}
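The script below is an added example; it is not code from the issue, from the test suite named above, or from neofs-s3-gw. It takes the two artifacts pasted in the report, the GetObjectACL response and the gateway log, and answers the two questions a reviewer of this bug would ask: which permissions the object ACL actually grants to an account other than the owner (it expands the AllUsers group and FULL_CONTROL), and whether the log shows key "foo" being rewritten, i.e. receiving a second NeoFS object ID. The non-owner canonical ID "0000deadbeef" is a hypothetical placeholder; the ACL and log lines are copied from the issue, with the ACL's ResponseMetadata dropped. The code only evaluates the grants as written; it does not decide whether an overwrite should additionally be allowed by bucket-level WRITE, which is the point under discussion in this thread.

```python
"""Evaluate the object ACL and gateway log pasted in neofs-s3-gw issue #904.

Added example, not part of the issue or the gateway code base.
"""
import json
from collections import defaultdict
from typing import Dict, List, Set

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# In S3, FULL_CONTROL is shorthand for the four individual ACL permissions.
FULL_CONTROL = {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}

# Object ACL copied from the GetObjectACL response in the issue (ResponseMetadata dropped).
OBJECT_ACL = {
    "Owner": {"DisplayName": "NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM",
              "ID": "NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM"},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"DisplayName": "NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM",
                     "ID": "031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a",
                     "Type": "CanonicalUser"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Gateway log lines copied from the issue. Records are tab-separated and the
# last field is JSON. One "call method" line is included to show it is skipped.
GATEWAY_LOG = "\n".join([
    '2023-11-11T16:07:58.568Z\tdebug\tlayer/object.go:258\tput object\t{"reqId": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}',
    '2023-11-11T16:07:58.619Z\tinfo\tapi/router.go:166\tcall method\t{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}',
    '2023-11-11T16:08:01.773Z\tdebug\tlayer/object.go:258\tput object\t{"reqId": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}',
    '2023-11-11T16:08:03.914Z\tdebug\tlayer/object.go:258\tput object\t{"reqId": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "DtTGPEB781C2YZqqU5QDQ7o8yqjyiscJQUTqg8o1Cpfa"}',
])


def acl_permissions(acl: dict, canonical_id: str, authenticated: bool = True) -> Set[str]:
    """Permissions `acl` grants to `canonical_id`, with group grants and FULL_CONTROL expanded.

    Only the grants themselves are evaluated; bucket-level permissions are out of scope.
    """
    perms: Set[str] = set()
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        gtype = grantee.get("Type")
        matched = (
            (gtype == "CanonicalUser" and grantee.get("ID") == canonical_id)
            or (gtype == "Group" and grantee.get("URI") == ALL_USERS)
            or (gtype == "Group" and grantee.get("URI") == AUTHENTICATED_USERS and authenticated)
        )
        if matched:
            perms |= FULL_CONTROL if perm == "FULL_CONTROL" else {perm}
    return perms


def object_versions(log_text: str) -> Dict[str, List[str]]:
    """Map "bucket/key" to the ordered list of NeoFS object IDs written for that key."""
    versions: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 5 or fields[3] != "put object":
            continue  # not a layer-level put record (e.g. the "call method" line)
        rec = json.loads(fields[4])
        versions[f"{rec['bucket']}/{rec['object']}"].append(rec["oid"])
    return dict(versions)


def overwritten_keys(log_text: str) -> Dict[str, List[str]]:
    """Keys that received more than one distinct object ID, i.e. were rewritten."""
    return {k: oids for k, oids in object_versions(log_text).items() if len(set(oids)) > 1}


if __name__ == "__main__":
    other_account = "0000deadbeef"  # hypothetical canonical ID of the non-owner account
    print("non-owner permissions on object:", sorted(acl_permissions(OBJECT_ACL, other_account)))
    print("keys rewritten according to the log:", overwritten_keys(GATEWAY_LOG))
```

Run as-is, the first line reports only READ for the non-owner, and the second shows that key "foo" got a second object ID (the second PutObject from the reproduction steps) while "bar" did not; together they restate, from the pasted data alone, what the report describes.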
@evgeniiz321 evgeniiz321 added bug Something isn't working triage labels Nov 11, 2023
@roman-khimov roman-khimov added this to the v0.30.1 milestone Nov 11, 2023
@roman-khimov roman-khimov added U3 Regular S4 Routine I4 No visible changes labels Dec 20, 2023
@smallhive
Contributor

According to #906 (comment) there is a conceptual difference between S3 and NeoFS.
IIRC, inside NeoFS objects inherit bucket rules, which is why setting an ACL for objects doesn't make sense when the bucket ACL is not so strict.

@roman-khimov
Member

But in S3 semantics it does. And we're doing everything via S3 gateway that can check for individual object ACLs.

@roman-khimov roman-khimov modified the milestones: v0.30.1, v0.31.0 Jun 18, 2024
@roman-khimov
Member

S3 can check for them, but the problem is to create a NeoFS request that would somehow use per-object ACL. It can't.

@roman-khimov roman-khimov removed this from the v0.31.0 milestone Jul 18, 2024