PutObject: incorrect behavior in case of object acl equals to private #905

Closed
evgeniiz321 opened this issue Nov 11, 2023 · 2 comments

@evgeniiz321

  1. Create bucket with public-read-write ACL
  2. Create object1 with private ACL
  3. Create object2 without ACL
  4. Try to put/get object1 from a different user - no access - that's correct
  5. Try to put/get object2 from a different user - no access - that's incorrect, due to the bucket public-read-write ACL - access should be given

test_access_bucket_publicreadwrite_object_private

object1 acl:

{'ResponseMetadata': {'RequestId': '5a7e24a5-e65d-4832-ac74-c4d1f5f51911', 'HostId': '', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': '5a7e24a5-e65d-4832-ac74-c4d1f5f51911', 'date': 'Sat, 11 Nov 2023 16:23:52 GMT', 'content-length': '574', 'content-type': 'text/xml; charset=utf-8'}, 'MaxAttemptsReached': True, 'RetryAttempts': 0}, 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': [{'Grantee': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': '031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a', 'Type': 'CanonicalUser'}, 'Permission': 'FULL_CONTROL'}]}

object2 acl:

{'ResponseMetadata': {'RequestId': '42d0ecb2-1547-4ee4-948b-aa6c28fbc753', 'HostId': '', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': '42d0ecb2-1547-4ee4-948b-aa6c28fbc753', 'date': 'Sat, 11 Nov 2023 16:23:52 GMT', 'content-length': '288', 'content-type': 'text/xml; charset=utf-8'}, 'MaxAttemptsReached': True, 'RetryAttempts': 0}, 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': []}

logs:

2023-11-11T16:23:48.378Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "848609c4-4e0d-40c6-8016-6cb13d0968dd", "method": "CreateBucket", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "", "description": "OK"}
2023-11-11T16:23:49.422Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "c0b7d315-9b36-4110-be83-36ca9588f071", "method": "PutBucketACL", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "", "description": "OK"}
2023-11-11T16:23:50.537Z	debug	layer/object.go:258	put object	{"reqId": "6d66a5e3-7743-41ed-ade0-2de494dc3b95", "bucket": "yournamehere-epml91lk85ouga5a-1", "cid": "DXUbY5i6CLeQhnMkZpkhD5UDxATPpGeZRqyL5DY5Ac2E", "object": "foo", "oid": "42S9uHL7U6ruLWYKbXMoQZtLWcPWLmCMpe7R2Tapjxyc"}
2023-11-11T16:23:50.696Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "6d66a5e3-7743-41ed-ade0-2de494dc3b95", "method": "PutObject", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "foo", "description": "OK"}
2023-11-11T16:23:50.704Z	debug	layer/layer.go:480	get object	{"reqId": "9d5ab0b5-012c-41dd-b5f0-6ca588504233", "bucket": "yournamehere-epml91lk85ouga5a-1", "cid": "DXUbY5i6CLeQhnMkZpkhD5UDxATPpGeZRqyL5DY5Ac2E", "object": "foo", "oid": "42S9uHL7U6ruLWYKbXMoQZtLWcPWLmCMpe7R2Tapjxyc"}
2023-11-11T16:23:51.724Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "9d5ab0b5-012c-41dd-b5f0-6ca588504233", "method": "PutObjectACL", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "foo", "description": "OK"}
2023-11-11T16:23:52.639Z	debug	layer/object.go:258	put object	{"reqId": "f5870a5e-e580-4c57-8d23-350f5af5a1d9", "bucket": "yournamehere-epml91lk85ouga5a-1", "cid": "DXUbY5i6CLeQhnMkZpkhD5UDxATPpGeZRqyL5DY5Ac2E", "object": "bar", "oid": "AcZ6YpSzfw3PKyGU77BxcbYGca5FCMvqj3KMfC9BraXR"}
2023-11-11T16:23:52.781Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "f5870a5e-e580-4c57-8d23-350f5af5a1d9", "method": "PutObject", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "bar", "description": "OK"}
2023-11-11T16:23:52.791Z	debug	layer/layer.go:480	get object	{"reqId": "5a7e24a5-e65d-4832-ac74-c4d1f5f51911", "bucket": "yournamehere-epml91lk85ouga5a-1", "cid": "DXUbY5i6CLeQhnMkZpkhD5UDxATPpGeZRqyL5DY5Ac2E", "object": "foo", "oid": "42S9uHL7U6ruLWYKbXMoQZtLWcPWLmCMpe7R2Tapjxyc"}
2023-11-11T16:23:52.791Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "5a7e24a5-e65d-4832-ac74-c4d1f5f51911", "method": "GetObjectACL", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "foo", "description": "OK"}
2023-11-11T16:23:52.799Z	debug	layer/layer.go:480	get object	{"reqId": "42d0ecb2-1547-4ee4-948b-aa6c28fbc753", "bucket": "yournamehere-epml91lk85ouga5a-1", "cid": "DXUbY5i6CLeQhnMkZpkhD5UDxATPpGeZRqyL5DY5Ac2E", "object": "bar", "oid": "AcZ6YpSzfw3PKyGU77BxcbYGca5FCMvqj3KMfC9BraXR"}
2023-11-11T16:23:52.799Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "42d0ecb2-1547-4ee4-948b-aa6c28fbc753", "method": "GetObjectACL", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "bar", "description": "OK"}
2023-11-11T16:23:52.817Z	error	handler/util.go:29	call method	{"status": 403, "request_id": "c030b369-b712-4b3a-a640-69287e18ffa4", "method": "GetObject", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "foo", "description": "could not find object", "error": "access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule"}
2023-11-11T16:23:52.824Z	error	handler/util.go:29	call method	{"status": 403, "request_id": "d8e9c484-ea59-4708-9840-65f4ecc5dd07", "method": "PutObject", "bucket": "yournamehere-epml91lk85ouga5a-1", "object": "foo", "description": "could not get bucket settings", "error": "couldn't get node: access denied: rpc error: code = Unknown desc = access to operation GET is denied by extended ACL check: DENY eACL rule"}
2023-11-11T16:23:52.834Z	error	handler/util.go:29	call method	{"status": 403, "request_id": "72fd0a78-5e3e-48fc-a54e-a1816108e468", "method": "GetObject", "bucket": "yournameh
@evgeniiz321 evgeniiz321 added the bug and triage labels Nov 11, 2023
@evgeniiz321 evgeniiz321 changed the title from "PutObject: incorrect behavior in case of object acl equal to private" to "PutObject: incorrect behavior in case of object acl equals to private" Nov 11, 2023
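
A triage helper for gateway logs in the layout shown in the issue above, added here as an example (not part of the issue or the project's code): it groups requests rejected by the extended ACL check per bucket and object, records which handler step failed, and skips cut-off lines. The sample log is constructed; `b1`, `parse_line`, `eacl_denials` and the other names are chosen for this example.

```python
import json
from collections import defaultdict

EACL_MARKER = "denied by extended ACL check"  # substring of the error text in the log above

def parse_line(line):
    """Split a line into time, level, source, message and the decoded JSON fields."""
    parts = line.split("\t", 4)
    if len(parts) != 5:
        return None
    try:
        fields = json.loads(parts[4])
    except json.JSONDecodeError:
        return None  # cut-off or damaged record
    if not isinstance(fields, dict):
        return None
    return {"time": parts[0], "level": parts[1], "source": parts[2], **fields}

def eacl_denials(log_text):
    """Return ({(bucket, object): [(method, failed step), ...]}, skipped line count)."""
    denials, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        elif rec.get("status") == 403 and EACL_MARKER in str(rec.get("error", "")):
            key = (rec.get("bucket"), rec.get("object"))
            denials[key].append((rec.get("method"), rec.get("description")))
    return dict(denials), skipped

# Constructed sample in the same tab-separated layout; names and values are made up.
DENY = "access denied: rpc error: access to operation GET is denied by extended ACL check"
ERR = "2023-11-11T16:23:52.817Z\terror\thandler/util.go:29\tcall method\t"
def _rec(method, obj, step, error=DENY):
    return ERR + json.dumps({"status": 403, "method": method, "bucket": "b1",
                             "object": obj, "description": step, "error": error})
SAMPLE_LOG = "\n".join([
    "2023-11-11T16:23:50.696Z\tinfo\tapi/router.go:166\tcall method\t"
    '{"status": 200, "method": "PutObject", "bucket": "b1", "object": "foo", "description": "OK"}',
    _rec("GetObject", "foo", "could not find object"),
    _rec("PutObject", "foo", "could not get bucket settings", "couldn't get node: " + DENY),
    _rec("GetObject", "bar", "could not find object"),
    ERR + '{"status": 403, "method": "GetObject", "bucket": "b',  # cut off mid-record
])

if __name__ == "__main__":
    found, skipped = eacl_denials(SAMPLE_LOG)
    for (bucket, obj), hits in found.items():
        print(bucket, obj, hits)
    print("unparsed lines:", skipped)
```

The second element of each tuple is the handler's `description` field, which shows, as in the log above, that a rejected `PutObject` can fail on a GET of bucket settings rather than on the write itself.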
@roman-khimov
Member

Closed because of... what?

@evgeniiz321
Author

This is not a bug. I've misunderstood the correct ACL behavior. The one explained in the above description is actually not correct either. I've opened another issue, #906, with a correct description.

@evgeniiz321 evgeniiz321 added the invalid label and removed the bug and triage labels Nov 13, 2023
@roman-khimov roman-khimov closed this as not planned Nov 13, 2023