Skip to content
This repository has been archived by the owner on Jan 25, 2022. It is now read-only.

Missing Bucket ACL READ grant, prevents using java jclouds S3 client #18

Closed
poblin-orange opened this issue Dec 5, 2014 · 4 comments
Closed

Missing Bucket ACL READ grant, prevents using java jclouds S3 client #18

poblin-orange opened this issue Dec 5, 2014 · 4 comments

Comments

@poblin-orange
Copy link

I am trying to leverage the apache jclouds blobstore lib to access RiakCS service instance (http://jclouds.apache.org/guides/aws/).

I had to tweak 3 properties on the BlobStoreContext to adapt to RiakCS S3 API
PROPERTY_TRUST_ALL_CERTS : true
PROPERTY_RELAX_HOSTNAME : true
PROPERTY_S3_VIRTUAL_HOST_BUCKETS : false

I can successfully connect, and list bucket content, but experience errors for creating blobs or directory.
The jclouds lib tries first to read the ACL of the bucket, which is denied for the service binding authKey.

2014-12-05 19:00:18,534 DEBUG [main] jclouds.headers(56) - >> GET https://p-riakcs.xxx.xxx.fr/service-instance-a8327d5a-8e80-491a-b6c0-b9ed67cca31f?acl HTTP/1.1
2014-12-05 19:00:18,544 DEBUG [main] jclouds.headers(56) - >> Date: Fri, 05 Dec 2014 18:00:16 GMT
2014-12-05 19:00:18,547 DEBUG [main] jclouds.headers(56) - >> Authorization: AWS 4ZO-BKDBAA5A1BQGIQTQ:NN5UxB2zCmWpKuAcmBTExHx5gsE=
2014-12-05 19:00:18,687 DEBUG [main] jclouds.headers(56) - << HTTP/1.1 403 Forbidden
2014-12-05 19:00:18,688 DEBUG [main] jclouds.headers(56) - << X-Cf-Requestid: b67cc89f-86a7-4823-72de-07150d6b9595
2014-12-05 19:00:18,688 DEBUG [main] jclouds.headers(56) - << Date: Fri, 05 Dec 2014 18:00:18 GMT
2014-12-05 19:00:18,689 DEBUG [main] jclouds.headers(56) - << Server: Riak CS
2014-12-05 19:00:18,689 DEBUG [main] jclouds.headers(56) - << Content-Type: application/xml
2014-12-05 19:00:18,690 DEBUG [main] jclouds.headers(56) - << Content-Length: 208
2014-12-05 19:00:18,690 DEBUG [main] jclouds.wire(56) - << "AccessDeniedAccess Denied/service-instance-a8327d5a-8e80-491a-b6c0-b9ed67cca31f"

Is there a security reason not to grant this bucket acl read right ?
@cf-gitbot
Copy link

We have created an issue in Pivotal Tracker to manage this. You can view the current status of your issue at: https://www.pivotaltracker.com/story/show/84029152.

@shalako
Copy link
Contributor

shalako commented Dec 18, 2014

It seems reasonable that the authkey created for a binding should be able to read the acl of the bucket. We'll investigate. Thank you for bringing this to our attention.

@VenkateshSub
Copy link

Just noticed this issue. We faced this one as well. I fixed it and tested. The pull request is here.

cloudfoundry-attic/cf-riak-cs-broker#2

@karlkfi
Copy link
Contributor

karlkfi commented Feb 24, 2015

Closing this issue, moving discussion to cloudfoundry-attic/cf-riak-cs-broker#2

@karlkfi karlkfi closed this as completed Feb 24, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@shalako @VenkateshSub @karlkfi @poblin-orange @cf-gitbot