Copying files requires permission to read bucket ACL

[cyberduck]

03b88bc created the issue

I have 1 file-test.zip on bucket S3 with owner user root. When I use one test-user access to the bucket, move or rename file-test.zip to a different location, Cyberduck GUI shows popup 403 forbidden access denied. But if I cancel the popup then file-test.zip may be copied to the destination and not remove the file old.

I have a bucket policy as below :

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId2",
  "Statement": [
    {
      "Action": "s3:*",
      "Resource": [
        "test-s3/*"
      ],
      "Effect": "Allow",
      "Principal": [
        "testuser",
        "root"
      ],
      "Sid": "Grant full permission user"
    }
  ]
}

---

Attachments

• CyberDuck.zip (122.5 KiB)
• cyberduck.log (908.3 KiB)

[cyberduck]

@dkocher commented

Caused by: BackgroundException{class=class ch.cyberduck.core.exception.AccessDeniedException, file=Path{path='/test-s3/file-test.zip', type=[file]}, message='Cannot copy file-test.zip.', detail='Access Denied.', cause='org.apache.http.client.HttpResponseException: status code: 403, reason phrase: Access Denied.'}
5279	        at ch.cyberduck.core.http.HttpResponseExceptionMappingService.map(HttpResponseExceptionMappingService.java:55)
5280	        at ch.cyberduck.core.http.HttpResponseExceptionMappingService.map(HttpResponseExceptionMappingService.java:44)
5281	        at ch.cyberduck.core.s3.S3ExceptionMappingService.map(S3ExceptionMappingService.java:88)
5282	        at ch.cyberduck.core.s3.S3ExceptionMappingService.map(S3ExceptionMappingService.java:39)
5283	        at ch.cyberduck.core.AbstractExceptionMappingService.map(AbstractExceptionMappingService.java:52)
5284	        at ch.cyberduck.core.s3.S3CopyFeature.copy(S3CopyFeature.java:94)
5285	        at ch.cyberduck.core.s3.S3CopyFeature.copy(S3CopyFeature.java:79)
5286	        at ch.cyberduck.core.s3.S3ThresholdCopyFeature.copy(S3ThresholdCopyFeature.java:53)
5287	        at ch.cyberduck.core.s3.S3MoveFeature.move(S3MoveFeature.java:87)
5288	        at ch.cyberduck.core.vault.registry.VaultRegistryMoveFeature.move(VaultRegistryMoveFeature.java:64)
5289	        at ch.cyberduck.core.worker.MoveWorker.run(MoveWorker.java:113)
5290	        at ch.cyberduck.core.worker.MoveWorker.run(MoveWorker.java:56)
5291	        at ch.cyberduck.core.threading.WorkerBackgroundAction.run(WorkerBackgroundAction.java:77)
5292	        at ch.cyberduck.core.threading.SessionBackgroundAction.run(SessionBackgroundAction.java:121)
5293	        at ch.cyberduck.core.threading.SessionBackgroundAction$1.call(SessionBackgroundAction.java:103)
5294	        at ch.cyberduck.core.threading.DefaultRetryCallable.call(DefaultRetryCallable.java:50)
5295	        at ch.cyberduck.core.threading.SessionBackgroundAction.call(SessionBackgroundAction.java:105)
5296	        at ch.cyberduck.core.threading.BackgroundCallable.run(BackgroundCallable.java:94)
5297	        at ch.cyberduck.core.threading.BackgroundCallable.call(BackgroundCallable.java:58)
5298	        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
5299	        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
5300	        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:618)
5301	        at ch.cyberduck.core.threading.NamedThreadFactory$1.run(NamedThreadFactory.java:59)
5302	        at java.lang.Thread.run(Thread.java:955)

[cyberduck]

@dkocher commented

The actual copy operation is successful

PUT /test-s3/file-test-123.zip HTTP/1.1
Date: Mon, 07 Jun 2021 15:20:28 GMT
Expect: 100-continue
x-amz-copy-source: /test-s3/file-test.zip
x-amz-metadata-directive: COPY
Authorization: ********
Content-Length: 0
Host: 172.20.2.112:80
Connection: Keep-Alive
User-Agent: Cyberduck/7.9.1.34974 (Windows 10/10.0) (amd64)
 HTTP/1.1 200 OK

but an additional request is made to copy the original ACL

2021-06-07 22:20:28,689 [background-9] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Creating object with a non-canned ACL using REST, so an extra ACL Put is required
3347	2021-06-07 22:20:28,689 [background-9] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Setting Access Control List for bucketName=test-s3, objectKey=file-test-123.zip

Because of the 403 for PUT /test-s3/test01/file-test.zip?acl= the source file is not deleted.

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>848dc0ec80cdfdd7cd7cd078a4983cdd7d39a02b809201d200355a35a19d7de0</Resource><RequestId>ac1b3fa4:175337bc949:ab5ce:264</RequestId></Error>

[cyberduck]

03b88bc commented

Hi, I have update for issue. After The actual copy operation is successful, we have file-test-123.zip with info owner permission of file is testuser.

It is different from the original file permissions

With the original file, testuser can delete file

[cyberduck]

@dkocher commented

The server is returning the permission error when trying to apply the ACL to the copied file. Not sure if this is a configuration issue with IAM policy attached or a specific issue with Ceph.

[cyberduck]

03b88bc commented

I will try with s3cmd or GUI tools different and update info

[cyberduck]

03b88bc commented

Hi @dkocher, I have try use tools s3cmd testing move file on bucket. And it like above, file copy successful but not deleted. I have check and detect problem on ACL of file. With bucket policy, we have only copy file new with owner permission new and can not copy ACL when not yet
grant permission x-amz-grant-write-acp.

So, I have more question for tools cyberduck.

1. How can edit default header and add x-amz-grant-write-acp in custom header for all object upload ?
2. we have remove progress copy acl the object file in feature move and rename of cyberduck ?

[cyberduck]

@dkocher commented

In 9160dfa. We no longer query the bucket ACL to determine the owner.