
Copying files requires permission to read bucket ACL #11701

Closed
cyberduck opened this issue Jun 7, 2021 · 7 comments

Comments


@cyberduck cyberduck commented Jun 7, 2021

03b88bc created the issue

I have one file, file-test.zip, in an S3 bucket owned by the user root. When I access the bucket as test-user and move or rename file-test.zip to a different location, the Cyberduck GUI shows a popup "403 Forbidden / Access Denied". But if I cancel the popup, file-test.zip is copied to the destination and the old file is not removed.

I have a bucket policy as below:

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId2",
  "Statement": [
    {
      "Action": "s3:*",
      "Resource": [
        "test-s3/*"
      ],
      "Effect": "Allow",
      "Principal": [
        "testuser",
        "root"
      ],
      "Sid": "Grant full permission user"
    }
  ]
}



@cyberduck cyberduck commented Jun 8, 2021

@dkocher commented

Caused by: BackgroundException{class=class ch.cyberduck.core.exception.AccessDeniedException, file=Path{path='/test-s3/file-test.zip', type=[file]}, message='Cannot copy file-test.zip.', detail='Access Denied.', cause='org.apache.http.client.HttpResponseException: status code: 403, reason phrase: Access Denied.'}
        at ch.cyberduck.core.http.HttpResponseExceptionMappingService.map(HttpResponseExceptionMappingService.java:55)
        at ch.cyberduck.core.http.HttpResponseExceptionMappingService.map(HttpResponseExceptionMappingService.java:44)
        at ch.cyberduck.core.s3.S3ExceptionMappingService.map(S3ExceptionMappingService.java:88)
        at ch.cyberduck.core.s3.S3ExceptionMappingService.map(S3ExceptionMappingService.java:39)
        at ch.cyberduck.core.AbstractExceptionMappingService.map(AbstractExceptionMappingService.java:52)
        at ch.cyberduck.core.s3.S3CopyFeature.copy(S3CopyFeature.java:94)
        at ch.cyberduck.core.s3.S3CopyFeature.copy(S3CopyFeature.java:79)
        at ch.cyberduck.core.s3.S3ThresholdCopyFeature.copy(S3ThresholdCopyFeature.java:53)
        at ch.cyberduck.core.s3.S3MoveFeature.move(S3MoveFeature.java:87)
        at ch.cyberduck.core.vault.registry.VaultRegistryMoveFeature.move(VaultRegistryMoveFeature.java:64)
        at ch.cyberduck.core.worker.MoveWorker.run(MoveWorker.java:113)
        at ch.cyberduck.core.worker.MoveWorker.run(MoveWorker.java:56)
        at ch.cyberduck.core.threading.WorkerBackgroundAction.run(WorkerBackgroundAction.java:77)
        at ch.cyberduck.core.threading.SessionBackgroundAction.run(SessionBackgroundAction.java:121)
        at ch.cyberduck.core.threading.SessionBackgroundAction$1.call(SessionBackgroundAction.java:103)
        at ch.cyberduck.core.threading.DefaultRetryCallable.call(DefaultRetryCallable.java:50)
        at ch.cyberduck.core.threading.SessionBackgroundAction.call(SessionBackgroundAction.java:105)
        at ch.cyberduck.core.threading.BackgroundCallable.run(BackgroundCallable.java:94)
        at ch.cyberduck.core.threading.BackgroundCallable.call(BackgroundCallable.java:58)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:618)
        at ch.cyberduck.core.threading.NamedThreadFactory$1.run(NamedThreadFactory.java:59)
        at java.lang.Thread.run(Thread.java:955)



@cyberduck cyberduck commented Jun 8, 2021

@dkocher commented

The actual copy operation is successful

PUT /test-s3/file-test-123.zip HTTP/1.1
Date: Mon, 07 Jun 2021 15:20:28 GMT
Expect: 100-continue
x-amz-copy-source: /test-s3/file-test.zip
x-amz-metadata-directive: COPY
Authorization: ********
Content-Length: 0
Host: 172.20.2.112:80
Connection: Keep-Alive
User-Agent: Cyberduck/7.9.1.34974 (Windows 10/10.0) (amd64)
 HTTP/1.1 200 OK

but an additional request is made to copy the original ACL

2021-06-07 22:20:28,689 [background-9] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Creating object with a non-canned ACL using REST, so an extra ACL Put is required
2021-06-07 22:20:28,689 [background-9] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Setting Access Control List for bucketName=test-s3, objectKey=file-test-123.zip

Because of the 403 for PUT /test-s3/test01/file-test.zip?acl= the source file is not deleted.

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>848dc0ec80cdfdd7cd7cd078a4983cdd7d39a02b809201d200355a35a19d7de0</Resource><RequestId>ac1b3fa4:175337bc949:ab5ce:264</RequestId></Error>

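The two-step move described in the comment above (a server-side copy PUT that succeeds, then a PUT on `?acl=` that is denied, so the source is never deleted) leaves a bucket with two objects that have different owners. The following is an added example, not Cyberduck's own code: it walks a constructed client request trace shaped like that exchange and reports every move left in that half-finished state. The `Request` record and the sample trace are assumptions made for the example.

```python
"""Find moves whose copy succeeded but whose ACL replication was denied
and whose source object was never deleted (the failure mode in this issue).
The trace below is constructed for the example; it is not a Cyberduck log."""
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str                      # e.g. "/test-s3/file-test-123.zip?acl="
    status: int
    headers: dict = field(default_factory=dict)


# Constructed sample trace: first move is the one from the issue (copy 200,
# ACL put 403, no DELETE); second move completes all three steps.
SAMPLE_TRACE = [
    Request("PUT", "/test-s3/file-test-123.zip", 200,
            {"x-amz-copy-source": "/test-s3/file-test.zip",
             "x-amz-metadata-directive": "COPY"}),
    Request("PUT", "/test-s3/file-test-123.zip?acl=", 403),
    Request("PUT", "/test-s3/report-2.zip", 200,
            {"x-amz-copy-source": "/test-s3/report.zip"}),
    Request("PUT", "/test-s3/report-2.zip?acl=", 200),
    Request("DELETE", "/test-s3/report.zip", 204),
]


def find_orphaned_moves(trace):
    """Return sorted (source, destination) pairs where the server-side copy
    returned 2xx, the follow-up ACL PUT on the destination returned 403,
    and the source key was never successfully deleted."""
    copies = {}        # destination key -> source key (from x-amz-copy-source)
    acl_denied = set()
    deleted = set()
    for r in trace:
        key, _, query = r.path.partition("?")
        ok = 200 <= r.status < 300
        if r.method == "PUT" and "x-amz-copy-source" in r.headers and ok:
            copies[key] = r.headers["x-amz-copy-source"]
        elif r.method == "PUT" and query.startswith("acl") and r.status == 403:
            acl_denied.add(key)
        elif r.method == "DELETE" and ok:
            deleted.add(key)
    return sorted((src, dst) for dst, src in copies.items()
                  if dst in acl_denied and src not in deleted)


if __name__ == "__main__":
    for src, dst in find_orphaned_moves(SAMPLE_TRACE):
        print(f"orphaned move: {src} -> {dst} (ACL put denied, source kept)")
```

Each reported pair is a candidate for manual reconciliation: the destination object exists with the caller as owner while the source still carries the original owner's ACL.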


@cyberduck cyberduck commented Jun 8, 2021

03b88bc commented

Hi, I have an update for the issue. After the actual copy operation succeeds, we have file-test-123.zip whose owner in the permission info is testuser.


It is different from the original file's permissions.


With the original file, testuser can delete the file.



@cyberduck cyberduck commented Jun 8, 2021

@dkocher commented

The server is returning the permission error when trying to apply the ACL to the copied file. Not sure if this is a configuration issue with IAM policy attached or a specific issue with Ceph.



@cyberduck cyberduck commented Jun 8, 2021

03b88bc commented

I will try with s3cmd or different GUI tools and update the info.



@cyberduck cyberduck commented Jun 8, 2021

03b88bc commented

Hi @dkocher, I have tried using the s3cmd tool to test moving a file in the bucket. It is like above: the file is copied successfully but not deleted. I have checked and found the problem is in the ACL of the file. With the bucket policy, we can only copy the file as a new object with a new owner permission, and cannot copy the ACL when the x-amz-grant-write-acp permission has not yet been granted.

So, I have more questions about the Cyberduck tool.

  1. How can I edit the default headers and add x-amz-grant-write-acp as a custom header for all object uploads?
  2. Can we remove the step that copies the ACL of the object file in the move and rename feature of Cyberduck?



@cyberduck cyberduck commented Oct 6, 2021

@dkocher commented

In 9160dfa we no longer query the bucket ACL to determine the owner.


@cyberduck cyberduck closed this Oct 6, 2021
@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 27, 2021
AliveDevil pushed a commit to AliveDevil/cyberduck that referenced this issue Nov 30, 2021
…e need to query the bucket ACL which could have a different owner and might not be allowed by the IAM policy. Fix iterate-ch#11701.
AliveDevil pushed a commit to AliveDevil/cyberduck that referenced this issue Nov 30, 2021
…D-14754 to master

* commit 'bf2c099a8103b0001f3ecc74821178561c8cf640':
  Review.
  Introduce a dedicated grantee type to store the ACL owner to avoid the need to query the bucket ACL which could have a different owner and might not be allowed by the IAM policy. Fix iterate-ch#11701.