New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
object acl implementation? #4496
Comments
We will not be implementing Object ACL's @terion-name - bucket policies are the right style to do this with a much more fine grained approach. Bucket policies can be used to set policies on prefixes not just top level buckets where you can filter the necessary API calls as well say you can have prefixes like these bucket/2017/outgoing -- can be set to allow calls like GetObject(), HeadObject() (allows only reads) This is the most common requirement which is provided by bucket policies, with more control over API calls themselves. ACLs on the other hand are complex and metadata heavy (which in-turn makes your server unreliable) and as a functionality do not provide nicer set of requirements like bucket policies. |
@harshavardhana prefixes do not cover object acl. If I need to have two files — one private and one public in the same directory (example: user files |
You should structure your prefixes properly in that sense, where
From our end we are not going to implement Object ACLs anytime in near future. |
@harshavardhana hm. and what prefix should be for this case? The {id} is dynamic, obviously. Set a bucket policy for each user? |
It would be like this {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Principal": {
"AWS": [
"*"
]
},
"Resource": [
"arn:aws:s3:::testbucket/user/*/files/public/*"
],
"Sid": ""
}
]
}
There are two types of key matches are allowed in bucket policies one is Now if you have this in your Resource
then the policies will match
Here the user is Now if you have this in your Resource
then the policies will match
Here the user is
then the policies will match
|
@harshavardhana this is very important information you wrote here, thank you, but it can't be found in docs under policy section. Please, add this to the docs. |
We will improve policy in the new UX. |
Is it possible to revisit this? The object ACLs are useful for using Minio as a runtime storage for temporarily allowing different users to upload object(by having a secure random path in the key). Since with pre-signed, multipart gets tricky with SDKs. Having assume role is another option. After thinking around how to implement the use case for a while, I had an epiphany that actually having either object ACL/assume role, makes it possible to implement this use case easily. From users point of view Object ACLs are easier, assume role is more secure to some extent. I'm not sure about the complexity that it adds on Minio implementation though. |
Object ACLs are more complex to implement and in AWS S3 it's a legacy way to provide access we will not be implementing ACLs. Instead AssumeRole API is a better alternative. |
What happens if you want to access an object created by an role from a different account? I got the following situation:
The default ACL is private. It means objects created by an entity assuming the |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Documentation says:
But bucket policies do not cover ObjectACL functionality at all. It is a common task to have public and private files in a single bucket.
Any plans of implementing this functionality, or recommended workarounds?
The text was updated successfully, but these errors were encountered: