Description
I have another feature that a customer requested yesterday that it'd be helpful to get some feedback on:
A common problem among their user base is that a user will bind to a bucket, write a bunch of objects, and then decide that they need to tweak the ACL of the bound application from FULL_CONTROL to something more restrictive, e.g. READ_WRITE.
Since OSBA doesn't support changing a binding, I recommended that they unbind/rebind; however, they explained that since this changes the object-user identity, when they rebind, the new user doesn't own any of the objects, leading to temporary inaccessibility until the storage team fixes permissions for them on the back end.
I'd like to get feedback on a couple of options:
- We could allow the user to specify a name for the object-user. Unlike Issue-120 Provide Control over ECS Artifact Naming #123, this would have to be the full object-user-id, since the ACL would only respect an exact username.
- We could create a new process for the broker to optionally update object permissions during a binding operation, similar to Add service-instance reclaim policy to bucket service-settings for deleting of data. #119
I've also been thinking about a way to solve this with group permission settings, but since there can be only one bucket owner I think perhaps that isn't realistic.
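The toy model below is an added illustration of the failure mode and the two proposed remedies; it is not code from the broker project or from the issue author. `Bucket`, `ToyBroker` and the `scenario_*` functions are hypothetical names, and the ECS/S3 ACL semantics are deliberately simplified: reading an object requires an ACL entry for the caller on that object, and the writer of an object gets FULL_CONTROL on it. Under those assumptions the default bind (fresh identity each time) strands the data, a caller-chosen object-user-id (option 1) keeps the existing object ACL entries valid, and a broker-side re-ACL during bind (option 2) grants the new identity access.

```python
"""Toy model of the unbind/rebind ownership problem (hypothetical, not
broker code). ACL semantics are simplified: an object is readable by a
user only if that user has an entry on the object's ACL, and the writer
of an object receives FULL_CONTROL on it at creation time."""
from dataclasses import dataclass, field
import itertools

FULL_CONTROL = "FULL_CONTROL"
READ_WRITE = "READ_WRITE"
READ_GRANTS = {FULL_CONTROL, READ_WRITE, "READ"}


@dataclass
class Bucket:
    name: str
    owner: str                                     # single bucket owner
    bindings: dict = field(default_factory=dict)   # object-user-id -> bucket permission
    objects: dict = field(default_factory=dict)    # key -> {object-user-id: object permission}


class ToyBroker:
    """Bind creates (or reuses) an object-user and records its bucket permission."""

    def __init__(self):
        self._seq = itertools.count(1)

    def bind(self, bucket, permission, object_user=None, reacl_objects=False):
        # Default: a freshly generated identity for every binding.
        # object_user=... models option 1 (caller supplies the full object-user-id);
        # reacl_objects=True models option 2 (broker re-grants existing objects).
        user = object_user or f"{bucket.name}-{next(self._seq)}"
        bucket.bindings[user] = permission
        if reacl_objects:
            for acl in bucket.objects.values():
                acl[user] = permission
        return user

    def unbind(self, bucket, user):
        # The binding goes away, but ACL entries already written onto objects
        # still name the old user-id; that is what strands the data.
        bucket.bindings.pop(user, None)

    def put_object(self, bucket, user, key):
        if bucket.bindings.get(user) not in (FULL_CONTROL, READ_WRITE):
            raise PermissionError(f"{user} may not write to {bucket.name}")
        bucket.objects[key] = {user: FULL_CONTROL}   # writer owns the object

    def can_read(self, bucket, user, key):
        return bucket.objects.get(key, {}).get(user) in READ_GRANTS


def _write_then_rebind(**rebind_kwargs):
    """Bind FULL_CONTROL, write an object, unbind, rebind with READ_WRITE.

    Returns (same_identity, object_still_readable) for the second binding."""
    bucket = Bucket("apps-bucket", owner="broker")
    broker = ToyBroker()
    first = broker.bind(bucket, FULL_CONTROL, object_user=rebind_kwargs.get("object_user"))
    broker.put_object(bucket, first, "report.csv")
    broker.unbind(bucket, first)
    second = broker.bind(bucket, READ_WRITE, **rebind_kwargs)
    return first == second, broker.can_read(bucket, second, "report.csv")


def scenario_default():
    return _write_then_rebind()                      # -> (False, False): new id, data stranded


def scenario_named_user():
    return _write_then_rebind(object_user="app-a")   # -> (True, True): option 1


def scenario_reacl():
    return _write_then_rebind(reacl_objects=True)    # -> (False, True): option 2


if __name__ == "__main__":
    for fn in (scenario_default, scenario_named_user, scenario_reacl):
        print(f"{fn.__name__}: same_id, readable = {fn()}")
```

Option 1 works only because the ACL entries match on the exact object-user-id, which is why the user would have to supply the full id rather than a prefix. Option 2 works with a generated id but has to touch every object's ACL at bind time, so its cost grows with the number of objects already in the bucket.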