#11701 closed defect (fixed)

Copying files requires permission to read bucket ACL

Reported by: duynh33
Owned by: yla
Priority: normal
Milestone: 8.0
Component: s3
Version: 7.9.2
Severity: normal
Keywords: Ceph-S3
Cc:
Architecture:
Platform:

Description

I have one file, file-test.zip, in an S3 bucket, owned by user root. When I access the bucket as a test user and move or rename file-test.zip to a different location, the Cyberduck GUI shows a 403 Forbidden (Access Denied) popup. But if I cancel the popup, file-test.zip may be copied to the destination while the old file is not removed.

I have a bucket policy as below :

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId2",
  "Statement": [
    {
      "Action": "s3:*",
      "Resource": [
        "test-s3/*"
      ],
      "Effect": "Allow",
      "Principal": [
        "testuser",
        "root"
      ],
      "Sid": "Grant full permission user"
    }
  ]
}

https://pasteboard.co/K5wvBm8.jpg

https://pasteboard.co/K5wvRQC.jpg

Attachments (2)

cyberduck.log (908.3 KB) - added by duynh33 on Jun 7, 2021 at 3:47:36 PM.
Log Debug Cyberduck
CyberDuck.zip (122.5 KB) - added by duynh33 on Jun 7, 2021 at 3:48:55 PM.

Change History (13)

comment:1 Changed on Jun 7, 2021 at 4:03:42 PM by duynh33

  • Component changed from core to s3
  • Owner set to dkocher

comment:2 Changed on Jun 8, 2021 at 7:42:13 AM by dkocher

  • Summary changed from Features move and rename files in bucket s3 working not correct - show 403 forbidden to 403 Forbidden failure copying file

Caused by: BackgroundException{class=class ch.cyberduck.core.exception.AccessDeniedException, file=Path{path='/test-s3/file-test.zip', type=[file]}, message='Cannot copy file-test.zip.', detail='Access Denied.', cause='org.apache.http.client.HttpResponseException: status code: 403, reason phrase: Access Denied.'}
        at ch.cyberduck.core.http.HttpResponseExceptionMappingService.map(HttpResponseExceptionMappingService.java:55)
        at ch.cyberduck.core.http.HttpResponseExceptionMappingService.map(HttpResponseExceptionMappingService.java:44)
        at ch.cyberduck.core.s3.S3ExceptionMappingService.map(S3ExceptionMappingService.java:88)
        at ch.cyberduck.core.s3.S3ExceptionMappingService.map(S3ExceptionMappingService.java:39)
        at ch.cyberduck.core.AbstractExceptionMappingService.map(AbstractExceptionMappingService.java:52)
        at ch.cyberduck.core.s3.S3CopyFeature.copy(S3CopyFeature.java:94)
        at ch.cyberduck.core.s3.S3CopyFeature.copy(S3CopyFeature.java:79)
        at ch.cyberduck.core.s3.S3ThresholdCopyFeature.copy(S3ThresholdCopyFeature.java:53)
        at ch.cyberduck.core.s3.S3MoveFeature.move(S3MoveFeature.java:87)
        at ch.cyberduck.core.vault.registry.VaultRegistryMoveFeature.move(VaultRegistryMoveFeature.java:64)
        at ch.cyberduck.core.worker.MoveWorker.run(MoveWorker.java:113)
        at ch.cyberduck.core.worker.MoveWorker.run(MoveWorker.java:56)
        at ch.cyberduck.core.threading.WorkerBackgroundAction.run(WorkerBackgroundAction.java:77)
        at ch.cyberduck.core.threading.SessionBackgroundAction.run(SessionBackgroundAction.java:121)
        at ch.cyberduck.core.threading.SessionBackgroundAction$1.call(SessionBackgroundAction.java:103)
        at ch.cyberduck.core.threading.DefaultRetryCallable.call(DefaultRetryCallable.java:50)
        at ch.cyberduck.core.threading.SessionBackgroundAction.call(SessionBackgroundAction.java:105)
        at ch.cyberduck.core.threading.BackgroundCallable.run(BackgroundCallable.java:94)
        at ch.cyberduck.core.threading.BackgroundCallable.call(BackgroundCallable.java:58)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:618)
        at ch.cyberduck.core.threading.NamedThreadFactory$1.run(NamedThreadFactory.java:59)
        at java.lang.Thread.run(Thread.java:955)

comment:3 Changed on Jun 8, 2021 at 7:51:41 AM by dkocher

The actual copy operation is successful

PUT /test-s3/file-test-123.zip HTTP/1.1
Date: Mon, 07 Jun 2021 15:20:28 GMT
Expect: 100-continue
x-amz-copy-source: /test-s3/file-test.zip
x-amz-metadata-directive: COPY
Authorization: ********
Content-Length: 0
Host: 172.20.2.112:80
Connection: Keep-Alive
User-Agent: Cyberduck/7.9.1.34974 (Windows 10/10.0) (amd64)
 HTTP/1.1 200 OK

but an additional request is made to copy the original ACL

2021-06-07 22:20:28,689 [background-9] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Creating object with a non-canned ACL using REST, so an extra ACL Put is required
2021-06-07 22:20:28,689 [background-9] DEBUG org.jets3t.service.impl.rest.httpclient.RestStorageService - Setting Access Control List for bucketName=test-s3, objectKey=file-test-123.zip

Because of the 403 for PUT /test-s3/test01/file-test.zip?acl= the source file is not deleted.

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>848dc0ec80cdfdd7cd7cd078a4983cdd7d39a02b809201d200355a35a19d7de0</Resource><RequestId>ac1b3fa4:175337bc949:ab5ce:264</RequestId></Error>
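The sequence described in comment:3 (server-side copy succeeds, the follow-up ACL PUT is denied, the source is never deleted) can be picked out of a wire log mechanically. The following is an added example, not part of the ticket or of Cyberduck's code; the trace is constructed and the function names `parse_exchanges` and `audit_moves` are hypothetical.

```python
import re

# Constructed trace shaped like the wire log in comment:3 (not the attached log).
TRACE = """\
PUT /test-s3/file-test-123.zip HTTP/1.1
x-amz-copy-source: /test-s3/file-test.zip
HTTP/1.1 200 OK
PUT /test-s3/file-test-123.zip?acl= HTTP/1.1
HTTP/1.1 403 Forbidden
PUT /test-s3/b.txt HTTP/1.1
x-amz-copy-source: /test-s3/a.txt
HTTP/1.1 200 OK
PUT /test-s3/b.txt?acl= HTTP/1.1
HTTP/1.1 200 OK
DELETE /test-s3/a.txt HTTP/1.1
HTTP/1.1 204 No Content
"""
REQ = re.compile(r"^(GET|PUT|DELETE|HEAD|POST) (\S+) HTTP/1\.[01]$")
RESP = re.compile(r"^\s*HTTP/1\.[01] (\d{3})\b")
COPY_SRC = re.compile(r"^x-amz-copy-source:\s*(\S+)", re.I)

def parse_exchanges(trace):
    """Pair each request line with its copy-source header and status code."""
    out = []
    for line in trace.splitlines():
        if m := REQ.match(line):
            path, _, query = m.group(2).partition("?")
            out.append({"method": m.group(1), "path": path, "query": query,
                        "copy_source": None, "status": None})
        elif out and (m := RESP.match(line)):
            out[-1]["status"] = int(m.group(1))
        elif out and (m := COPY_SRC.match(line)):
            out[-1]["copy_source"] = m.group(1)
    return out

def audit_moves(trace):
    """Report, per successful copy, the ACL PUT status and source deletion."""
    ex, findings = parse_exchanges(trace), []
    ok = lambda e: e["status"] is not None and 200 <= e["status"] < 300
    for i, c in enumerate(ex):
        if c["method"] != "PUT" or not c["copy_source"] or not ok(c):
            continue
        acl = next((e["status"] for e in ex[i + 1:] if e["method"] == "PUT"
                    and (e["path"], e["query"].split("=")[0]) == (c["path"], "acl")), None)
        gone = any(e["method"] == "DELETE" and e["path"] == c["copy_source"]
                   and ok(e) for e in ex[i + 1:])
        findings.append({"source": c["copy_source"], "dest": c["path"], "acl_status": acl,
                         "source_deleted": gone, "verdict": "moved" if gone else "partial"})
    return findings
print(*audit_moves(TRACE), sep="\n")
```

A `partial` verdict with a non-2xx `acl_status` marks an object that now exists twice and whose copy did not inherit the source ACL.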

comment:4 Changed on Jun 8, 2021 at 12:46:08 PM by duynh33

Hi, I have an update for the issue. After the actual copy operation succeeds, we have file-test-123.zip, and the owner permission of the file is testuser.

https://i.ibb.co/LY10N8s/cyberduck-image-03.jpg

It is different from the original file permissions.

https://i.ibb.co/nMb1DRd/cyberduck-image-04.jpg

With the original file, testuser can delete the file.

comment:5 Changed on Jun 8, 2021 at 12:56:18 PM by dkocher

The server is returning the permission error when trying to apply the ACL to the copied file. Not sure if this is a configuration issue with IAM policy attached or a specific issue with Ceph.

comment:6 Changed on Jun 8, 2021 at 1:02:15 PM by duynh33

I will try with s3cmd or different GUI tools and update the info.

comment:7 Changed on Jun 8, 2021 at 3:56:03 PM by duynh33

Hi @dkocher, I have tried using s3cmd to test moving a file in the bucket. As above, the file is copied successfully but not deleted. I have checked and found the problem is with the ACL of the file. With the bucket policy, we can only copy the file as a new file with a new owner permission, and cannot copy the ACL when the permission x-amz-grant-write-acp has not yet been granted.

So, I have more questions about Cyberduck.

  1. How can I edit the default headers and add x-amz-grant-write-acp as a custom header for all object uploads?
  2. Can we remove the step that copies the object's ACL in the move and rename feature of Cyberduck?

comment:8 Changed on Sep 30, 2021 at 2:40:48 PM by dkocher

  • Milestone set to 8.0
  • Status changed from new to assigned

comment:9 Changed on Oct 6, 2021 at 7:08:39 AM by yla

  • Owner changed from dkocher to yla
  • Status changed from assigned to new

comment:10 Changed on Oct 6, 2021 at 10:06:37 AM by dkocher

  • Resolution set to fixed
  • Status changed from new to closed

In r52334. We no longer query the bucket ACL to determine the owner.

comment:11 Changed on Oct 11, 2021 at 12:08:37 PM by dkocher

  • Summary changed from 403 Forbidden failure copying file to Copying files requires permission to read bucket ACL