
#11701 closed defect (fixed)

Copying files requires permission to read bucket ACL

Reported by: duynh33 Owned by: yla
Priority: normal Milestone: 8.0
Component: s3 Version: 7.9.2
Severity: normal Keywords: Ceph-S3
Cc: Architecture:


I have one S3 bucket owned by the user root. When I use a test user to access the bucket and move or rename a file to a different location, the Cyberduck GUI shows a 403 Forbidden "Access Denied" popup. But if I cancel the popup, the file may have been copied to the destination while the old file is not removed.

I have a bucket policy as below:

  "Version": "2012-10-17",
  "Id": "S3PolicyId2",
  "Statement": [
      "Action": "s3:*",
      "Resource": [
      "Effect": "Allow",
      "Principal": [
      "Sid": "Grant full permission user"

Attachments (2)

cyberduck.log (908.3 KB) - added by duynh33 on Jun 7, 2021 at 3:47:36 PM.
Log Debug Cyberduck (122.5 KB) - added by duynh33 on Jun 7, 2021 at 3:48:55 PM.


Change History (13)

Changed on Jun 7, 2021 at 3:47:36 PM by duynh33

Log Debug Cyberduck

Changed on Jun 7, 2021 at 3:48:55 PM by duynh33

comment:1 Changed on Jun 7, 2021 at 4:03:42 PM by duynh33

  • Component changed from core to s3
  • Owner set to dkocher

comment:2 Changed on Jun 8, 2021 at 7:42:13 AM by dkocher

  • Summary changed from Features move and rename files in bucket s3 working not correct - show 403 forbidden to 403 Forbidden failure copying file

Caused by: BackgroundException{class=class ch.cyberduck.core.exception.AccessDeniedException, file=Path{path='/test-s3/', type=[file]}, message='Cannot copy', detail='Access Denied.', cause='org.apache.http.client.HttpResponseException: status code: 403, reason phrase: Access Denied.'}
        at
        at
        at
        at
        at
        at ch.cyberduck.core.s3.S3CopyFeature.copy(
        at ch.cyberduck.core.s3.S3CopyFeature.copy(
        at ch.cyberduck.core.s3.S3ThresholdCopyFeature.copy(
        at ch.cyberduck.core.s3.S3MoveFeature.move(
        at ch.cyberduck.core.vault.registry.VaultRegistryMoveFeature.move(
        at
        at
        at
        at
        at ch.cyberduck.core.threading.SessionBackgroundAction$
        at
        at
        at
        at
        at
        at java.util.concurrent.ThreadPoolExecutor.runWorker(
        at java.util.concurrent.ThreadPoolExecutor$
        at ch.cyberduck.core.threading.NamedThreadFactory$
        at

comment:3 Changed on Jun 8, 2021 at 7:51:41 AM by dkocher

The actual copy operation is successful

PUT /test-s3/ HTTP/1.1
Date: Mon, 07 Jun 2021 15:20:28 GMT
Expect: 100-continue
x-amz-copy-source: /test-s3/
x-amz-metadata-directive: COPY
Authorization: ********
Content-Length: 0
Connection: Keep-Alive
User-Agent: Cyberduck/ (Windows 10/10.0) (amd64)
 HTTP/1.1 200 OK

but an additional request is made to copy the original ACL

2021-06-07 22:20:28,689 [background-9] DEBUG - Creating object with a non-canned ACL using REST, so an extra ACL Put is required
2021-06-07 22:20:28,689 [background-9] DEBUG - Setting Access Control List for bucketName=test-s3,

Because of the 403 for PUT /test-s3/test01/ the source file is not deleted.

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>848dc0ec80cdfdd7cd7cd078a4983cdd7d39a02b809201d200355a35a19d7de0</Resource><RequestId>ac1b3fa4:175337bc949:ab5ce:264</RequestId></Error>
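The sequence described in comment 3, as an added example that is not part of the ticket and is not Cyberduck's code or its fix: a move built from copy, ACL put and delete stops before the delete when the ACL put returns 403, leaving both objects in place. `FakeBucket`, the object keys and the `acl_required` switch are constructed for illustration; the non-strict path is one possible handling that reports the lost ACL instead of aborting.

```python
class AccessDenied(Exception):
    pass

class FakeBucket:
    """Constructed in-memory model of a bucket; `denied` lists the calls the server rejects."""
    def __init__(self, denied):
        self.denied = set(denied)
        self.objects = {}   # key -> {"owner": str, "acl": dict}
        self.log = []       # (operation, key, HTTP status)

    def _call(self, op, key):
        status = 403 if op in self.denied else 200
        self.log.append((op, key, status))
        if status == 403:
            raise AccessDenied(f"{op} {key}")

    def copy(self, src, dst, caller):
        self._call("CopyObject", dst)
        # The copy is a new object owned by the caller, not by the source's owner.
        self.objects[dst] = {"owner": caller, "acl": {caller: "FULL_CONTROL"}}

    def put_acl(self, key, acl):
        self._call("PutObjectAcl", key)
        self.objects[key]["acl"] = dict(acl)

    def delete(self, key):
        self._call("DeleteObject", key)
        del self.objects[key]

def move(bucket, src, dst, caller, acl_required=True):
    """Move = copy + ACL put + delete. Returns True if the source ACL was preserved."""
    src_acl = bucket.objects[src]["acl"]
    bucket.copy(src, dst, caller)
    preserved = True
    try:
        bucket.put_acl(dst, src_acl)
    except AccessDenied:
        if acl_required:
            raise            # source is never deleted: both objects remain
        preserved = False    # report the ACL change instead of aborting
    bucket.delete(src)
    return preserved

def demo(acl_required):
    # Constructed scenario: the server allows copy and delete but rejects the ACL put.
    b = FakeBucket(denied={"PutObjectAcl"})
    b.objects["test01/a.txt"] = {"owner": "root", "acl": {"root": "FULL_CONTROL"}}
    try:
        result = move(b, "test01/a.txt", "test02/a.txt", "testuser", acl_required)
    except AccessDenied:
        result = "aborted"
    return result, sorted(b.objects), [status for _, _, status in b.log]
```

In the non-strict run the copy ends up owned by `testuser` with a default ACL, so a caller that takes this path should surface the `False` return to the user rather than discard it.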

comment:4 Changed on Jun 8, 2021 at 12:46:08 PM by duynh33

Hi, I have an update for the issue. After the actual copy operation is successful, the info shows that the owner permission of the file is testuser.

It is different from the original file permissions.

With the original file, testuser can delete the file.


comment:5 Changed on Jun 8, 2021 at 12:56:18 PM by dkocher

The server is returning the permission error when trying to apply the ACL to the copied file. Not sure if this is a configuration issue with IAM policy attached or a specific issue with Ceph.

comment:6 Changed on Jun 8, 2021 at 1:02:15 PM by duynh33

I will try with s3cmd or different GUI tools and update the info.

comment:7 Changed on Jun 8, 2021 at 3:56:03 PM by duynh33

Hi @dkocher, I have tried using s3cmd to test moving a file on the bucket. It behaves like above: the file copy is successful but the source is not deleted. I have checked and found the problem in the ACL of the file. With the bucket policy, we can only copy the file as a new file with a new owner permission, and cannot copy the ACL when the x-amz-grant-write-acp permission has not yet been granted.

So, I have more questions about Cyberduck.

  1. How can I edit the default headers and add x-amz-grant-write-acp as a custom header for all object uploads?
  2. Can we remove the step that copies the ACL of the object in the move and rename features of Cyberduck?

comment:8 Changed on Sep 30, 2021 at 2:40:48 PM by dkocher

  • Milestone set to 8.0
  • Status changed from new to assigned

comment:9 Changed on Oct 6, 2021 at 7:08:39 AM by yla

  • Owner changed from dkocher to yla
  • Status changed from assigned to new

comment:10 Changed on Oct 6, 2021 at 10:06:37 AM by dkocher

  • Resolution set to fixed
  • Status changed from new to closed

In r52334. We no longer query the bucket ACL to determine the owner.

comment:11 Changed on Oct 11, 2021 at 12:08:37 PM by dkocher

  • Summary changed from 403 Forbidden failure copying file to Copying files requires permission to read bucket ACL