
#5711 closed enhancement (fixed)

Change default ACL to inherit

Reported by: Decker Jesse
Owned by: dkocher
Priority: normal
Milestone: 4.4
Component: s3
Version: Nightly Build
Severity: minor
Keywords: acl, permissions, default
Cc:
Architecture: Intel
Platform: Mac OS X 10.6

Description (last modified by Decker Jesse)

According to the Default ACLs in Cyberduck's FAQ, if you have a default ACL specified in preferences, it will be applied to all uploaded files. However, if you turn this feature OFF, aka. uncheck the box "Change Permissions" under Preferences >> Transfers tab >> Permissions tab >> Uploads section >> Change Permissions, the ACL that is applied is [Owner: FULL_CONTROL] only.

This behavior has been confirmed on 3.8 and current nightly build.

Private CloudFront distributions require special access, including a custom ACL. I would argue the better way would be to have the default be to apply an inherited ACL when the box is unchecked. This would eliminate the need to add a new user to the affected files after every upload.

Additionally, the functionality of forcing the upload to have [Owner: FULL_CONTROL] only would still be intact by enabling that checkbox and customizing the permissions.

On a side note, we use your software every day at work -- great stuff! Thank you so much!

Change History (6)

comment:1 Changed on Feb 19, 2011 at 7:37:29 PM by Decker Jesse

  • Description modified (diff)

comment:2 in reply to: ↑ description ; follow-up: Changed on Feb 20, 2011 at 3:25:59 PM by dkocher

Replying to Decker Jesse:

Private CloudFront distributions require special access, including a custom ACL. I would argue the better way would be to have the default be to apply an inherited ACL when the box is unchecked. This would eliminate the need to add a new user to the affected files after every upload.

Do you suggest the ACL should be inherited from the bucket?

comment:3 in reply to: ↑ 2 ; follow-up: Changed on Feb 20, 2011 at 5:37:03 PM by Decker Jesse

Replying to dkocher:

Do you suggest the ACL should be inherited from the bucket?

Yessir. Thanks for clarifying.

comment:4 in reply to: ↑ 3 Changed on Feb 27, 2011 at 10:35:29 AM by dkocher

Replying to Decker Jesse:

Replying to dkocher:

Do you suggest the ACL should be inherited from the bucket?

Yessir. Thanks for clarifying.

The issue here is that the semantics for ACLs on the bucket are not the same for the same ACL on an object in the bucket. Not sure if such a policy to copy the ACL from the bucket would always lead to the desired result.

comment:5 Changed on Feb 27, 2011 at 10:38:17 AM by dkocher

Wouldn't it be possible for this use case to apply a bucket policy? Refer to Granting Permission, Using Canonical ID, to a CloudFront Origin Identify.
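Added example, not part of the ticket thread or of Cyberduck: a bucket policy of the kind comment 5 points to, granting a CloudFront origin access identity read access to every object in the bucket so that no per-object ACL grant is needed after each upload. `EXAMPLE-BUCKET` and `EXAMPLE_CANONICAL_USER_ID` are placeholders for the bucket name and the identity's S3 canonical user ID, and the `Id` and `Sid` labels are arbitrary.

```json
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "ExampleGrantOriginAccessIdentityRead",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "EXAMPLE_CANONICAL_USER_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

The statement is scoped to `s3:GetObject` on object keys only, so the identity cannot list, write, or change permissions, and uploaded objects can keep an owner-only ACL.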

comment:6 Changed on Jul 23, 2013 at 2:58:42 PM by dkocher

  • Milestone set to 4.4
  • Resolution set to fixed
  • Status changed from new to closed

In r12213. The ACL is only explicitly set if Change Permissions is checked in Preferences → Upload.
