Backups to Google Cloud Storage are accessible over the Internet

[EdgarHarutyunyan02]

Having the Google Cloud integration enabled and doing backup on ControlPanel tries to put objects in the bucket with allUsers object level permission.

Tried different setups, didn't work.

• Cloud Storage Bucket with Public Access Prevention enabled - Failed with the following error.

  Google.Apis.Requests.RequestError The member bindings allUsers and allAuthenticatedUsers are not allowed since public access prevention is enforced. [412] Errors [ Message[The member bindings allUsers and allAuthenticatedUsers are not allowed since public access prevention is enforced.] Location[If-Match - header] Reason[conditionNotMet] Domain[global] ]

• Cloud Storage Bucket with Uniform Access Control and Public Access Prevention enabled - Failed with the following error.

  Google.Apis.Requests.RequestError Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access [400] Errors [ Message[Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access] Location[ - ] Reason[invalid] Domain[global] ]

The only way it works is to disable the Public Access prevention on the bucket and have Fine Grained Access Control enabled, but this results in objects being accessible over the Internet, which is not secure.

Suggesting to remove the allUsers and allAuthenticatedUsers object level permissions if there is one in the object ACL when OnlyOffice tries to upload the image to the bucket.

My Setup

• OnlyOffice Community Server - v12.5.2.1848
• Control panel - v3.5.0.516
• Document Server - v7.5.1.1

[Carazyda]

Hello @EdgarHarutyunyan02 Yes, we have this problem. At this point, I cannot provide you with any other option other than to disable Prevent Public Access. We will try to fix this in future versions.