basho / riak_cs

Riak CS is simple, available cloud storage built on Riak.
http://docs.basho.com/riakcs/latest/
Apache License 2.0

s3curl PUT ACL AccessDenied error #1345

Open JMLX42 opened 6 years ago

JMLX42 commented 6 years ago

Hi,

here is what I get when I fetch the ACL:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
  <Owner>
    <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
    <DisplayName>admin</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
        <DisplayName>admin</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>4efbf4ac1c9fdf6a143e1e189f82ef95bb374f9dff57805d98804f016962a246</ID>
        <DisplayName>view3dmodel</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>def0727c272dee6ac831b4a2cdb0e55255a41154daf07866c6acb8f4d0b422a1</ID>
        <DisplayName>cto</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

As a test, I'm trying to set the exact same ACL on the same object.

read -d '' ACL << EOF
<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
  <Owner>
    <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
    <DisplayName>admin</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
        <DisplayName>admin</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>4efbf4ac1c9fdf6a143e1e189f82ef95bb374f9dff57805d98804f016962a246</ID>
        <DisplayName>view3dmodel</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>def0727c272dee6ac831b4a2cdb0e55255a41154daf07866c6acb8f4d0b422a1</ID>
        <DisplayName>cto</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
EOF

echo "$ACL" | ./s3curl.pl --id=admin -- -s -v -x localhost:8010 -H "Content-Type:application/xml" -X PUT -d @- http://s3.amazonaws.com/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene

Here is what I get:

* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8010 (#0)
> PUT http://s3.amazonaws.com/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene?acl HTTP/1.1
> User-Agent: curl/7.35.0
> Host: s3.amazonaws.com
> Accept: */*
> Proxy-Connection: Keep-Alive
> Date: Mon, 27 Nov 2017 10:18:35 GMT
> Authorization: AWS 8UO4SWEIWT4TYULJAEO5:QCJ2WtreVWPUy7qczq4GlpNduT0=
> Content-Type:application/xml
> Content-Length: 1151
> Expect: 100-continue
> 
< HTTP/1.1 403 Forbidden
* Server Riak CS is not blacklisted
< Server: Riak CS
< Date: Mon, 27 Nov 2017 10:18:35 GMT
< Content-Type: application/xml
< Content-Length: 212
* HTTP error before end of send, stop sending
< 
{ [data not shown]
* Closing connection 0
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <Resource>/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene</Resource>
  <RequestId/>
</Error>

Why AccessDenied when admin has FULL_CONTROL?

JMLX42 commented 6 years ago

Forgot to mention admin also has FULL_CONTROL on the bucket:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
  <Owner>
    <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
    <DisplayName>admin</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
        <DisplayName>admin</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>4efbf4ac1c9fdf6a143e1e189f82ef95bb374f9dff57805d98804f016962a246</ID>
        <DisplayName>view3dmodel</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

JMLX42 commented 6 years ago

Here are the logs:

127.0.0.1 - - [27/Nov/2017:11:18:35 +0100] "PUT /buckets/4efbf4ac1c9fdf6a/objects/J34%2FJ34Lot%2FJ34Lot2xx%2FJ34Lot227.vue.scene/acl HTTP/1.1" 403 212 "" "curl/7.35.0"

ksauzz commented 6 years ago

Hi,

How about using s3curl.pl --put <filename> --contentType application/xml ? A complete command could be:

./s3curl.pl --id=admin --put <your xml file path> --contentType application/xml -- -s -v -x localhost:8010 http://s3.amazonaws.com/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene

IIRC, s3curl.pl requires the --put|--delete|--post and --contentType options to be given explicitly so that it can calculate a correct AWS Authentication Version 2 signature when using HTTP methods other than GET.

Command samples are here.
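To make concrete why those s3curl options matter, here is an added Python example (it is not code from the riak_cs project or from this thread) that builds the AWS Signature Version 2 StringToSign for the PUT ?acl request above and checks it the way a server would, by recomputing the signature over the request as actually received. It assumes, following ksauzz's description, that a client which is not told about the PUT method and the Content-Type signs as though the request were a plain GET with an empty Content-Type; the access key, the secret and the helper names are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed credentials for this example only (not the ones from the issue).
ACCESS_KEY_ID = "AKIDEXAMPLE0000000000"
SECRET_KEY = "constructed-secret-key-do-not-reuse"

# Values taken from the request in the issue: the Date header and the
# path-style resource including the ?acl sub-resource.
DATE = "Mon, 27 Nov 2017 10:18:35 GMT"
RESOURCE = "/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene?acl"


def string_to_sign(method, content_type, date, canonical_resource,
                   content_md5="", amz_headers=None):
    """Build the S3 Signature Version 2 StringToSign:
    verb, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers
    (lower-cased, sorted, one per line) and the canonicalized resource."""
    amz_headers = amz_headers or {}
    canon_amz = "".join(
        f"{name.lower()}:{value.strip()}\n"
        for name, value in sorted(amz_headers.items(),
                                  key=lambda kv: kv[0].lower()))
    return (f"{method}\n{content_md5}\n{content_type}\n{date}\n"
            f"{canon_amz}{canonical_resource}")


def sign_v2(secret, sts):
    """Signature = Base64(HMAC-SHA1(secret, StringToSign))."""
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(access_key, secret, sts):
    """Value of the Authorization header for Auth V2: 'AWS <id>:<sig>'."""
    return f"AWS {access_key}:{sign_v2(secret, sts)}"


def server_accepts(request, secret, auth_header):
    """Server side: recompute the signature over the request that was
    actually received (its real method and Content-Type) and compare it in
    constant time with what the client sent. Any field the client signed
    differently makes the comparison fail."""
    sts = string_to_sign(request["method"], request["content_type"],
                         request["date"], request["resource"])
    expected = authorization_header(request["access_key"], secret, sts)
    return hmac.compare_digest(expected, auth_header)


def put_acl_request():
    """The PUT ?acl request as the server sees it on the wire."""
    return {"access_key": ACCESS_KEY_ID, "method": "PUT",
            "content_type": "application/xml", "date": DATE,
            "resource": RESOURCE}


def demo():
    """Return (accepted_when_signed_as_put, accepted_when_signed_as_get)."""
    req = put_acl_request()
    # Client told about the method and content type (--put/--contentType):
    # it signs exactly what the server will see.
    signed_as_put = authorization_header(
        ACCESS_KEY_ID, SECRET_KEY,
        string_to_sign("PUT", "application/xml", DATE, RESOURCE))
    # Assumption from the thread: when -X PUT and -H Content-Type are only
    # passed through to curl, the signing tool never sees them and signs a
    # GET with an empty Content-Type, so the signatures no longer agree.
    signed_as_get = authorization_header(
        ACCESS_KEY_ID, SECRET_KEY,
        string_to_sign("GET", "", DATE, RESOURCE))
    return (server_accepts(req, SECRET_KEY, signed_as_put),
            server_accepts(req, SECRET_KEY, signed_as_get))


if __name__ == "__main__":
    print(demo())
```

The point to take from the check is that the verb and Content-Type are part of the signed string, so the signing tool must know about them; passing them only as raw curl options after `--` changes the request without changing the signature, and the server then rejects it.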

JMLX42 commented 6 years ago

About --contentType:

$ curl --contentType
curl: option --contentType: is unknown

> How about using s3curl.pl --put --contentType application/xml ? A complete command could be:

So you mean put my ACL in a temporary file instead of a shell variable passed via stdin ?

ksauzz commented 6 years ago

> So you mean put my ACL in a temporary file instead of a shell variable passed via stdin ?

Yes, that is what I mean. Perhaps you could use --put - to read the contents from stdio, e.g. echo $ACL | ./s3curl.pl --put - --contentType application/xml -- <curl options>, since s3curl.pl passes the filename as the parameter of curl's -T option...

JMLX42 commented 6 years ago

> --contentType application/xml

Again, using --contentType throws the following error:

curl: option --contentType: is unknown