Closed voa808 closed 5 months ago
I encountered the same problem you described. After revoking the bucket ACL, the bucket owner still has permission to write.
[root@test ~]# /root/s3curl/s3curl.pl --id sig -- http://testbucket.s3-ap-southeast-1.amazonaws.com/?acl -X GET
<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>id</ID><DisplayName>name</DisplayName></Owner><AccessControlList/></AccessControlPolicy>
[root@test ~]# /root/s3curl/s3curl.pl --id sig --debug -- http://testbucket.s3-ap-southeast-1.amazonaws.com/bar -X PUT -T foo
s3curl: Found the url: host=testbucket.s3-ap-southeast-1.amazonaws.com; port=; uri=/bar; query=;
s3curl: vanity endpoint signing case
s3curl: StringToSign='PUT\n\n\nThu, 12 Apr 2018 03:34:10 +0000\n/testbucket/bar'
s3curl: exec curl -v -H 'Date: Thu, 12 Apr 2018 03:34:10 +0000' -H 'Authorization: AWS xxx' -L -H 'content-type: ' http://testbucket.s3-ap-southeast-1.amazonaws.com/bar -X PUT -T foo
* About to connect() to testbucket.s3-ap-southeast-1.amazonaws.com port 80 (#0)
* Trying 52.219.36.19...
* Connected to testbucket.s3-ap-southeast-1.amazonaws.com (52.219.36.19) port 80 (#0)
> PUT /bar HTTP/1.1
> User-Agent: curl/7.29.0
> Host: testbucket.s3-ap-southeast-1.amazonaws.com
> Accept: */*
> Date: Thu, 12 Apr 2018 03:34:10 +0000
> Authorization: AWS xxx
> Content-Length: 4
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< x-amz-id-2: xxx
< x-amz-request-id: xxx
< Date: Thu, 12 Apr 2018 03:33:12 GMT
< ETag: "xxx"
< Content-Length: 0
< Server: AmazonS3
<
* Connection #0 to host testbucket.s3-ap-southeast-1.amazonaws.com left intact
I guess that some cases in s3-tests are not following the S3 API.
AWS: I find that when we create a bucket in AWS and revoke the ACL, the owner of the bucket is still able to create objects in that bucket.
Ceph test: In the test test_bucket_acl_no_grants, when the ACLs are revoked and object creation is attempted, it expects 'denied'.
https://github.com/ceph/s3-tests/blob/master/s3tests/functional/test_s3.py
can't write
Could someone please advise, as I feel this is contradictory to AWS behaviour? Thanks.
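An added example, not part of the thread or of s3-tests: one way to parse a `GET ?acl` response and check whether the bucket owner holds any explicit write-capable grant, so a test can record what the ACL actually contains before asserting on a write result. The function names are hypothetical, the first sample reproduces the empty-ACL response quoted above, and the second sample is constructed for contrast.

```python
import xml.etree.ElementTree as ET

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The response quoted in the thread: an owner, but an empty grant list.
EMPTY_ACL = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b'<Owner><ID>id</ID><DisplayName>name</DisplayName></Owner>'
    b'<AccessControlList/></AccessControlPolicy>'
)

# Constructed sample: the same owner with one explicit FULL_CONTROL grant.
WITH_GRANT = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    b'<Owner><ID>id</ID><DisplayName>name</DisplayName></Owner>'
    b'<AccessControlList><Grant>'
    b'<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    b'xsi:type="CanonicalUser"><ID>id</ID></Grantee>'
    b'<Permission>FULL_CONTROL</Permission>'
    b'</Grant></AccessControlList></AccessControlPolicy>'
)


def parse_acl(xml_bytes):
    """Return (owner_id, grants) from an AccessControlPolicy document."""
    root = ET.fromstring(xml_bytes)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=S3_NS)
    grants = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", S3_NS):
        grantee = grant.find("s3:Grantee", S3_NS)
        # A grantee is identified by canonical ID, group URI, or e-mail.
        ident = next((grantee.findtext(f"s3:{tag}", namespaces=S3_NS)
                      for tag in ("ID", "URI", "EmailAddress")
                      if grantee.findtext(f"s3:{tag}", namespaces=S3_NS)), None)
        grants.append({
            "type": grantee.get(XSI_TYPE),
            "grantee": ident,
            "permission": grant.findtext("s3:Permission", namespaces=S3_NS),
        })
    return owner, grants


def owner_has_explicit_write(xml_bytes):
    """True only if the ACL itself grants the owner WRITE or FULL_CONTROL."""
    owner, grants = parse_acl(xml_bytes)
    return any(g["grantee"] == owner and g["permission"] in ("WRITE", "FULL_CONTROL")
               for g in grants)
```

For the empty ACL from the thread this returns `False`, which shows that the successful PUT reported above was not authorized by any grant in the ACL document.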