ceph / s3-tests

Compatibility tests for S3 clones
MIT License

s3tests.functional.test_s3:test_bucket_acl_no_grants #184

Closed voa808 closed 5 months ago

voa808 commented 7 years ago

AWS: I find that when we create a bucket in AWS and revoke the ACL, the owner of the bucket is still able to create objects in that bucket.

Ceph test: In the test test_bucket_acl_no_grants, when the ACLs are revoked and object creation is attempted, it expects 'denied'.

https://github.com/ceph/s3-tests/blob/master/s3tests/functional/test_s3.py

    # can't write
    key = bucket.new_key('baz')
    check_access_denied(key.set_contents_from_string, 'bar')

Could someone please suggest, as I feel this is contradictory to AWS behaviour. Thanks.

kevin-wyx commented 6 years ago

I encountered the same problem you described. After revoking the bucket ACL, the bucket owner still has permission to write.

[root@test ~]# /root/s3curl/s3curl.pl --id sig   --   http://testbucket.s3-ap-southeast-1.amazonaws.com/?acl -X GET
<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>id</ID><DisplayName>name</DisplayName></Owner><AccessControlList/></AccessControlPolicy>

[root@test ~]# /root/s3curl/s3curl.pl --id sig --debug   --   http://testbucket.s3-ap-southeast-1.amazonaws.com/bar -X PUT -T foo
s3curl: Found the url: host=testbucket.s3-ap-southeast-1.amazonaws.com; port=; uri=/bar; query=;
s3curl: vanity endpoint signing case
s3curl: StringToSign='PUT\n\n\nThu, 12 Apr 2018 03:34:10 +0000\n/testbucket/bar'
s3curl: exec curl -v -H 'Date: Thu, 12 Apr 2018 03:34:10 +0000' -H 'Authorization: AWS xxx' -L -H 'content-type: ' http://testbucket.s3-ap-southeast-1.amazonaws.com/bar -X PUT -T foo
* About to connect() to testbucket.s3-ap-southeast-1.amazonaws.com port 80 (#0)
*   Trying 52.219.36.19...
* Connected to testbucket.s3-ap-southeast-1.amazonaws.com (52.219.36.19) port 80 (#0)
> PUT /bar HTTP/1.1
> User-Agent: curl/7.29.0
> Host: testbucket.s3-ap-southeast-1.amazonaws.com
> Accept: */*
> Date: Thu, 12 Apr 2018 03:34:10 +0000
> Authorization: AWS xxx
> Content-Length: 4
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< x-amz-id-2: xxx
< x-amz-request-id: xxx
< Date: Thu, 12 Apr 2018 03:33:12 GMT
< ETag: "xxx"
< Content-Length: 0
< Server: AmazonS3
<
* Connection #0 to host testbucket.s3-ap-southeast-1.amazonaws.com left intact

I guess that some cases in s3-tests are not following the S3 API.
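
Added example, not part of the thread and not code from s3-tests, AWS or Ceph: a small Python model of the two behaviours being compared, evaluated against the empty-ACL response shown above. The function names, the `owner_implicit` switch and the second sample policy are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample: the AccessControlPolicy body returned in the thread
# (owner "id", no grants), without the XML declaration.
EMPTY_ACL = (
    '<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Owner><ID>id</ID><DisplayName>name</DisplayName></Owner>"
    "<AccessControlList/></AccessControlPolicy>"
)

# Constructed sample: same owner, one WRITE grant to a hypothetical user.
GRANTED_ACL = (
    '<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Owner><ID>id</ID><DisplayName>name</DisplayName></Owner>"
    "<AccessControlList><Grant>"
    '<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xsi:type="CanonicalUser"><ID>other-id</ID></Grantee>'
    "<Permission>WRITE</Permission>"
    "</Grant></AccessControlList></AccessControlPolicy>"
)


def parse_acl(xml_text):
    """Return (owner_id, [(grantee_id, permission), ...]) from an ACL document."""
    root = ET.fromstring(xml_text)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=NS)
    grants = [
        (g.findtext("s3:Grantee/s3:ID", namespaces=NS),
         g.findtext("s3:Permission", namespaces=NS))
        for g in root.findall("s3:AccessControlList/s3:Grant", NS)
    ]
    return owner, grants


def can_write(xml_text, requester, owner_implicit):
    """Decide a PUT under one of the two models discussed in the thread.

    owner_implicit=False: only explicit grants count, which is what
    test_bucket_acl_no_grants expects (owner denied once grants are gone).
    owner_implicit=True: the owner is allowed regardless of grants, which is
    what both commenters report observing.
    """
    owner, grants = parse_acl(xml_text)
    if owner_implicit and requester == owner:
        return True
    return any(gid == requester and perm in ("WRITE", "FULL_CONTROL")
               for gid, perm in grants)
```

With the empty ACL from the thread, the two models disagree only for the owner; any other requester is denied under both.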