Open charray opened 9 years ago
Thank you for your report. It looks like you are right. Would it be possible for you to propose a pull request/patch to fix these issues? As we are currently working on some other issues, that would help speed up the resolution :-)
I just realised the ACL query returns at most `DisplayName` and `CanonicalUser`. Revoking an email address needs an extra lookup. As far as I know, there is no direct way to do so. Some S3 implementations set the display names the same as the email addresses. Users revoking email addresses actually revoke with the display name. No wonder this issue has gone unnoticed for so long.
By the way, what about having another verb, `s3cmd getacl <url>`, so that users can obtain the list of grants of a particular item? With the list, they are more likely to know who they have granted and the proper canonical user IDs to revoke.
When a user grants access at S3/ACL.py:164–174, the code examines the grantee format and sets the `grantee` variable accordingly.
When a user revokes an access right at S3/ACL.py:183–187, the code assumes the string to be a canonical ID without other possibilities. To make things worse, it does not check if anything is ever removed and returns as if successful.
Users using anything other than canonical IDs can still grant access rights without problems, and problems appear when they revoke. The ACL update procedure finishes as if successful and yet nothing was actually done.
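The failure mode reported above, shown as an added Python sketch (not s3cmd's `S3/ACL.py` and not part of any comment in this thread): the revoke step classifies the grantee string as the grant step does and raises when nothing was removed, so a stale grant cannot survive a "successful" revoke. The grant dictionaries, function names, `NothingRevoked`, the meaning of `ALL`, and the sample ACL are all assumptions made for illustration.

```python
# Added illustration; grant layout and all names here are hypothetical.

class NothingRevoked(Exception):
    """Raised when a revoke request matches no grant in the ACL."""


def grantee_kind(name):
    """Classify a grantee string by its format, as a grant step would."""
    if "@" in name:
        return "email"
    if name.startswith("http://acs.amazonaws.com/groups/"):
        return "group"
    return "canonical_id"


def matches(grant, name):
    """True if `name` identifies the grantee of a grant returned by an ACL query."""
    kind = grantee_kind(name)
    if kind == "group":
        return grant["type"] == "Group" and grant["id"] == name
    if grant["type"] != "CanonicalUser":
        return False
    if kind == "email":
        # An ACL query returns only the ID and DisplayName, so an email can be
        # matched only where the service sets DisplayName to the email address.
        return (grant.get("display_name") or "").lower() == name.lower()
    return grant["id"].lower() == name.lower()


def revoke(grants, name, permission):
    """Return (remaining, removed); raise instead of silently removing nothing."""
    permission = permission.upper()  # assumption: "ALL" means any permission
    removed = [g for g in grants
               if matches(g, name) and permission in ("ALL", g["permission"])]
    if not removed:
        raise NothingRevoked("no %s grant found for %r" % (permission, name))
    remaining = [g for g in grants if g not in removed]
    return remaining, removed


# Constructed sample ACL, shaped like the result of an ACL query.
SAMPLE_ACL = [
    {"type": "CanonicalUser", "id": "aaaa1111", "display_name": "owner", "permission": "FULL_CONTROL"},
    {"type": "CanonicalUser", "id": "bbbb2222", "display_name": "bob@example.com", "permission": "READ"},
    {"type": "Group", "id": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"},
]
```

A caller should treat `NothingRevoked` as a hard error and skip the ACL upload, rather than writing back an unchanged ACL and reporting success.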