Per-object public ACL in private bucket #233

Closed
opened 2025-12-28 17:36:40 +00:00 by sami · 2 comments

Originally created by @alexvanin on GitHub (Jun 3, 2022).

Originally assigned to: @alexvanin on GitHub.

can't get-object from private container, even though the object was put with public-read acl.
I suggest to fix the test and place it in test_s3_neofs.py.

It's more like new S3 issue to fix object ACLs, isn't it?

1. `main_wallet` creates private container -- extended ACL with 7 `deny` rules for target `OTHER`

2. `main_wallet` sets public read acl for the object -- extended ACL has one more additional `allow` rule to this object for target `OTHER`, it is the first rule in the table

3. `alt_wallet` tries to get object -- without bearer token NeoFS node applies container EACL to request => first rule allows to get object.

As @masterSplinter01 mentioned, we got access deny error because of `search` request. Which is fair enough, because we do search in the bucket. `tree-service` branch avoids extra search, so maybe the issue should be gone. Let's investigate that and fix per object public ACL in private containers.

Originally posted by @alexvanin in https://github.com/nspcc-dev/neofs-s3-gw/issues/487#issuecomment-1145696629
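
The rule order described in steps 1 to 3, as an added example that is not part of the original issue or the neofs-s3-gw code base: a simplified first-match model showing why a direct GET of the public-read object is allowed while the `search` request is denied. The `Rule` and `Request` types, the object IDs, and the choice of one deny rule per object operation with an allow rule covering GET only are assumptions made for illustration.

```go
package main

import "fmt"

// Simplified model of first-match eACL evaluation. The types are
// hypothetical and are not the NeoFS SDK API.
type Rule struct {
	Action, Op, Role string // Action is "ALLOW" or "DENY"
	ObjectID         string // empty means the rule applies to any object
}

type Request struct{ Op, Role, ObjectID string }

// Evaluate returns the action of the first rule that matches the request,
// or "NO_MATCH" when no rule applies (what happens then is outside this model).
func Evaluate(table []Rule, r Request) string {
	for _, rule := range table {
		if rule.Op != r.Op || rule.Role != r.Role {
			continue
		}
		if rule.ObjectID != "" && rule.ObjectID != r.ObjectID {
			continue
		}
		return rule.Action
	}
	return "NO_MATCH"
}

// PrivateBucketTable builds the table from steps 1 and 2: the ALLOW rule for
// the public-read object comes first, followed by seven DENY rules for OTHER.
// Assumption: one DENY rule per object operation, ALLOW covers GET only.
func PrivateBucketTable(publicObject string) []Rule {
	table := []Rule{{"ALLOW", "GET", "OTHER", publicObject}}
	ops := []string{"GET", "HEAD", "PUT", "DELETE", "SEARCH", "GETRANGE", "GETRANGEHASH"}
	for _, op := range ops {
		table = append(table, Rule{Action: "DENY", Op: op, Role: "OTHER"})
	}
	return table
}

func main() {
	table := PrivateBucketTable("obj-public") // constructed object ID
	// Step 3: direct GET of the public object hits the first rule.
	fmt.Println("GET obj-public: ", Evaluate(table, Request{"GET", "OTHER", "obj-public"}))
	// A search in the bucket names no object, so only the DENY rule matches.
	fmt.Println("SEARCH bucket:  ", Evaluate(table, Request{"SEARCH", "OTHER", ""}))
	// Other objects in the private container stay denied.
	fmt.Println("GET obj-private:", Evaluate(table, Request{"GET", "OTHER", "obj-private"}))
}
```
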

sami closed this issue and added the question label 2025-12-28 17:36:40 +00:00

@alexvanin commented on GitHub (Jul 5, 2022):

ACL support should become better after:

- [x] https://github.com/nspcc-dev/neofs-s3-gw/issues/571
- [x] https://github.com/nspcc-dev/neofs-s3-gw/issues/573
- [x] https://github.com/nspcc-dev/neofs-s3-gw/issues/574
- [ ] https://github.com/nspcc-dev/neofs-s3-gw/issues/575

Consider https://github.com/nspcc-dev/neofs-s3-gw/issues/576 in the future.

@alexvanin commented on GitHub (Jul 21, 2022):

Closed by #571 #573 #574

Reference
nspcc-dev/neofs-s3-gw#233