PutObject: object acl doesn't impose restrictions for a not-owner user #421

New issue

Open

opened 2025-12-28 17:37:21 +00:00 by sami · 3 comments

sami commented

2025-12-28 17:37:21 +00:00

Owner

Originally created by @evgeniiz321 on GitHub (Nov 11, 2023).

Create bucket with public-read-write ACL
Create object with public-read ACL
Try to rewrite this object with a not-owner user
Expected to get an error, due to lack of permissions, but in fact - no errors.

test_access_bucket_publicreadwrite_object_publicread

object acl:

{'ResponseMetadata': {'RequestId': '4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f', 'HostId': '', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': '4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f', 'date': 'Sat, 11 Nov 2023 16:08:02 GMT', 'content-length': '766', 'content-type': 'text/xml; charset=utf-8'}, 'MaxAttemptsReached': True, 'RetryAttempts': 0}, 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': [{'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/global/AllUsers'}, 'Permission': 'READ'}, {'Grantee': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': '031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a', 'Type': 'CanonicalUser'}, 'Permission': 'FULL_CONTROL'}]}

logs:

2023-11-11T16:07:56.601Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "17e0f36d-f19b-4ded-ac38-025e15aa8365", "method": "CreateBucket", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "", "description": "OK"}
2023-11-11T16:07:57.637Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "58a67c20-c73d-4914-b4fe-5f3acfad6f7a", "method": "PutBucketACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "", "description": "OK"}
2023-11-11T16:07:58.568Z	debug	layer/object.go:258	put object	{"reqId": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:07:58.619Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:07:58.623Z	debug	layer/layer.go:480	get object	{"reqId": "3610650e-1125-45ba-b0b2-145d70e73764", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:07:59.637Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "3610650e-1125-45ba-b0b2-145d70e73764", "method": "PutObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:01.773Z	debug	layer/object.go:258	put object	{"reqId": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}
2023-11-11T16:08:02.489Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"}
2023-11-11T16:08:02.530Z	debug	layer/layer.go:480	get object	{"reqId": "4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:08:02.530Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f", "method": "GetObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:02.543Z	debug	layer/layer.go:480	get object	{"reqId": "692b007c-c720-474f-90bf-3b16b0e6e747", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}
2023-11-11T16:08:02.543Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "692b007c-c720-474f-90bf-3b16b0e6e747", "method": "GetObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"}
2023-11-11T16:08:02.550Z	debug	layer/layer.go:480	get object	{"reqId": "522a4616-fd5d-484b-a34e-70696226221a", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"}
2023-11-11T16:08:02.557Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "522a4616-fd5d-484b-a34e-70696226221a", "method": "GetObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:03.914Z	debug	layer/object.go:258	put object	{"reqId": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "DtTGPEB781C2YZqqU5QDQ7o8yqjyiscJQUTqg8o1Cpfa"}
2023-11-11T16:08:04.320Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"}
2023-11-11T16:08:04.325Z	debug	layer/layer.go:480	get object	{"reqId": "56c2704e-ed9e-4fb0-8aa5-87372fa1df07", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"}
2023-11-11T16:08:04.332Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "56c2704e-ed9e-4fb0-8aa5-87372fa1df07", "method": "GetObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"}

Originally created by @evgeniiz321 on GitHub (Nov 11, 2023). 1. Create bucket with **public-read-write** ACL 2. Create object with **public-read** ACL 3. Try to rewrite this object with a not-owner user 4. Expected to get an error, due to lack of permissions, but in fact - no errors. test_access_bucket_publicreadwrite_object_publicread object acl: ``` {'ResponseMetadata': {'RequestId': '4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f', 'HostId': '', 'HTTPStatusCode': 200, 'HTTPHeaders': {'x-amz-request-id': '4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f', 'date': 'Sat, 11 Nov 2023 16:08:02 GMT', 'content-length': '766', 'content-type': 'text/xml; charset=utf-8'}, 'MaxAttemptsReached': True, 'RetryAttempts': 0}, 'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': [{'Grantee': {'Type': 'Group', 'URI': 'http://acs.amazonaws.com/groups/global/AllUsers'}, 'Permission': 'READ'}, {'Grantee': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': '031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a', 'Type': 'CanonicalUser'}, 'Permission': 'FULL_CONTROL'}]} ``` logs: ``` 2023-11-11T16:07:56.601Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "17e0f36d-f19b-4ded-ac38-025e15aa8365", "method": "CreateBucket", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "", "description": "OK"} 2023-11-11T16:07:57.637Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "58a67c20-c73d-4914-b4fe-5f3acfad6f7a", "method": "PutBucketACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "", "description": "OK"} 2023-11-11T16:07:58.568Z debug layer/object.go:258 put object {"reqId": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"} 2023-11-11T16:07:58.619Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "708a85d1-11f5-47ad-880b-a3b6e500f5df", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"} 2023-11-11T16:07:58.623Z debug layer/layer.go:480 get object {"reqId": "3610650e-1125-45ba-b0b2-145d70e73764", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"} 2023-11-11T16:07:59.637Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "3610650e-1125-45ba-b0b2-145d70e73764", "method": "PutObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"} 2023-11-11T16:08:01.773Z debug layer/object.go:258 put object {"reqId": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"} 2023-11-11T16:08:02.489Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "11fe8be8-88d9-4f17-bf5f-30c3fb3496b9", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"} 2023-11-11T16:08:02.530Z debug layer/layer.go:480 get object {"reqId": "4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"} 2023-11-11T16:08:02.530Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "4fe12cb0-f7e5-4d39-9a0d-6ea4002d9d8f", "method": "GetObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"} 2023-11-11T16:08:02.543Z debug layer/layer.go:480 get object {"reqId": "692b007c-c720-474f-90bf-3b16b0e6e747", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"} 2023-11-11T16:08:02.543Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "692b007c-c720-474f-90bf-3b16b0e6e747", "method": "GetObjectACL", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"} 2023-11-11T16:08:02.550Z debug layer/layer.go:480 get object {"reqId": "522a4616-fd5d-484b-a34e-70696226221a", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "27JNComrq2dzQ8BzhmW3tJR5BxEeMTjLCehTCzsBnV2n"} 2023-11-11T16:08:02.557Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "522a4616-fd5d-484b-a34e-70696226221a", "method": "GetObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"} 2023-11-11T16:08:03.914Z debug layer/object.go:258 put object {"reqId": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "foo", "oid": "DtTGPEB781C2YZqqU5QDQ7o8yqjyiscJQUTqg8o1Cpfa"} 2023-11-11T16:08:04.320Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "45605681-2f0d-4371-9b54-ce21ccddb0d8", "method": "PutObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "foo", "description": "OK"} 2023-11-11T16:08:04.325Z debug layer/layer.go:480 get object {"reqId": "56c2704e-ed9e-4fb0-8aa5-87372fa1df07", "bucket": "yournamehere-gerh447uvx59bitc-1", "cid": "FRmos6PxSm2mJrjcbD8g8jE9NSZkDvucmikTDvauFVma", "object": "bar", "oid": "FCpUThwAgKNrWBBMig1sFGi7XHPPtwBj6KPNhZ1kct1h"} 2023-11-11T16:08:04.332Z info api/router.go:166 call method {"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "56c2704e-ed9e-4fb0-8aa5-87372fa1df07", "method": "GetObject", "bucket": "yournamehere-gerh447uvx59bitc-1", "object": "bar", "description": "OK"} ```

sami added the

bug

blocked

labels

2025-12-28 17:37:21 +00:00

sami commented

2025-12-28 17:37:21 +00:00

Author

Owner

@smallhive commented on GitHub (Feb 9, 2024):

According to https://github.com/nspcc-dev/neofs-s3-gw/issues/906#issue-1989038954 there is a conceptual difference between s3 and NeoFS.
IIRC inside NeoFS objects inherit bucket rules, which is why setting ACL for objects doesn't make sense in case of bucket ACL not so strict

@smallhive commented on GitHub (Feb 9, 2024): According to https://github.com/nspcc-dev/neofs-s3-gw/issues/906#issue-1989038954 there is a conceptual difference between s3 and NeoFS. IIRC inside NeoFS objects inherit bucket rules, which is why setting ACL for objects doesn't make sense in case of bucket ACL not so strict

sami commented

2025-12-28 17:37:21 +00:00

Author

Owner

@roman-khimov commented on GitHub (Jun 17, 2024):

But in S3 semantics it does. And we're doing everything via S3 gateway that can check for individual object ACLs.

@roman-khimov commented on GitHub (Jun 17, 2024): But in S3 semantics it does. And we're doing everything via S3 gateway that _can_ check for individual object ACLs.

sami commented

2025-12-28 17:37:21 +00:00

Author

Owner

@roman-khimov commented on GitHub (Jun 18, 2024):

S3 can check for them, but the problem is to create a NeoFS request that would somehow use per-object ACL. It can't.

@roman-khimov commented on GitHub (Jun 18, 2024): S3 can check for them, but the problem is to create a NeoFS request that would somehow use per-object ACL. It can't.