ObjectACL, BucketACL not quite correct behavior #424

Open
opened 2025-12-28 17:37:21 +00:00 by sami · 3 comments

Originally created by @evgeniiz321 on GitHub (Nov 11, 2023).

https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html

> Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you can't access that user's objects unless the user explicitly grants you access.

  1. Create a bucket with the `public-read-write` ACL
  2. Create `object1` with the `public-read-write` ACL
  3. Create `object2` without an ACL (by default, access should be allowed only for the object owner)
  4. Try to get/put `object2` as a non-owner: access is allowed, but should be denied

Seems to be related to https://github.com/nspcc-dev/neofs-s3-gw/issues/904, but this one is a more general issue.
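An added example, not code from this issue or from neofs-s3-gw, that models the AWS rule quoted above as an authorization check: an object's readability is decided by the object ACL alone, and an `inheritFromBucket` switch reproduces the fallback-to-bucket-ACL behavior the steps describe so the two outcomes can be compared. The function names, the users `alice` and `bob`, and the reduction to GetObject/READ are assumptions made for the example.

```go
package main

import "fmt"

// Grantees and permissions as they appear in S3 ACL grants.
const (
	AllUsers = "http://acs.amazonaws.com/groups/global/AllUsers"
	PermRead = "READ"
	PermFull = "FULL_CONTROL"
)

// Grant is one ACL entry; ACL is a bucket or object ACL whose owner holds FULL_CONTROL.
type Grant struct{ Grantee, Permission string }
type ACL struct {
	Owner  string
	Grants []Grant
}

// CannedACL expands a canned ACL name into explicit grants. Only public-read-write
// is modelled; any other name, including "" (no ACL supplied), is owner-only.
func CannedACL(owner, canned string) ACL {
	acl := ACL{Owner: owner, Grants: []Grant{{owner, PermFull}}}
	if canned == "public-read-write" {
		acl.Grants = append(acl.Grants, Grant{AllUsers, PermRead}, Grant{AllUsers, "WRITE"})
	}
	return acl
}

// Allows reports whether user holds perm directly, via FULL_CONTROL, or via AllUsers.
func (a ACL) Allows(user, perm string) bool {
	for _, g := range a.Grants {
		if (g.Grantee == user || g.Grantee == AllUsers) && (g.Permission == PermFull || g.Permission == perm) {
			return true
		}
	}
	return false
}

// AllowObjectRead decides GetObject. Per the AWS text quoted in the issue only the
// object's own ACL counts; inheritFromBucket=true adds the bucket fallback the issue reports.
func AllowObjectRead(bucket, object ACL, user string, inheritFromBucket bool) bool {
	return object.Allows(user, PermRead) || (inheritFromBucket && bucket.Allows(user, PermRead))
}

func main() {
	bucket, obj2 := CannedACL("alice", "public-read-write"), CannedACL("alice", "") // steps 1 and 3
	for _, inherit := range []bool{false, true} {
		fmt.Printf("inheritFromBucket=%v: bob can read obj2: %v\n", inherit, AllowObjectRead(bucket, obj2, "bob", inherit))
	}
}
```

With `inheritFromBucket=false` the non-owner is denied on `object2`, which is the expected AWS outcome; with `true` the request is allowed, matching step 4 of the report.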


@smallhive commented on GitHub (Nov 20, 2023):

I consider that a `bucket with public-read-write` leads to `object2 with public-read-write` by default, according to the bucket rules.


@roman-khimov commented on GitHub (Nov 20, 2023):

Yeah, that's somewhat strange and I'd expect `object2` to be accessible. Is this behavior confirmed for AWS?


@roman-khimov commented on GitHub (Jun 18, 2024):

Similar to #904.

Reference
nspcc-dev/neofs-s3-gw#424