Shawn,

Would you be able to open a GitHub issue for this? We will look into this issue for you.

Thanks!

> Date: Mon, 23 Feb 2015 20:41:16 +0000
> From: Shawn Debnath <sh...@debnath.net>
> To: "riak-users@lists.basho.com" <riak-users@lists.basho.com>
> Subject: ACLs not being set correctly for riak-cs
> Message-ID: <8ab97aa2-f38f-423a-bf8a-98f915806...@debnath.net>
> Content-Type: text/plain; charset="utf-8"
>
> Hi there,
>
> I can't seem to be able to get ACLs set properly on newly created buckets
> in riak-cs. I am using s3curl to push the payload up via PUT /?acl and it
> returns 200 OK. However, a GET /?acl returns an XML payload with missing
> IDs. Without manually pushing new ACLs, the default ACLs correctly give
> access to the owner, but as soon as I push a custom ACL set, it screws up
> the grants for both the owner and the other users.
>
> NOTE: The keys below are for a private test environment so substitute your
> values accordingly.
>
> Any help appreciated on pointing me to the right direction!
>
> Thanks,
> Shawn
>
> Here are the three user IDs, keys and secrets. I want the owner to retain
> full control while I want to grant WRITE privileges to publisher and READ
> privileges to reader.
>
> admin_id: feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e
> admin_key: 1049V_JJHPH7TO_QPWVC
> admin_secret: lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==
> publisher_id: 5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5
> publisher_key: D-YBO-QHCHU9MEHNZR1D
> publisher_secret: nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==
> reader_id: de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239
> reader_key: _QOKYEHYM6S-YDDHGSYF
> reader_secret: sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==
>
> <!--
> INPUT ACL XML
> -->
> <AccessControlPolicy xmlns="http://data.basho.com/doc/2012-04-05/">
>   <Owner>
>     <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
>   </Owner>
>   <AccessControlList>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
>       </Grantee>
>       <Permission>FULL_CONTROL</Permission>
>     </Grant>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</ID>
>       </Grantee>
>       <Permission>WRITE</Permission>
>     </Grant>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</ID>
>       </Grantee>
>       <Permission>READ</Permission>
>     </Grant>
>   </AccessControlList>
> </AccessControlPolicy>
>
> <!--
> CREATE BUCKET social-media VIA s3curl
>
> NOTE
> NOTE If you are using non-standard domains, in the case below, edit the
> s3curl.pl file and modify the @endpoints to contain the correct set of
> domains
> NOTE
> -->
> $ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --acl private -- -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/
>
> s3curl: Found the url: host=social-media.cs.domain.com; port=; uri=/; query=;
> s3curl: vanity endpoint signing case
> s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:15 +0000\nx-amz-acl:private\n/social-media/'
> s3curl: signature='v48ovqQBnqfEcBZ7kPedpbs1Xt4='
> s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:15 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4= -H x-amz-acl: private -L -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 50201 (#0)
> > PUT http://social-media.cs.domain.com/ HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: social-media.cs.domain.com
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Date: Mon, 23 Feb 2015 20:03:15 +0000
> > Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4=
> > x-amz-acl: private
> >
> < HTTP/1.1 200 OK
> * Server Riak CS is not blacklisted
> < Server: Riak CS
> < Date: Mon, 23 Feb 2015 20:03:16 GMT
> < Content-Type: application/xml
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
> <!--
> SET ACLs ON BUCKET social-media VIA s3curl
>
> NOTE
> NOTE If you are using non-standard domains, in the case below, edit the
> s3curl.pl file and modify the @endpoints to contain the correct set of
> domains
> NOTE
> -->
> $ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --put /tmp/riak-cs-bucket-policy.xml -- -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/?acl
>
> s3curl: Found the url: host=social-media.cs.domain.com; port=; uri=/; query=acl;
> s3curl: vanity endpoint signing case
> s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:21 +0000\n/social-media/?acl'
> s3curl: signature='QAcPGgB1tZO2+U4M0TvP4Q4uyxQ='
> s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:21 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ= -L -T /tmp/riak-cs-bucket-policy.xml -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/?acl
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 50201 (#0)
> > PUT http://social-media.cs.domain.com/?acl HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: social-media.cs.domain.com
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Date: Mon, 23 Feb 2015 20:03:21 +0000
> > Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ=
> > Content-Length: 1003
> > Expect: 100-continue
> >
> < HTTP/1.1 100 Continue
> * We are completely uploaded and fine
> < HTTP/1.1 200 OK
> * Server Riak CS is not blacklisted
> < Server: Riak CS
> < Date: Mon, 23 Feb 2015 20:03:21 GMT
> < Content-Type: application/xml
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
> <!--
> VERIFY ACLs USING ADMIN KEY/SECRET
>
> As you can see, IDs in the grants are missing, and even the owner now
> cannot put/get files.
> -->
> bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} -- -s -v -x localhost:50201 -X GET http://social-media.cs.domain.com/?acl
>
> <?xml version="1.0" encoding="UTF-8"?>
> <AccessControlPolicy>
>   <Owner>
>     <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
>     <DisplayName>riak-cs-admin</DisplayName>
>   </Owner>
>   <AccessControlList>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID></ID>
>         <DisplayName></DisplayName>
>       </Grantee>
>       <Permission>FULL_CONTROL</Permission>
>     </Grant>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID></ID>
>         <DisplayName></DisplayName>
>       </Grantee>
>       <Permission>READ</Permission>
>     </Grant>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID></ID>
>         <DisplayName></DisplayName>
>       </Grantee>
>       <Permission>WRITE</Permission>
>     </Grant>
>   </AccessControlList>
> </AccessControlPolicy>
>
> <!--
> DUMP USERS TO VERIFY
> -->
> s3curl: Found the url: host=riak-cs.cs.domain.com; port=; uri=/users; query=;
> s3curl: vanity endpoint signing case
> s3curl: StringToSign='GET\n\n\nMon, 23 Feb 2015 20:30:30 +0000\n/riak-cs/users'
> s3curl: signature='mOcYNLzS/3PFkXhU8tnM14HQVoI='
> s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:30:30 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI= -L -s -v -x localhost:50201 -X GET http://riak-cs.cs.domain.com/users
> * Hostname was NOT found in DNS cache
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 50201 (#0)
> > GET http://riak-cs.cs.domain.com/users HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: riak-cs.cs.domain.com
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Date: Mon, 23 Feb 2015 20:30:30 +0000
> > Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI=
> >
> < HTTP/1.1 200 OK
> < Vary: Accept
> < Transfer-Encoding: chunked
> * Server Riak CS is not blacklisted
> < Server: Riak CS
> < Date: Mon, 23 Feb 2015 20:30:30 GMT
> < Content-Type: multipart/mixed; boundary=TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> <
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> Content-Type: application/xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Users>
>   <User>
>     <Email>riak-cs-publis...@domain.com</Email>
>     <DisplayName>riak-cs-publisher</DisplayName>
>     <Name>publisher</Name>
>     <KeyId>D-YBO-QHCHU9MEHNZR1D</KeyId>
>     <KeySecret>nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==</KeySecret>
>     <Id>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</Id>
>     <Status>enabled</Status>
>   </User>
>   <User>
>     <Email>riak-cs-rea...@domain.com</Email>
>     <DisplayName>riak-cs-reader</DisplayName>
>     <Name>reader</Name>
>     <KeyId>_QOKYEHYM6S-YDDHGSYF</KeyId>
>     <KeySecret>sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==</KeySecret>
>     <Id>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</Id>
>     <Status>enabled</Status>
>   </User>
> </Users>
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> Content-Type: application/xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Users>
>   <User>
>     <Email>riak-cs-ad...@domain.com</Email>
>     <DisplayName>riak-cs-admin</DisplayName>
>     <Name>admin</Name>
>     <KeyId>1049V_JJHPH7TO_QPWVC</KeyId>
>     <KeySecret>lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==</KeySecret>
>     <Id>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</Id>
>     <Status>enabled</Status>
>   </User>
> </Users>
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> Content-Type: application/xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Users/>
> * Connection #0 to host localhost left intact
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O--

--
Seema Jethani
Director of Product Management, Basho <http://basho.com>
4083455739 | @seemaj <http://twitter.com/seemaj>
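
A round-trip check for the symptom reported in the quoted message, where PUT /?acl returns 200 OK but the following GET /?acl shows grants with empty grantee IDs. This is an added example, not code from the thread or from Riak CS; the function names and the placeholder IDs in the constructed sample documents are assumptions.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop any '{namespace}' prefix: the PUT body is namespaced, the GET reply is not.
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, name):
    # Text of the first direct child with this local name; '' if absent or empty.
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def parse_acl(xml_text):
    """Return (owner_id, {(grantee_id, permission), ...}) for an ACL document."""
    owner, grants = "", set()
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "Owner":
            owner = _child_text(el, "ID")
        elif _local(el.tag) == "Grant":
            grantee = next((c for c in el if _local(c.tag) == "Grantee"), None)
            gid = _child_text(grantee, "ID") if grantee is not None else ""
            grants.add((gid, _child_text(el, "Permission")))
    return owner, grants

def verify_acl(requested_xml, returned_xml):
    """List every way the stored ACL differs from the one that was PUT."""
    (want_owner, want), (got_owner, got) = parse_acl(requested_xml), parse_acl(returned_xml)
    problems = []
    if want_owner != got_owner:
        problems.append(f"owner changed: {want_owner!r} -> {got_owner!r}")
    problems += [f"{perm} grant has an empty grantee ID" for gid, perm in sorted(got) if not gid]
    problems += [f"missing grant: {perm} for {gid}" for gid, perm in sorted(want - got)]
    problems += [f"unexpected grant: {perm} for {gid}" for gid, perm in sorted(got - want) if gid]
    return problems

# Constructed sample documents; the IDs are placeholders, not values from the thread.
_GRANT = "<Grant><Grantee><ID>{}</ID></Grantee><Permission>{}</Permission></Grant>"
def sample(xmlns, owner, grants):
    body = "".join(_GRANT.format(gid, perm) for gid, perm in grants)
    return (f"<AccessControlPolicy{xmlns}><Owner><ID>{owner}</ID></Owner>"
            f"<AccessControlList>{body}</AccessControlList></AccessControlPolicy>")

REQUESTED = sample(' xmlns="http://data.basho.com/doc/2012-04-05/"', "owner-id",
                   [("owner-id", "FULL_CONTROL"), ("publisher-id", "WRITE"), ("reader-id", "READ")])
RETURNED = sample("", "owner-id", [("", "FULL_CONTROL"), ("", "READ"), ("", "WRITE")])

if __name__ == "__main__":
    for problem in verify_acl(REQUESTED, RETURNED):
        print(problem)
```

An empty result from `verify_acl` means the stored policy matches what was sent; anything else is worth treating as a failed ACL change even though the PUT returned 200 OK.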