Filed https://github.com/basho/riak_cs/issues/1081

Thanks,
Shawn


On 2/27/15, 2:18 PM, "Seema Jethani" <se...@basho.com> wrote:

Shawn

Would you be able to open a github issue for this? We will look into this issue 
for you. Thanks!



Date: Mon, 23 Feb 2015 20:41:16 +0000
From: Shawn Debnath <sh...@debnath.net>
To: "riak-users@lists.basho.com" <riak-users@lists.basho.com>
Subject: ACLs not being set correctly for riak-cs
Message-ID: <8ab97aa2-f38f-423a-bf8a-98f915806...@debnath.net>
Content-Type: text/plain; charset="utf-8"

Hi there,

I can't seem to be able to get ACLs set properly on newly created buckets in 
riak-cs. I am using s3curl to push the payload up via PUT /?acl and it returns 
200 OK. However, a GET /?acl returns an XML payload with missing IDs. Without 
manually pushing new ACLs, the default ACLs correctly give access to the 
owner, but as soon as I push a custom ACL set, it screws up the grants for both 
the owner and the other users.

NOTE: The keys below are for a private test environment so substitute your 
values accordingly.

Any help appreciated on pointing me in the right direction!

Thanks,
Shawn



Here are the three user IDs, keys and secrets. I want the owner to retain full 
control while I want to grant WRITE privileges to publisher and READ privileges 
to reader.


    admin_id: feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e
    admin_key: 1049V_JJHPH7TO_QPWVC
    admin_secret: lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==
    publisher_id: 5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5
    publisher_key: D-YBO-QHCHU9MEHNZR1D
    publisher_secret: nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==
    reader_id: de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239
    reader_key: _QOKYEHYM6S-YDDHGSYF
    reader_secret: sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==

<!--
  INPUT ACL XML
-->
<AccessControlPolicy xmlns="http://data.basho.com/doc/2012-04-05/">
  <Owner>
    <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</ID>
      </Grantee>
      <Permission>WRITE</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</ID>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

<!--
  CREATE BUCKET social-media VIA s3curl

  NOTE
  NOTE If you are using non-standard domains, in the case below, edit the
  s3curl.pl file and modify the @endpoints to contain the correct set of domains
  NOTE
-->
$ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --acl private -- -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/

s3curl: Found the url: host=social-media.cs.domain.com; port=; uri=/; query=;
s3curl: vanity endpoint signing case
s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:15 +0000\nx-amz-acl:private\n/social-media/'
s3curl: signature='v48ovqQBnqfEcBZ7kPedpbs1Xt4='
s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:15 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4= -H x-amz-acl: private -L -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 50201 (#0)
> PUT http://social-media.cs.domain.com/ HTTP/1.1
> User-Agent: curl/7.37.1
> Host: social-media.cs.domain.com
> Accept: */*
> Proxy-Connection: Keep-Alive
> Date: Mon, 23 Feb 2015 20:03:15 +0000
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4=
> x-amz-acl: private
>
< HTTP/1.1 200 OK
* Server Riak CS is not blacklisted
< Server: Riak CS
< Date: Mon, 23 Feb 2015 20:03:16 GMT
< Content-Type: application/xml
< Content-Length: 0
<
* Connection #0 to host localhost left intact


<!--
  SET ACLs ON BUCKET social-media VIA s3curl

  NOTE
  NOTE If you are using non-standard domains, in the case below, edit the
  s3curl.pl file and modify the @endpoints to contain the correct set of domains
  NOTE
-->
$ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --put /tmp/riak-cs-bucket-policy.xml -- -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/?acl

s3curl: Found the url: host=social-media.cs.domain.com; port=; uri=/; query=acl;
s3curl: vanity endpoint signing case
s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:21 +0000\n/social-media/?acl'
s3curl: signature='QAcPGgB1tZO2+U4M0TvP4Q4uyxQ='
s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:21 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ= -L -T /tmp/riak-cs-bucket-policy.xml -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/?acl
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 50201 (#0)
> PUT http://social-media.cs.domain.com/?acl HTTP/1.1
> User-Agent: curl/7.37.1
> Host: social-media.cs.domain.com
> Accept: */*
> Proxy-Connection: Keep-Alive
> Date: Mon, 23 Feb 2015 20:03:21 +0000
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ=
> Content-Length: 1003
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
* Server Riak CS is not blacklisted
< Server: Riak CS
< Date: Mon, 23 Feb 2015 20:03:21 GMT
< Content-Type: application/xml
< Content-Length: 0
<
* Connection #0 to host localhost left intact


<!--
  VERIFY ACLs USING ADMIN KEY/SECRET

  As you can see, IDs in the grants are missing, and even the owner now cannot
  put/get files.
-->
bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} -- -s -v -x localhost:50201 -X GET http://social-media.cs.domain.com/?acl

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
    <Owner>
        <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
        <DisplayName>riak-cs-admin</DisplayName>
    </Owner>
    <AccessControlList>
        <Grant>
            <Grantee
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
                <ID></ID>
                <DisplayName></DisplayName>
            </Grantee>
            <Permission>FULL_CONTROL</Permission>
        </Grant>
        <Grant>
            <Grantee
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
                <ID></ID>
                <DisplayName></DisplayName>
            </Grantee>
            <Permission>READ</Permission>
        </Grant>
        <Grant>
            <Grantee
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
                <ID></ID>
                <DisplayName></DisplayName>
            </Grantee>
            <Permission>WRITE</Permission>
        </Grant>
    </AccessControlList>
</AccessControlPolicy>

<!--
  DUMP USERS TO VERIFY
-->
s3curl: Found the url: host=riak-cs.cs.domain.com; port=; uri=/users; query=;
s3curl: vanity endpoint signing case
s3curl: StringToSign='GET\n\n\nMon, 23 Feb 2015 20:30:30 +0000\n/riak-cs/users'
s3curl: signature='mOcYNLzS/3PFkXhU8tnM14HQVoI='
s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:30:30 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI= -L -s -v -x localhost:50201 -X GET http://riak-cs.cs.domain.com/users
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 50201 (#0)
> GET http://riak-cs.cs.domain.com/users HTTP/1.1
> User-Agent: curl/7.37.1
> Host: riak-cs.cs.domain.com
> Accept: */*
> Proxy-Connection: Keep-Alive
> Date: Mon, 23 Feb 2015 20:30:30 +0000
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI=
>
< HTTP/1.1 200 OK
< Vary: Accept
< Transfer-Encoding: chunked
* Server Riak CS is not blacklisted
< Server: Riak CS
< Date: Mon, 23 Feb 2015 20:30:30 GMT
< Content-Type: multipart/mixed; boundary=TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
<
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<Users>
    <User>
        <Email>riak-cs-publis...@domain.com</Email>
        <DisplayName>riak-cs-publisher</DisplayName>
        <Name>publisher</Name>
        <KeyId>D-YBO-QHCHU9MEHNZR1D</KeyId>
        <KeySecret>nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==</KeySecret>
        <Id>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</Id>
        <Status>enabled</Status>
    </User>
    <User>
        <Email>riak-cs-rea...@domain.com</Email>
        <DisplayName>riak-cs-reader</DisplayName>
        <Name>reader</Name>
        <KeyId>_QOKYEHYM6S-YDDHGSYF</KeyId>
        <KeySecret>sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==</KeySecret>
        <Id>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</Id>
        <Status>enabled</Status>
    </User>
</Users>
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<Users>
    <User>
        <Email>riak-cs-ad...@domain.com</Email>
        <DisplayName>riak-cs-admin</DisplayName>
        <Name>admin</Name>
        <KeyId>1049V_JJHPH7TO_QPWVC</KeyId>
        <KeySecret>lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==</KeySecret>
        <Id>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</Id>
        <Status>enabled</Status>
    </User>
</Users>
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
Content-Type: application/xml


<?xml version="1.0" encoding="UTF-8"?>
<Users/>
* Connection #0 to host localhost left intact
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O--

--
Seema Jethani
Director of Product Management, Basho<http://basho.com>
4083455739 | @seemaj<http://twitter.com/seemaj>
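
A round-trip check for the symptom reported in this thread, as an added example that is not part of the original messages or of Riak CS: it parses the ACL document that was PUT and the one returned by GET /?acl, then reports grants whose grantee ID came back empty or that differ from what was sent. The function names and the simplified sample documents with placeholder IDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # '{ns}Grant' -> 'Grant'


def parse_grants(acl_xml):
    """Return [(grantee_id, permission), ...] from an AccessControlPolicy.
    Elements are matched by local name because the request in the thread
    declares a default namespace and the response does not."""
    grants = []
    for grant in ET.fromstring(acl_xml).iter():
        if _local(grant.tag) == "Grant":
            fields = {_local(e.tag): (e.text or "").strip() for e in grant.iter()}
            grants.append((fields.get("ID", ""), fields.get("Permission", "")))
    return grants


def check_round_trip(sent_xml, returned_xml):
    """Compare the ACL that was PUT with the ACL returned by GET /?acl."""
    sent, got = set(parse_grants(sent_xml)), set(parse_grants(returned_xml))
    problems = [f"returned {perm} grant has an empty grantee ID"
                for gid, perm in sorted(got) if not gid]
    problems += [f"sent {perm} grant for {gid} is missing from the response"
                 for gid, perm in sorted(sent - got)]
    problems += [f"unexpected {perm} grant for {gid} in the response"
                 for gid, perm in sorted(got - sent) if gid]
    return problems


# Constructed, simplified sample documents (placeholder IDs, not from the thread).
SENT = """<AccessControlPolicy xmlns="http://data.basho.com/doc/2012-04-05/">
 <Owner><ID>owner-id</ID></Owner>
 <AccessControlList>
  <Grant><Grantee><ID>owner-id</ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
  <Grant><Grantee><ID>reader-id</ID></Grantee><Permission>READ</Permission></Grant>
 </AccessControlList>
</AccessControlPolicy>"""
RETURNED = """<AccessControlPolicy>
 <Owner><ID>owner-id</ID></Owner>
 <AccessControlList>
  <Grant><Grantee><ID></ID></Grantee><Permission>FULL_CONTROL</Permission></Grant>
  <Grant><Grantee><ID></ID></Grantee><Permission>READ</Permission></Grant>
 </AccessControlList>
</AccessControlPolicy>"""

if __name__ == "__main__":
    print("\n".join(check_round_trip(SENT, RETURNED)))
```

Running the same comparison after every PUT /?acl catches the case shown above, where the request returns 200 OK but the stored grants no longer name any user.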