ACLs not being set correctly for riak-cs

Seema Jethani seema at basho.com
Fri Feb 27 17:18:27 EST 2015


Shawn

Would you be able to open a github issue for this? We will look into this
issue for you. Thanks!



> Date: Mon, 23 Feb 2015 20:41:16 +0000
> From: Shawn Debnath <shawn at debnath.net>
> To: "riak-users at lists.basho.com" <riak-users at lists.basho.com>
> Subject: ACLs not being set correctly for riak-cs
> Message-ID: <8AB97AA2-F38F-423A-BF8A-98F915806D58 at debnath.net>
> Content-Type: text/plain; charset="utf-8"
>
> Hi there,
>
> I can't seem to get ACLs set properly on newly created buckets in riak-cs.
> I am using s3curl to push the payload up via PUT /?acl and it returns
> 200 OK. However, a GET /?acl returns an XML payload with missing IDs.
> Without manually pushing new ACLs, the default ACLs correctly give access
> to the owner, but as soon as I push a custom ACL set, it screws up the
> grants for both the owner and the other users.
>
> NOTE: The keys below are for a private test environment so substitute your
> values accordingly.
>
> Any help appreciated on pointing me to the right direction!
>
> Thanks,
> Shawn
>
>
>
> Here are the three user IDs, keys and secrets. I want the owner to retain
> full control while I want to grant WRITE privileges to publisher and READ
> privileges to reader.
>
>
>     admin_id:
> feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e
>     admin_key: 1049V_JJHPH7TO_QPWVC
>     admin_secret: lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==
>     publisher_id:
> 5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5
>     publisher_key: D-YBO-QHCHU9MEHNZR1D
>     publisher_secret: nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==
>     reader_id:
> de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239
>     reader_key: _QOKYEHYM6S-YDDHGSYF
>     reader_secret: sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==
>
> <!--
>   INPUT ACL XML
> -->
> <AccessControlPolicy xmlns="http://data.basho.com/doc/2012-04-05/">
>   <Owner>
>     <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
>   </Owner>
>   <AccessControlList>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
>       </Grantee>
>       <Permission>FULL_CONTROL</Permission>
>     </Grant>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</ID>
>       </Grantee>
>       <Permission>WRITE</Permission>
>     </Grant>
>     <Grant>
>       <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>         <ID>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</ID>
>       </Grantee>
>       <Permission>READ</Permission>
>     </Grant>
>   </AccessControlList>
> </AccessControlPolicy>
>
> <!--
>   CREATE BUCKET social-media VIA s3curl
>
>   NOTE
>   NOTE If you are using non-standard domains, in the case below, edit the
> s3curl.pl file and modify the @endpoints to contain the correct set of
> domains
>   NOTE
> -->
> $ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --acl private -- -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/
>
> s3curl: Found the url: host=social-media.cs.domain.com; port=; uri=/;
> query=;
> s3curl: vanity endpoint signing case
> s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:15
> +0000\nx-amz-acl:private\n/social-media/'
> s3curl: signature='v48ovqQBnqfEcBZ7kPedpbs1Xt4='
> s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:15 +0000 -H
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4= -H
> x-amz-acl: private -L -s -v -x localhost:50201 -X PUT
> http://social-media.cs.domain.com/
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 50201 (#0)
> > PUT http://social-media.cs.domain.com/ HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: social-media.cs.domain.com
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Date: Mon, 23 Feb 2015 20:03:15 +0000
> > Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4=
> > x-amz-acl: private
> >
> < HTTP/1.1 200 OK
> * Server Riak CS is not blacklisted
> < Server: Riak CS
> < Date: Mon, 23 Feb 2015 20:03:16 GMT
> < Content-Type: application/xml
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
>
> <!--
>   SET ACLs ON BUCKET social-media VIA s3curl
>
>   NOTE
>   NOTE If you are using non-standard domains, in the case below, edit the
> s3curl.pl file and modify the @endpoints to contain the correct set of
> domains
>   NOTE
> -->
> $ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --put /tmp/riak-cs-bucket-policy.xml -- -s -v -x localhost:50201 -X PUT http://social-media.cs.domain.com/?acl
>
> s3curl: Found the url: host=social-media.cs.domain.com; port=; uri=/;
> query=acl;
> s3curl: vanity endpoint signing case
> s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:21
> +0000\n/social-media/?acl'
> s3curl: signature='QAcPGgB1tZO2+U4M0TvP4Q4uyxQ='
> s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:21 +0000 -H
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ= -L -T
> /tmp/riak-cs-bucket-policy.xml -s -v -x localhost:50201 -X PUT
> http://social-media.cs.domain.com/?acl
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 50201 (#0)
> > PUT http://social-media.cs.domain.com/?acl HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: social-media.cs.domain.com
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Date: Mon, 23 Feb 2015 20:03:21 +0000
> > Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ=
> > Content-Length: 1003
> > Expect: 100-continue
> >
> < HTTP/1.1 100 Continue
> * We are completely uploaded and fine
> < HTTP/1.1 200 OK
> * Server Riak CS is not blacklisted
> < Server: Riak CS
> < Date: Mon, 23 Feb 2015 20:03:21 GMT
> < Content-Type: application/xml
> < Content-Length: 0
> <
> * Connection #0 to host localhost left intact
>
>
> <!--
>   VERIFY ACLs USING ADMIN KEY/SECRET
>
>   As you can see, IDs in the grants are missing, and even the owner now
> cannot put/get files.
> -->
> $ bin/s3curl.pl --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} -- -s -v -x localhost:50201 -X GET http://social-media.cs.domain.com/?acl
>
> <?xml version="1.0" encoding="UTF-8"?>
> <AccessControlPolicy>
>     <Owner>
>         <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID>
>         <DisplayName>riak-cs-admin</DisplayName>
>     </Owner>
>     <AccessControlList>
>         <Grant>
>             <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>                 <ID></ID>
>                 <DisplayName></DisplayName>
>             </Grantee>
>             <Permission>FULL_CONTROL</Permission>
>         </Grant>
>         <Grant>
>             <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>                 <ID></ID>
>                 <DisplayName></DisplayName>
>             </Grantee>
>             <Permission>READ</Permission>
>         </Grant>
>         <Grant>
>             <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
>                 <ID></ID>
>                 <DisplayName></DisplayName>
>             </Grantee>
>             <Permission>WRITE</Permission>
>         </Grant>
>     </AccessControlList>
> </AccessControlPolicy>
>
> <!--
>   DUMP USERS TO VERIFY
> -->
> s3curl: Found the url: host=riak-cs.cs.domain.com; port=; uri=/users;
> query=;
> s3curl: vanity endpoint signing case
> s3curl: StringToSign='GET\n\n\nMon, 23 Feb 2015 20:30:30
> +0000\n/riak-cs/users'
> s3curl: signature='mOcYNLzS/3PFkXhU8tnM14HQVoI='
> s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:30:30 +0000 -H
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI= -L -s
> -v -x localhost:50201 -X GET http://riak-cs.cs.domain.com/users
> * Hostname was NOT found in DNS cache
> *   Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 50201 (#0)
> > GET http://riak-cs.cs.domain.com/users HTTP/1.1
> > User-Agent: curl/7.37.1
> > Host: riak-cs.cs.domain.com
> > Accept: */*
> > Proxy-Connection: Keep-Alive
> > Date: Mon, 23 Feb 2015 20:30:30 +0000
> > Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI=
> >
> < HTTP/1.1 200 OK
> < Vary: Accept
> < Transfer-Encoding: chunked
> * Server Riak CS is not blacklisted
> < Server: Riak CS
> < Date: Mon, 23 Feb 2015 20:30:30 GMT
> < Content-Type: multipart/mixed; boundary=TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> <
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> Content-Type: application/xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Users>
>     <User>
>         <Email>riak-cs-publisher at domain.com</Email>
>         <DisplayName>riak-cs-publisher</DisplayName>
>         <Name>publisher</Name>
>         <KeyId>D-YBO-QHCHU9MEHNZR1D</KeyId>
>         <KeySecret>nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==</KeySecret>
>         <Id>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</Id>
>         <Status>enabled</Status>
>     </User>
>     <User>
>         <Email>riak-cs-reader at domain.com</Email>
>         <DisplayName>riak-cs-reader</DisplayName>
>         <Name>reader</Name>
>         <KeyId>_QOKYEHYM6S-YDDHGSYF</KeyId>
>         <KeySecret>sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==</KeySecret>
>         <Id>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</Id>
>         <Status>enabled</Status>
>     </User>
> </Users>
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> Content-Type: application/xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Users>
>     <User>
>         <Email>riak-cs-admin at domain.com</Email>
>         <DisplayName>riak-cs-admin</DisplayName>
>         <Name>admin</Name>
>         <KeyId>1049V_JJHPH7TO_QPWVC</KeyId>
>         <KeySecret>lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==</KeySecret>
>         <Id>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</Id>
>         <Status>enabled</Status>
>     </User>
> </Users>
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O
> Content-Type: application/xml
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Users/>
> * Connection #0 to host localhost left intact
> --TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O--
>


-- 
Seema Jethani
Director of Product Management, Basho <http://basho.com>
4083455739 | @seemaj <http://twitter.com/seemaj>
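One way to catch the failure Shawn describes before it costs anyone access (an added example for this thread, not code from the original post or from Riak CS): after the PUT /?acl, fetch the policy back with GET /?acl and compare the grants that came back with the ones that were sent, failing whenever a grantee ID is empty, a grant is missing or unexpected, or the owner no longer holds FULL_CONTROL. Element names are matched by local name only, because the document sent carries an xmlns and the one returned does not. The sample documents are constructed from the three canonical user IDs in the thread; build_acl, parse_acl and check_acl_roundtrip are names chosen for this example.

```python
"""Round-trip check for an S3-style bucket ACL.

Added example for this thread, not code from the original post or from
Riak CS. After PUT /?acl, fetch GET /?acl and confirm that the grants the
server returns are the ones that were sent. Element names are matched by
local name only, so a document with an xmlns (as sent) and one without
(as returned) are compared the same way.
"""
import xml.etree.ElementTree as ET

# Canonical user IDs from the thread (private test environment).
ADMIN_ID = "feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e"
PUBLISHER_ID = "5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5"
READER_ID = "de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239"

_GRANT = ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
          'xsi:type="CanonicalUser"><ID>{id}</ID></Grantee>'
          '<Permission>{perm}</Permission></Grant>')


def build_acl(owner_id, grants, xmlns="http://data.basho.com/doc/2012-04-05/"):
    """Build an AccessControlPolicy document (helper for the constructed samples).

    grants is a list of (grantee_id, permission). xmlns=None omits the
    namespace, as the GET /?acl response in the thread does.
    """
    ns = f' xmlns="{xmlns}"' if xmlns else ""
    body = "".join(_GRANT.format(id=gid, perm=perm) for gid, perm in grants)
    return (f"<AccessControlPolicy{ns}><Owner><ID>{owner_id}</ID></Owner>"
            f"<AccessControlList>{body}</AccessControlList></AccessControlPolicy>")


# Constructed samples mirroring the thread: what was PUT, and what GET returned.
PUT_ACL = build_acl(ADMIN_ID, [(ADMIN_ID, "FULL_CONTROL"),
                               (PUBLISHER_ID, "WRITE"),
                               (READER_ID, "READ")])
OBSERVED_ACL = build_acl(ADMIN_ID, [("", "FULL_CONTROL"), ("", "READ"), ("", "WRITE")],
                         xmlns=None)


def _local(tag):
    """'{namespace}Grant' -> 'Grant'; a tag without a namespace is unchanged."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child whose local name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _text(elem, name):
    """Stripped text of the named child; '' if absent or empty (<ID></ID>)."""
    child = _child(elem, name) if elem is not None else None
    return (child.text or "").strip() if child is not None else ""


def parse_acl(xml_doc):
    """Return (owner_id, [(grantee_id, permission), ...]) from an ACL document."""
    if isinstance(xml_doc, str):
        xml_doc = xml_doc.encode("utf-8")  # bytes are safe with an <?xml ?> declaration
    root = ET.fromstring(xml_doc)
    if _local(root.tag) != "AccessControlPolicy":
        raise ValueError(f"not an AccessControlPolicy: {root.tag}")
    owner_id = _text(_child(root, "Owner"), "ID")
    grants = []
    acl = _child(root, "AccessControlList")
    for grant in (acl if acl is not None else []):
        if _local(grant.tag) != "Grant":
            continue
        grantee_id = _text(_child(grant, "Grantee"), "ID")
        grants.append((grantee_id, _text(grant, "Permission")))
    return owner_id, grants


def check_acl_roundtrip(sent_xml, returned_xml):
    """Compare the ACL that was sent with the one the server returned."""
    sent_owner, sent_grants = parse_acl(sent_xml)
    got_owner, got_grants = parse_acl(returned_xml)
    sent, got = set(sent_grants), set(got_grants)
    report = {
        "owner_matches": sent_owner == got_owner,
        # grants whose grantee came back with an empty <ID>: nobody can use them
        "empty_grantees": sorted(perm for gid, perm in got_grants if not gid),
        "missing": sorted(sent - got),
        "unexpected": sorted(got - sent),
        "owner_has_full_control": (got_owner, "FULL_CONTROL") in got,
    }
    report["ok"] = (report["owner_matches"] and not report["empty_grantees"]
                    and not report["missing"] and not report["unexpected"])
    return report


if __name__ == "__main__":
    for key, value in check_acl_roundtrip(PUT_ACL, OBSERVED_ACL).items():
        print(f"{key}: {value}")
```

Run against the thread's two documents the report flags all three grants as having empty grantees, lists every intended grant as missing, and reports that the owner no longer has FULL_CONTROL, which is exactly what the 200 OK on the PUT hid. Wiring this check into whatever script performs the PUT turns a silent permission change into a failed deployment step rather than a surprise the first time a client is denied.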