Problem Getting/Setting ACL with Boto or RiakCSClient

Anthony Valenti anthony.valenti at
Tue Jun 27 10:15:12 EDT 2017

We started having an unusual problem last week and I'm not sure what
happened to change anything, but it our automated process isn't working now.

The process normally is that we get files in a Riak CS bucket and we have
an automated program that processes the file and then puts it in another
bucket and sets the ACL to the same as the parent directory.  The process
is now getting an error when it tries to get the parent directory ACL and
set the object ACL (copy the ACL).
But the account has full control over the parent directory and the object
that it just wrote to the directory.
Here is the really strange part.  This is only a problem with our programs
that use the boto client for python or the RiakCSClient for java.  If we
use Cloudberry, with the same account (access and secret keys), we can get
the parent directory ACL and set the object ACL.  No errors.

We versions that we are using are
Riak-CS - 1.5.3
Riak - 1.4.12
Stanchion - 1.5.0

Here is a test python script that we wrote to check the functionality with

import boto3
from boto3.session import Config

accesskey = '*****************'
secretkey = '*******************************'
bucketname = 'analytics'
key = 'clients/inbound/Tlog_20170626.gz'
pathing = 'clients/inbound/'

client = boto3.client('s3', endpoint_url='',
config=Config(s3={'addressing_style': 'virtual'}),
aws_access_key_id=accesskey, aws_secret_access_key=secretkey)
response = client.list_objects(Bucket=bucketname)

response = client.get_bucket_acl(Bucket=bucketname)

response = client.get_object_acl(Bucket=bucketname, Key=key)


This is the error that we get:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when
calling the GetBucketAcl operation: Access Denied

This is an excerpt of the automated java program that copies the ACL and
gets a a similar error.

import com.basho.riakcs.client.api.RiakCSClient;
csClient= new RiakCSClient(accesskey, secretkey, "ourserver:8080", false);
csClient.copyACLToObject(bucketName, key,
RiakCSClient.Permission.FULL_CONTROL, pathing);



*Anthony Valenti*




*Inmar Confidentiality Note*:  This e-mail and any attachments are 
confidential and intended to be viewed and used solely by the intended 
recipient.  If you are not the intended recipient, be aware that any 
disclosure, dissemination, distribution, copying or use of this e-mail or 
any attachment is prohibited.  If you received this e-mail in error, please 
notify us immediately by returning it to the sender and delete this copy 
and all attachments from your system and destroy any printed copies.  Thank 
you for your cooperation.


*Notice of Protected Rights*:  The removal of any copyright, trademark, or 
proprietary legend contained in this e-mail or any attachment is prohibited 
without the express, written permission of Inmar, Inc.  Furthermore, the 
intended recipient must maintain all copyright notices, trademarks, and 
proprietary legends within this e-mail and any attachments in their 
original form and location if the e-mail or any attachments are reproduced, 
printed or distributed.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the riak-users mailing list