<div dir="ltr">Shawn<div><br></div><div>Would you be able to open a GitHub issue for this? We will look into this issue for you. Thanks!<br><div class="gmail_extra"><br><div class="gmail_quote"><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
Date: Mon, 23 Feb 2015 20:41:16 +0000<br>
From: Shawn Debnath <<a href="mailto:shawn@debnath.net">shawn@debnath.net</a>><br>
To: "<a href="mailto:riak-users@lists.basho.com">riak-users@lists.basho.com</a>" <<a href="mailto:riak-users@lists.basho.com">riak-users@lists.basho.com</a>><br>
Subject: ACLs not being set correctly for riak-cs<br>
Message-ID: <<a href="mailto:8AB97AA2-F38F-423A-BF8A-98F915806D58@debnath.net">8AB97AA2-F38F-423A-BF8A-98F915806D58@debnath.net</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hi there,<br>
<br>
I can't seem to be able to get ACLs set properly on newly created buckets in riak-cs. I am using s3curl to push the payload up via PUT /?acl and it returns 200 OK. However, a GET /?acl returns an xml payload with missing IDs. Without manually pushing new ACLs, the default ACLs correctly give access to the owner, but as soon as I push a custom ACL set, it screws up the grants for both the owner and the other users.<br>
<br>
NOTE: The keys below are for a private test environment so substitute your values accordingly.<br>
<br>
Any help appreciated on pointing me to the right direction!<br>
<br>
Thanks,<br>
Shawn<br>
<br>
<br>
<br>
Here are the three user IDs, keys and secrets. I want the owner to retain full control while I want to grant WRITE privileges to publisher and READ privileges to reader.<br>
<br>
<br>
    admin_id: feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e<br>
    admin_key: 1049V_JJHPH7TO_QPWVC<br>
    admin_secret: lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==<br>
    publisher_id: 5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5<br>
    publisher_key: D-YBO-QHCHU9MEHNZR1D<br>
    publisher_secret: nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==<br>
    reader_id: de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239<br>
    reader_key: _QOKYEHYM6S-YDDHGSYF<br>
    reader_secret: sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==<br>
<br>
<!--<br>
  INPUT ACL XML<br>
--><br>
<AccessControlPolicy xmlns="<a href="http://data.basho.com/doc/2012-04-05/" target="_blank">http://data.basho.com/doc/2012-04-05/</a>"><br>
  <Owner><br>
    <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID><br>
  </Owner><br>
  <AccessControlList><br>
    <Grant><br>
      <Grantee xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="CanonicalUser"><br>
        <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID><br>
      </Grantee><br>
      <Permission>FULL_CONTROL</Permission><br>
    </Grant><br>
    <Grant><br>
      <Grantee xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="CanonicalUser"><br>
        <ID>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</ID><br>
      </Grantee><br>
      <Permission>WRITE</Permission><br>
    </Grant><br>
    <Grant><br>
      <Grantee xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="CanonicalUser"><br>
        <ID>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</ID><br>
      </Grantee><br>
      <Permission>READ</Permission><br>
    </Grant><br>
  </AccessControlList><br>
</AccessControlPolicy><br>
<br>
<!--<br>
  CREATE BUCKET social-media VIA s3curl<br>
<br>
  NOTE<br>
  NOTE If you are using non-standard domains, in the case below, edit the <a href="http://s3curl.pl" target="_blank">s3curl.pl</a> file and modify the @endpoints to contain the correct set of domains<br>
  NOTE<br>
--><br>
$ bin/<a href="http://s3curl.pl" target="_blank">s3curl.pl</a> --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --acl private -- -s -v -x localhost:50201 -X PUT <a href="http://social-media.cs.domain.com/" target="_blank">http://social-media.cs.domain.com/</a><br>
<br>
s3curl: Found the url: host=<a href="http://social-media.cs.domain.com" target="_blank">social-media.cs.domain.com</a>; port=; uri=/; query=;<br>
s3curl: vanity endpoint signing case<br>
s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:15 +0000\nx-amz-acl:private\n/social-media/'<br>
s3curl: signature='v48ovqQBnqfEcBZ7kPedpbs1Xt4='<br>
s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:15 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4= -H x-amz-acl: private -L -s -v -x localhost:50201 -X PUT <a href="http://social-media.cs.domain.com/" target="_blank">http://social-media.cs.domain.com/</a><br>
* Hostname was NOT found in DNS cache<br>
*   Trying 127.0.0.1...<br>
* Connected to localhost (127.0.0.1) port 50201 (#0)<br>
> PUT <a href="http://social-media.cs.domain.com/" target="_blank">http://social-media.cs.domain.com/</a> HTTP/1.1<br>
> User-Agent: curl/7.37.1<br>
> Host: <a href="http://social-media.cs.domain.com" target="_blank">social-media.cs.domain.com</a><br>
> Accept: */*<br>
> Proxy-Connection: Keep-Alive<br>
> Date: Mon, 23 Feb 2015 20:03:15 +0000<br>
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:v48ovqQBnqfEcBZ7kPedpbs1Xt4=<br>
> x-amz-acl: private<br>
><br>
< HTTP/1.1 200 OK<br>
* Server Riak CS is not blacklisted<br>
< Server: Riak CS<br>
< Date: Mon, 23 Feb 2015 20:03:16 GMT<br>
< Content-Type: application/xml<br>
< Content-Length: 0<br>
<<br>
* Connection #0 to host localhost left intact<br>
<br>
<br>
<!--<br>
  SET ACLs ON BUCKET social-media VIA s3curl<br>
<br>
  NOTE<br>
  NOTE If you are using non-standard domains, in the case below, edit the <a href="http://s3curl.pl" target="_blank">s3curl.pl</a> file and modify the @endpoints to contain the correct set of domains<br>
  NOTE<br>
--><br>
$  bin/<a href="http://s3curl.pl" target="_blank">s3curl.pl</a> --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET} --put /tmp/riak-cs-bucket-policy.xml -- -s -v -x localhost:50201 -X PUT <a href="http://social-media.cs.domain.com/?acl" target="_blank">http://social-media.cs.domain.com/?acl</a><br>
<br>
s3curl: Found the url: host=<a href="http://social-media.cs.domain.com" target="_blank">social-media.cs.domain.com</a>; port=; uri=/; query=acl;<br>
s3curl: vanity endpoint signing case<br>
s3curl: StringToSign='PUT\n\n\nMon, 23 Feb 2015 20:03:21 +0000\n/social-media/?acl'<br>
s3curl: signature='QAcPGgB1tZO2+U4M0TvP4Q4uyxQ='<br>
s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:03:21 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ= -L -T /tmp/riak-cs-bucket-policy.xml -s -v -x localhost:50201 -X PUT <a href="http://social-media.cs.domain.com/?acl" target="_blank">http://social-media.cs.domain.com/?acl</a><br>
* Hostname was NOT found in DNS cache<br>
*   Trying 127.0.0.1...<br>
* Connected to localhost (127.0.0.1) port 50201 (#0)<br>
> PUT <a href="http://social-media.cs.domain.com/?acl" target="_blank">http://social-media.cs.domain.com/?acl</a> HTTP/1.1<br>
> User-Agent: curl/7.37.1<br>
> Host: <a href="http://social-media.cs.domain.com" target="_blank">social-media.cs.domain.com</a><br>
> Accept: */*<br>
> Proxy-Connection: Keep-Alive<br>
> Date: Mon, 23 Feb 2015 20:03:21 +0000<br>
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:QAcPGgB1tZO2+U4M0TvP4Q4uyxQ=<br>
> Content-Length: 1003<br>
> Expect: 100-continue<br>
><br>
< HTTP/1.1 100 Continue<br>
* We are completely uploaded and fine<br>
< HTTP/1.1 200 OK<br>
* Server Riak CS is not blacklisted<br>
< Server: Riak CS<br>
< Date: Mon, 23 Feb 2015 20:03:21 GMT<br>
< Content-Type: application/xml<br>
< Content-Length: 0<br>
<<br>
* Connection #0 to host localhost left intact<br>
<br>
<br>
<!--<br>
  VERIFY ACLs USING ADMIN KEY/SECRET<br>
<br>
  As you can see, IDs in the grants are missing, and even the owner now cannot put/get files.<br>
--><br>
bin/<a href="http://s3curl.pl" target="_blank">s3curl.pl</a> --debug --id ${RIAK_ADMIN_KEY} --key ${RIAK_ADMIN_SECRET}  -- -s -v -x localhost:50201 -X GET <a href="http://social-media.cs.domain.com/?acl" target="_blank">http://social-media.cs.domain.com/?acl</a><br>
<br>
<?xml version="1.0" encoding="UTF-8"?><br>
<AccessControlPolicy><br>
    <Owner><br>
        <ID>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</ID><br>
        <DisplayName>riak-cs-admin</DisplayName><br>
    </Owner><br>
    <AccessControlList><br>
        <Grant><br>
            <Grantee<br>
                xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="CanonicalUser"><br>
                <ID></ID><br>
                <DisplayName></DisplayName><br>
            </Grantee><br>
            <Permission>FULL_CONTROL</Permission><br>
        </Grant><br>
        <Grant><br>
            <Grantee<br>
                xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="CanonicalUser"><br>
                <ID></ID><br>
                <DisplayName></DisplayName><br>
            </Grantee><br>
            <Permission>READ</Permission><br>
        </Grant><br>
        <Grant><br>
            <Grantee<br>
                xmlns:xsi="<a href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a>" xsi:type="CanonicalUser"><br>
                <ID></ID><br>
                <DisplayName></DisplayName><br>
            </Grantee><br>
            <Permission>WRITE</Permission><br>
        </Grant><br>
    </AccessControlList><br>
</AccessControlPolicy><br>
<br>
<!--<br>
  DUMP USERS TO VERIFY<br>
--><br>
s3curl: Found the url: host=<a href="http://riak-cs.cs.domain.com" target="_blank">riak-cs.cs.domain.com</a>; port=; uri=/users; query=;<br>
s3curl: vanity endpoint signing case<br>
s3curl: StringToSign='GET\n\n\nMon, 23 Feb 2015 20:30:30 +0000\n/riak-cs/users'<br>
s3curl: signature='mOcYNLzS/3PFkXhU8tnM14HQVoI='<br>
s3curl: exec curl -H Date: Mon, 23 Feb 2015 20:30:30 +0000 -H Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI= -L -s -v -x localhost:50201 -X GET <a href="http://riak-cs.cs.domain.com/users" target="_blank">http://riak-cs.cs.domain.com/users</a><br>
* Hostname was NOT found in DNS cache<br>
*   Trying 127.0.0.1...<br>
* Connected to localhost (127.0.0.1) port 50201 (#0)<br>
> GET <a href="http://riak-cs.cs.domain.com/users" target="_blank">http://riak-cs.cs.domain.com/users</a> HTTP/1.1<br>
> User-Agent: curl/7.37.1<br>
> Host: <a href="http://riak-cs.cs.domain.com" target="_blank">riak-cs.cs.domain.com</a><br>
> Accept: */*<br>
> Proxy-Connection: Keep-Alive<br>
> Date: Mon, 23 Feb 2015 20:30:30 +0000<br>
> Authorization: AWS 1049V_JJHPH7TO_QPWVC:mOcYNLzS/3PFkXhU8tnM14HQVoI=<br>
><br>
< HTTP/1.1 200 OK<br>
< Vary: Accept<br>
< Transfer-Encoding: chunked<br>
* Server Riak CS is not blacklisted<br>
< Server: Riak CS<br>
< Date: Mon, 23 Feb 2015 20:30:30 GMT<br>
< Content-Type: multipart/mixed; boundary=TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O<br>
<<br>
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O<br>
Content-Type: application/xml<br>
<br>
<br>
<?xml version="1.0" encoding="UTF-8"?><br>
<Users><br>
    <User><br>
        <Email><a href="mailto:riak-cs-publisher@domain.com">riak-cs-publisher@domain.com</a></Email><br>
        <DisplayName>riak-cs-publisher</DisplayName><br>
        <Name>publisher</Name><br>
        <KeyId>D-YBO-QHCHU9MEHNZR1D</KeyId><br>
        <KeySecret>nin5LA4WHEuJeTuzN-qCWBXsOvTyUbdPuDQ3eg==</KeySecret><br>
        <Id>5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5</Id><br>
        <Status>enabled</Status><br>
    </User><br>
    <User><br>
        <Email><a href="mailto:riak-cs-reader@domain.com">riak-cs-reader@domain.com</a></Email><br>
        <DisplayName>riak-cs-reader</DisplayName><br>
        <Name>reader</Name><br>
        <KeyId>_QOKYEHYM6S-YDDHGSYF</KeyId><br>
        <KeySecret>sFc1HBhjQzfr70Yda-ke257LHkVCPNAN0chs9A==</KeySecret><br>
        <Id>de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239</Id><br>
        <Status>enabled</Status><br>
    </User><br>
</Users><br>
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O<br>
Content-Type: application/xml<br>
<br>
<br>
<?xml version="1.0" encoding="UTF-8"?><br>
<Users><br>
    <User><br>
        <Email><a href="mailto:riak-cs-admin@domain.com">riak-cs-admin@domain.com</a></Email><br>
        <DisplayName>riak-cs-admin</DisplayName><br>
        <Name>admin</Name><br>
        <KeyId>1049V_JJHPH7TO_QPWVC</KeyId><br>
        <KeySecret>lMQsnn3Cukk1UR28FAtoZiap9KEOjBRgYKiVVg==</KeySecret><br>
        <Id>feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e</Id><br>
        <Status>enabled</Status><br>
    </User><br>
</Users><br>
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O<br>
Content-Type: application/xml<br>
<br>
<br>
<?xml version="1.0" encoding="UTF-8"?><br>
<Users/><br>
* Connection #0 to host localhost left intact<br>
--TCW5KE8FRZPTJ9HK2PL896Q8A5V2F9O--<br>
<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20150223/e9e70db8/attachment-0001.html" target="_blank">http://lists.basho.com/pipermail/riak-users_lists.basho.com/attachments/20150223/e9e70db8/attachment-0001.html</a>><br>
<br><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><font color="#999999">Seema Jethani</font><div><font color="#999999">Director of Product Management, <a href="http://basho.com" target="_blank">Basho</a></font></div><div><font color="#999999">4083455739 | <a href="http://twitter.com/seemaj" target="_blank">@seemaj</a> </font></div></div></div></div></div>
</div></div></div>
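The quoted report shows the pattern a practitioner should guard against: PUT /?acl returns 200 OK, yet the ACL the server reports back has no grantee IDs, so the intended authorization policy was never applied and even the owner is locked out. The following is an added example written for this page, not code from the original thread, from Riak CS or from s3curl. It builds the same AccessControlPolicy body as the post, reproduces the AWS signature v2 StringToSign that s3curl printed with --debug (including the ?acl sub-resource and the x-amz-acl header), and then checks the GET /?acl response against the intended grants rather than trusting the status code. The user IDs, admin key ID and the Basho XML namespace are taken from the quoted message; the "broken" response is the one the post shows, and the "correct" response it compares against is constructed here as what a server that honoured the PUT would return.

```python
"""Added example, not code from the original post or from Riak CS: sign the
bucket-ACL requests the way s3curl does (AWS signature v2) and, instead of
trusting the 200 OK on PUT /?acl, round-trip GET /?acl and diff what the
server reports against the grants that were intended."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespace used in the post's input ACL body (S3 proper uses
# http://s3.amazonaws.com/doc/2006-03-01/).
ACL_NS = "http://data.basho.com/doc/2012-04-05/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Canonical user IDs and admin key ID from the post's private test environment.
ADMIN_KEY = "1049V_JJHPH7TO_QPWVC"
ADMIN_ID = "feab26c2fec623a34e7d60e620b42a7786eca3223b5e2faebc5d248a34f3239e"
PUBLISHER_ID = "5efc8fb59754a6d11eb1a36c501a8ef7b1be44b0300fbe3df354423b7a115ac5"
READER_ID = "de6831d6da88df325d474f7f6c1f708596998c54fc0817685f8c67f1d8cab239"
INTENDED = {(ADMIN_ID, "FULL_CONTROL"), (PUBLISHER_ID, "WRITE"), (READER_ID, "READ")}


def build_acl_xml(owner_id, grants):
    """Serialize the AccessControlPolicy body for PUT /?acl (CanonicalUser grantees only)."""
    grant_xml = "".join(
        f'<Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="CanonicalUser">'
        f"<ID>{gid}</ID></Grantee><Permission>{perm}</Permission></Grant>"
        for gid, perm in sorted(grants)
    )
    return (f'<AccessControlPolicy xmlns="{ACL_NS}"><Owner><ID>{owner_id}</ID></Owner>'
            f"<AccessControlList>{grant_xml}</AccessControlList></AccessControlPolicy>")


def string_to_sign(method, date, resource, amz_headers=None, content_md5="", content_type=""):
    """AWS signature v2 StringToSign, as s3curl prints it with --debug. `resource`
    keeps the ?acl sub-resource; content_type must match what curl actually sends."""
    canon = "".join(f"{k.lower()}:{v}\n" for k, v in sorted((amz_headers or {}).items()))
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{canon}{resource}"


def sign_v2(secret, sts):
    """Base64(HMAC-SHA1(secret, StringToSign)); used in 'Authorization: AWS key:sig'."""
    return base64.b64encode(hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()).decode()


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any {namespace} prefix ElementTree adds


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()  # <ID></ID> parses as None -> ""
    return ""


def parse_acl(acl_xml):
    """Return (owner_id, [(grantee_id, permission), ...]) from a GET /?acl body.
    Matching on local names lets both namespaced and bare bodies parse."""
    root = ET.fromstring(acl_xml)
    owner_id, grants = "", []
    for el in root.iter():
        if _local(el.tag) == "Owner":
            owner_id = _child_text(el, "ID")
        elif _local(el.tag) == "Grant":
            grantee = next((c for c in el if _local(c.tag) == "Grantee"), None)
            gid = _child_text(grantee, "ID") if grantee is not None else ""
            grants.append((gid, _child_text(el, "Permission")))
    return owner_id, grants


def verify_acl(acl_xml, owner_id, intended):
    """Diff the reported ACL against the intended grants. Empty dict == applied as intended."""
    got_owner, grants = parse_acl(acl_xml)
    problems = {}
    if got_owner != owner_id:
        problems["owner"] = got_owner
    empty = [perm for gid, perm in grants if not gid]
    if empty:  # a grant with no grantee grants nothing to anyone
        problems["empty_grantee"] = empty
    present = {(gid, perm) for gid, perm in grants if gid}
    if intended - present:
        problems["missing"] = sorted(intended - present)
    if present - intended:
        problems["unexpected"] = sorted(present - intended)
    return problems


# GET /?acl body as reported in the post after the custom ACL was PUT (grantee IDs empty).
REPORTED_BROKEN = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy><Owner><ID>%s</ID><DisplayName>riak-cs-admin</DisplayName></Owner>
<AccessControlList>
<Grant><Grantee xmlns:xsi="%s" xsi:type="CanonicalUser"><ID></ID><DisplayName></DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant>
<Grant><Grantee xmlns:xsi="%s" xsi:type="CanonicalUser"><ID></ID><DisplayName></DisplayName></Grantee><Permission>READ</Permission></Grant>
<Grant><Grantee xmlns:xsi="%s" xsi:type="CanonicalUser"><ID></ID><DisplayName></DisplayName></Grantee><Permission>WRITE</Permission></Grant>
</AccessControlList></AccessControlPolicy>""" % (ADMIN_ID, XSI_NS, XSI_NS, XSI_NS)


if __name__ == "__main__":
    # Same request as the post's PUT /?acl; the secret here is a placeholder (assumption).
    sts = string_to_sign("PUT", "Mon, 23 Feb 2015 20:03:21 +0000", "/social-media/?acl")
    print("Authorization: AWS %s:%s" % (ADMIN_KEY, sign_v2("ADMIN_SECRET_GOES_HERE", sts)))
    print(verify_acl(REPORTED_BROKEN, ADMIN_ID, INTENDED))   # non-empty: do not trust the 200
    print(verify_acl(build_acl_xml(ADMIN_ID, INTENDED), ADMIN_ID, INTENDED))  # {} on a good server
```

Run verify_acl immediately after every PUT /?acl and treat a non-empty result as a failed deployment step: in the post's case it would have flagged three grants with empty grantees and all three intended grants missing before anyone relied on the bucket. Keep the owner's credentials and a known-good ACL body at hand so the bucket can be re-set if the owner grant itself is lost, which is what happened here.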