s3curl PUT ACL AccessDenied error #1345

Open
JMLX42 opened this issue Nov 27, 2017 · 6 comments

@JMLX42

JMLX42 commented Nov 27, 2017

Hi,

Here is what I get when I fetch the ACL:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
  <Owner>
    <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
    <DisplayName>admin</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
        <DisplayName>admin</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>4efbf4ac1c9fdf6a143e1e189f82ef95bb374f9dff57805d98804f016962a246</ID>
        <DisplayName>view3dmodel</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>def0727c272dee6ac831b4a2cdb0e55255a41154daf07866c6acb8f4d0b422a1</ID>
        <DisplayName>cto</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

As a test, I'm trying to set the exact same ACL on the same object.

read -d '' ACL << EOF
<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
  <Owner>
    <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
    <DisplayName>admin</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
        <DisplayName>admin</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>4efbf4ac1c9fdf6a143e1e189f82ef95bb374f9dff57805d98804f016962a246</ID>
        <DisplayName>view3dmodel</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>def0727c272dee6ac831b4a2cdb0e55255a41154daf07866c6acb8f4d0b422a1</ID>
        <DisplayName>cto</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
EOF

echo "$ACL" | ./s3curl.pl --id=admin -- -s -v -x localhost:8010 -H "Content-Type:application/xml" -X PUT -d @- http://s3.amazonaws.com/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene

Here is what I get:

* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8010 (#0)
> PUT http://s3.amazonaws.com/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene?acl HTTP/1.1
> User-Agent: curl/7.35.0
> Host: s3.amazonaws.com
> Accept: */*
> Proxy-Connection: Keep-Alive
> Date: Mon, 27 Nov 2017 10:18:35 GMT
> Authorization: AWS 8UO4SWEIWT4TYULJAEO5:QCJ2WtreVWPUy7qczq4GlpNduT0=
> Content-Type:application/xml
> Content-Length: 1151
> Expect: 100-continue
> 
< HTTP/1.1 403 Forbidden
* Server Riak CS is not blacklisted
< Server: Riak CS
< Date: Mon, 27 Nov 2017 10:18:35 GMT
< Content-Type: application/xml
< Content-Length: 212
* HTTP error before end of send, stop sending
< 
{ [data not shown]
* Closing connection 0
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <Resource>/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene</Resource>
  <RequestId/>
</Error>

Why AccessDenied when admin has FULL_CONTROL ?

@JMLX42
Author

JMLX42 commented Nov 27, 2017

Forgot to mention admin also has FULL_CONTROL on the bucket:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy>
  <Owner>
    <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
    <DisplayName>admin</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>e84fe2aad407ee45651e648603b1c4ab2d97aae7d712a26099475518662a4634</ID>
        <DisplayName>admin</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>4efbf4ac1c9fdf6a143e1e189f82ef95bb374f9dff57805d98804f016962a246</ID>
        <DisplayName>view3dmodel</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

@JMLX42
Author

JMLX42 commented Nov 27, 2017

Here are the logs:

127.0.0.1 - - [27/Nov/2017:11:18:35 +0100] "PUT /buckets/4efbf4ac1c9fdf6a/objects/J34%2FJ34Lot%2FJ34Lot2xx%2FJ34Lot227.vue.scene/acl HTTP/1.1" 403 212 "" "curl/7.35.0"

@ksauzz
Contributor

ksauzz commented Nov 27, 2017

Hi,

How about using s3curl.pl --put <filename> --contentType application/xml ? A complete command could be:

./s3curl.pl --id=admin --put <your xml file path> --contentType application/xml -- -s -v -x localhost:8010 http://s3.amazonaws.com/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene

IIRC, s3curl.pl requires you to use the --put|--delete|--post and --contentType options explicitly so that it calculates a correct AWS Authentication Version 2 signature when using HTTP methods other than GET.

Command samples are here.
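
The signature mismatch described in the comment above, as an added example that is not part of the original thread or of s3curl.pl: it builds the AWS Signature Version 2 string-to-sign for the request shown in the issue and compares a signature computed over the real method and Content-Type with one computed over defaults. The secret key is constructed, and the assumption that an uninformed signer falls back to `GET` with an empty Content-Type is labelled in the code.

```python
import base64
import hashlib
import hmac

# Constructed secret for illustration; not a real credential.
SECRET_KEY = b"EXAMPLE-SECRET-KEY-NOT-REAL"

# Values taken from the request shown in the issue.
DATE = "Mon, 27 Nov 2017 10:18:35 GMT"
RESOURCE = "/4efbf4ac1c9fdf6a/J34/J34Lot/J34Lot2xx/J34Lot227.vue.scene?acl"


def string_to_sign(method, content_type, date, resource,
                   content_md5="", amz_headers=""):
    """AWS Signature Version 2 StringToSign for a REST request."""
    head = "\n".join([method, content_md5, content_type, date])
    return head + "\n" + amz_headers + resource


def sign(secret, sts):
    """Base64(HMAC-SHA1(secret, StringToSign)): the part after 'AWS <key id>:'."""
    digest = hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def server_accepts(secret, client_sig, method, content_type, date, resource):
    """Server side: recompute from the request as received, compare in constant time."""
    expected = sign(secret, string_to_sign(method, content_type, date, resource))
    return hmac.compare_digest(expected, client_sig)


def demo():
    # Assumption: the signer was not told about PUT or the Content-Type header
    # (both were passed as plain curl options), so it signed GET with no type.
    sig_as_get = sign(SECRET_KEY, string_to_sign("GET", "", DATE, RESOURCE))
    # Signer informed of the method and Content-Type actually sent.
    sig_as_put = sign(SECRET_KEY,
                      string_to_sign("PUT", "application/xml", DATE, RESOURCE))
    # On the wire the server sees PUT + application/xml in both cases.
    wire = ("PUT", "application/xml", DATE, RESOURCE)
    return {
        "signed_as_get": server_accepts(SECRET_KEY, sig_as_get, *wire),
        "signed_as_put": server_accepts(SECRET_KEY, sig_as_put, *wire),
    }


if __name__ == "__main__":
    print(demo())
```

The method and Content-Type are both fields of the string-to-sign, so a change in either one on the wire invalidates a signature computed without it, regardless of what the ACL grants.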

@JMLX42
Author

JMLX42 commented Nov 27, 2017

About --contentType:

$ curl --contentType
curl: option --contentType: is unknown

> How about using s3curl.pl --put --contentType application/xml ? A complete command could be:

So you mean put my ACL in a temporary file instead of a shell variable passed via stdin ?

@ksauzz
Contributor

ksauzz commented Nov 27, 2017

> So you mean put my ACL in a temporary file instead of a shell variable passed via stdin ?

Yes, I mean so. Perhaps, you could use --put - to read contents from stdio such as echo $ACL | ./s3curl.pl --put - --contentType application/xml -- <curl options> since s3curl.pl passes filename as a param of -T option of curl...

@JMLX42
Author

JMLX42 commented Nov 27, 2017

> --contentType application/xml

Again, using --contentType throws the following error:

curl: option --contentType: is unknown
