How to allow access to Ceph/S3 objects between multiple users?

We have a Ceph filesystem we’re accessing via the Ceph/S3 interface. We have a bucket-owner user user-00 and multiple individual user accounts user-01, user-02, etc.

When user-02 uploads a file we’re seeing the following from get-object-acl:

{
    "Owner": {
        "DisplayName": "User 02",
        "ID": "user-02"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "User 02",
                "ID": "user-02",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

When user-01 attempts to copy that file they’re getting the error:

An error occurred (AccessDenied) when calling the UploadPartCopy operation: Unknown

Our bucket policy aims to be full access for all authenticated users:

{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAllForAuthenticatedUsers",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": "*",
                "Resource": [
                    "arn:aws:s3:::mybucket",
                    "arn:aws:s3:::mybucket/*"
                ]
            }
        ]
    }
}

user-02 originally uploaded the file via normal means using the aws CLI; no per-object ACL was set. We need a solution that ensures that when an object is uploaded by one user, other users have the ability to access it (hopefully without a service that edits per-object ACLs as they go up).
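To reason about what the two artefacts in the question actually grant, the following script (an added example, not code from the poster or from Ceph) embeds the posted object ACL and bucket policy and evaluates them against a request the way a simplified IAM-style engine would: an explicit Deny wins, otherwise any matching Allow statement or a matching ACL grant permits the request, otherwise the request is implicitly denied. The principal ARN, the object key `upload.bin` and the `s3:GetObject` action used for the source side of a copy are constructed for the example; the model deliberately ignores conditions, IAM user policies and any Ceph-specific behaviour, so it is a reading aid for the policy text, not a statement of what RGW decides.

```python
import fnmatch
import json

# Constructed input: the object ACL from the question, as returned for user-02's upload.
OBJECT_ACL = json.loads("""
{
    "Owner": {"DisplayName": "User 02", "ID": "user-02"},
    "Grants": [
        {"Grantee": {"DisplayName": "User 02", "ID": "user-02", "Type": "CanonicalUser"},
         "Permission": "FULL_CONTROL"}
    ]
}
""")

# Constructed input: the bucket policy from the question (whitespace normalised).
BUCKET_POLICY = json.loads("""
{
    "Policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAllForAuthenticatedUsers",
                "Effect": "Allow",
                "Principal": {"AWS": "*"},
                "Action": "*",
                "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
            }
        ]
    }
}
""")

# ACL permissions that allow reading the object body.
ACL_READ_PERMS = {"READ", "FULL_CONTROL"}


def acl_grants(acl, user_id):
    """Return the set of permissions the object ACL grants to a canonical user ID."""
    perms = set()
    for grant in acl["Grants"]:
        grantee = grant["Grantee"]
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == user_id:
            perms.add(grant["Permission"])
    return perms


def _matches(pattern, value):
    """Wildcard match of a policy element (string or list) against a value."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_decision(policy, principal, action, resource):
    """Simplified evaluation: 'Deny' if any Deny statement matches, else 'Allow'
    if any Allow statement matches, else 'ImplicitDeny'."""
    doc = policy.get("Policy", policy)
    decision = "ImplicitDeny"
    for stmt in doc["Statement"]:
        principals = stmt["Principal"]
        principal_ok = principals == "*" or _matches(principals.get("AWS", []), principal)
        if not principal_ok:
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_read_object(user_id, principal_arn, resource, acl=OBJECT_ACL, policy=BUCKET_POLICY):
    """Combine bucket policy and object ACL for a read (s3:GetObject) of one object."""
    verdict = policy_decision(policy, principal_arn, "s3:GetObject", resource)
    if verdict == "Deny":
        return False
    if verdict == "Allow":
        return True
    return bool(acl_grants(acl, user_id) & ACL_READ_PERMS)


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket/upload.bin"  # constructed object ARN
    for user in ("user-00", "user-01", "user-02"):
        arn = f"arn:aws:iam:::user/{user}"  # constructed principal ARN
        print(user, "acl:", sorted(acl_grants(OBJECT_ACL, user)),
              "policy:", policy_decision(BUCKET_POLICY, arn, "s3:GetObject", obj),
              "read:", can_read_object(user, arn, obj))
```

Running it shows that the object ACL alone gives only user-02 any permission, while the posted bucket policy, read literally, allows every principal every action on the bucket and its objects. If the live result differs from that table, the discrepancy is between the policy as written and the policy the gateway is actually applying, which is the thing to check next (for example, that `get-bucket-policy` returns this document for `mybucket`).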
