On Tue, Sep 3, 2013 at 2:30 PM, Derek Yarnell <derek@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> So say a usera has full control (and is the owner) of a bucket in S3 and
> gives userb 'FULL_CONTROL' on the bucket. Userb writes a file and it
> seems that by default the ACL for that key is going to be 'FULL_CONTROL'
> for userb. When usera iterates over the key, even just over the ACL for the
> key, they get a 403.
>
> I would think that 'FULL_CONTROL' at the bucket level gives the user at
> least the ability to see the ACL. They can list the key itself and the
> size and last modified.
>
> Is this by design? Is there any chance that the default behavior could
> be changed so that by default (without specifying a canned ACL)
> the bucket ACL would be applied for a key?
>
> We are looking to provide some secure S3 collaboration space. Groups in
> the ACLs would be like pie in the sky, but right now just being able to
> get sticky ACLs from the bucket would be huge.
>

The Swift ACLs provide that, but there's no way to set it through the
S3 API. Basically, if you set the bucket permissions through the Swift
API it'll be 'sticky' and apply also on the objects.

Yehuda
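A simplified model of the behaviour described in this thread, added here as an illustration; it is not radosgw code and was not posted by either participant. It shows why the bucket owner can list a key but gets a 403 on its ACL, and how a "sticky" bucket ACL changes the outcome. The class, its method names and the key `report.txt` are assumptions made for the example.

```python
# Simplified model of the ACL checks discussed in this thread.
# Not radosgw code; names and structure are assumptions for illustration.

# S3 FULL_CONTROL expands to these permissions on the resource it is granted on.
FULL_CONTROL = {"READ", "WRITE", "READ_ACP", "WRITE_ACP"}


class Bucket:
    def __init__(self, owner, sticky=False):
        self.owner = owner
        self.sticky = sticky          # True models ACLs set through the Swift API
        self.acl = {owner: set(FULL_CONTROL)}
        self.objects = {}             # key -> per-object ACL (user -> permissions)

    def grant(self, user, perms):
        self.acl.setdefault(user, set()).update(perms)

    def put(self, user, key):
        if "WRITE" not in self.acl.get(user, set()):
            return 403
        # Default described in the thread: only the uploader gets a grant.
        self.objects[key] = {user: set(FULL_CONTROL)}
        return 200

    def list_keys(self, user):
        # Listing is authorised by READ on the bucket, not by object ACLs.
        if "READ" not in self.acl.get(user, set()):
            return 403, []
        return 200, sorted(self.objects)

    def get_object_acl(self, user, key):
        perms = set(self.objects[key].get(user, set()))
        if self.sticky:
            # Sticky: bucket-level grants are also applied to the object.
            perms |= self.acl.get(user, set())
        return 200 if "READ_ACP" in perms else 403


def scenario(sticky):
    """usera owns the bucket, userb uploads; return what usera then sees."""
    b = Bucket("usera", sticky=sticky)
    b.grant("userb", FULL_CONTROL)
    b.put("userb", "report.txt")
    list_status, keys = b.list_keys("usera")
    return list_status, keys, b.get_object_acl("usera", "report.txt")
```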