s3tests.functional.test_s3:test_bucket_acl_no_grants

[voa808]

AWS: I find that when we create a bucket in AWS, revoke the ACL, the owner of the bucket is still able to create objects in that bucket.
Ceph test: In this test- test_bucket_acl_no_grants, when the acls are revoked, when object creation is attempted it is expecting 'denied'

https://github.com/ceph/s3-tests/blob/master/s3tests/functional/test_s3.py

can't write

key = bucket.new_key('baz')
check_access_denied(key.set_contents_from_string, 'bar')

Could some one please suggest as I feel this is contradictory to AWS behaviour. Thanks.

[kevin-wyx]

I encountered the same problem you described. After revoking bucket ACL, bucket owner still has permission to write.

[root@test ~]# /root/s3curl/s3curl.pl --id sig   --   http://testbucket.s3-ap-southeast-1.amazonaws.com/?acl -X GET
<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>id</ID><DisplayName>name</DisplayName></Owner><AccessControlList/></AccessControlPolicy>

[root@test ~]# /root/s3curl/s3curl.pl --id sig --debug   --   http://testbucket.s3-ap-southeast-1.amazonaws.com/bar -X PUT -T foo
s3curl: Found the url: host=testbucket.s3-ap-southeast-1.amazonaws.com; port=; uri=/bar; query=;
s3curl: vanity endpoint signing case
s3curl: StringToSign='PUT\n\n\nThu, 12 Apr 2018 03:34:10 +0000\n/testbucket/bar'
s3curl: exec curl -v -H 'Date: Thu, 12 Apr 2018 03:34:10 +0000' -H 'Authorization: AWS xxx' -L -H 'content-type: ' http://testbucket.s3-ap-southeast-1.amazonaws.com/bar -X PUT -T foo
* About to connect() to testbucket.s3-ap-southeast-1.amazonaws.com port 80 (#0)
*   Trying 52.219.36.19...
* Connected to testbucket.s3-ap-southeast-1.amazonaws.com (52.219.36.19) port 80 (#0)
> PUT /bar HTTP/1.1
> User-Agent: curl/7.29.0
> Host: testbucket.s3-ap-southeast-1.amazonaws.com
> Accept: */*
> Date: Thu, 12 Apr 2018 03:34:10 +0000
> Authorization: AWS xxx
> Content-Length: 4
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK
< x-amz-id-2: xxx
< x-amz-request-id: xxx
< Date: Thu, 12 Apr 2018 03:33:12 GMT
< ETag: "xxx"
< Content-Length: 0
< Server: AmazonS3
<
* Connection #0 to host testbucket.s3-ap-southeast-1.amazonaws.com left intact

I guess that some cases in s3-tests are not following S3 API.