Bug #49135
openPublicAccessBlockConfiguration prevents upload of objects with private ACL
Description
A customer of ours created a bucket on our RGW and had it configured by OpenShift. Part of this setup is the following PublicAccessBlockConfiguration:
$ aws s3api --bucket=foo get-public-access-block
{
    "PublicAccessBlockConfiguration": {
        "BlockPublicAcls": true,
        "IgnorePublicAcls": true,
        "BlockPublicPolicy": true,
        "RestrictPublicBuckets": true
    }
}
The full set of configuration steps applied by OpenShift can be found here:
https://github.com/openshift/cluster-image-registry-operator/blob/dec4ffeb7d84f6d7ec3fd222b82b8747d112528e/pkg/storage/s3/s3.go#L423-L447
With this configuration, it should not be possible to put objects whose ACL is private. That works.
However, putting objects with a private ACL should still work, but it does not:
$ aws s3api put-object --bucket=foo --key=bar --body=baz --acl=private
An error occurred (AccessDenied) when calling the PutObject operation: Unknown
If I set BlockPublicAcls to False, everything works as expected.
I checked this against an AWS bucket and there, the same public access block configuration works. I checked for other differences, but haven't found anything significant, though my understanding of this option is somewhat limited. Maybe there is a configuration that plays into this that I don't see.
From the looks of it though, it is as if the "private" ACL is not recognised as private.
If there's anything you'd like me to check, please let me know. I'm also happy to provide you with any kind of debug log that you need. This issue is easily reproducible for us.
Updated by Denis Krienbühl over 5 years ago
Denis Krienbühl wrote:
With this configuration, it should not be possible to put objects whose ACL is private. That works.
This should read
With this configuration, it should not be possible to put objects whose ACL is public. That works.
Updated by Casey Bodley over 5 years ago
- Status changed from New to Triaged
- Backport set to pacific octopus
Updated by Denis Krienbühl about 3 years ago
I just verified that this still happens on Pacific, and can be tested easily as follows:
$ aws s3api --bucket=test put-public-access-block --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
$ echo foo > bar
$ aws s3api --bucket=test put-object --key=foo --body=bar --acl=private
An error occurred (AccessDenied) when calling the PutObject operation: Unknown
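To make the expected behaviour in the description and in the Pacific reproducer above concrete, here is an added example (not RGW, AWS or OpenShift code) that encodes the documented S3 rule a BlockPublicAcls check has to apply: an ACL is "public" only if it grants something to the AllUsers or AuthenticatedUsers group, so the canned ACL `private` (owner FULL_CONTROL only) must be accepted while `public-read` and friends must be refused. The canned-ACL expansion table, the `OPENSHIFT_BLOCK` name and the `put_object_allowed`/`effective_grants` helpers are this example's own constructions; `"owner"` and `"bucket-owner"` stand in for canonical-user grantees.

```python
# Added example: a model of the S3 BlockPublicAcls / IgnorePublicAcls decision,
# written to show which canned ACLs a correct implementation must reject.
# This is not RGW code and not the AWS implementation; it follows the documented
# AWS definition of a "public" ACL (any grant to AllUsers or AuthenticatedUsers).

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}

# Canned ACLs expanded to (grantee, permission) pairs, as S3 documents them.
# "owner" and "bucket-owner" are placeholders for canonical-user grantees.
CANNED_ACLS = {
    "private": [("owner", "FULL_CONTROL")],
    "public-read": [("owner", "FULL_CONTROL"), (ALL_USERS, "READ")],
    "public-read-write": [("owner", "FULL_CONTROL"), (ALL_USERS, "READ"),
                          (ALL_USERS, "WRITE")],
    "authenticated-read": [("owner", "FULL_CONTROL"), (AUTHENTICATED_USERS, "READ")],
    "bucket-owner-read": [("owner", "FULL_CONTROL"), ("bucket-owner", "READ")],
    "bucket-owner-full-control": [("owner", "FULL_CONTROL"),
                                  ("bucket-owner", "FULL_CONTROL")],
    "log-delivery-write": [("owner", "FULL_CONTROL"), (LOG_DELIVERY, "WRITE"),
                           (LOG_DELIVERY, "READ_ACP")],
}

# The configuration OpenShift applies in the report (constructed name).
OPENSHIFT_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def expand_acl(acl):
    """Accept a canned ACL name or an explicit list of (grantee, permission)."""
    if isinstance(acl, str):
        if acl not in CANNED_ACLS:
            raise ValueError(f"unknown canned ACL: {acl}")
        return list(CANNED_ACLS[acl])
    return list(acl)


def is_public_acl(acl):
    """An ACL is public iff it grants any permission to AllUsers or AuthenticatedUsers.
    The LogDelivery group and canonical users never make an ACL public."""
    return any(grantee in PUBLIC_GROUPS for grantee, _perm in expand_acl(acl))


def put_object_allowed(block_config, acl):
    """BlockPublicAcls: refuse a PutObject whose ACL is public; pass everything else.
    Only the ACL-related settings are modelled; policy settings are out of scope."""
    if block_config.get("BlockPublicAcls", False) and is_public_acl(acl):
        return False
    return True


def effective_grants(block_config, acl):
    """IgnorePublicAcls: public grants stay stored but are dropped when access is
    evaluated, so a private ACL is unchanged and a public-read ACL behaves as private."""
    grants = expand_acl(acl)
    if block_config.get("IgnorePublicAcls", False):
        grants = [g for g in grants if g[0] not in PUBLIC_GROUPS]
    return grants


if __name__ == "__main__":
    # Walk every canned ACL through the reporter's configuration.
    for name in CANNED_ACLS:
        verdict = "allowed" if put_object_allowed(OPENSHIFT_BLOCK, name) else "AccessDenied"
        print(f"put-object --acl={name}: {verdict}")
```

Run against the configuration from the report, the model allows `private`, `bucket-owner-read`, `bucket-owner-full-control` and `log-delivery-write`, and refuses `public-read`, `public-read-write` and `authenticated-read`; any gateway that returns AccessDenied for `--acl=private` under this configuration is classifying the private ACL as public.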
Updated by Konstantin Shalygin over 2 years ago
- Source set to Community (user)
- Backport deleted (pacific octopus)
Updated by Casey Bodley 10 months ago
- Status changed from Triaged to Fix Under Review
- Pull request ID set to 64290
Updated by Casey Bodley 10 months ago
- Status changed from Fix Under Review to Pending Backport
Updated by Upkeep Bot 10 months ago
- Copied to Backport #72079: tentacle: PublicAccessBlockConfiguration prevents upload of objects with private ACL added
Updated by Upkeep Bot 10 months ago
- Copied to Backport #72080: squid: PublicAccessBlockConfiguration prevents upload of objects with private ACL added
Updated by Upkeep Bot 10 months ago
- Merge Commit set to 6db03692f6545e4d33cb249c9191e9afd77e1932
- Fixed In set to v20.3.0-1520-g6db03692f65
- Upkeep Timestamp set to 2025-07-10T15:40:56+00:00
Updated by Upkeep Bot 10 months ago
- Fixed In changed from v20.3.0-1520-g6db03692f65 to v20.3.0-1520-g6db03692f6
- Upkeep Timestamp changed from 2025-07-10T15:40:56+00:00 to 2025-07-14T20:11:24+00:00