Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Customize upload ACL when uploading in object storage #4850

Closed
dougluce opened this issue Mar 11, 2022 · 9 comments · Fixed by #4861
Closed

Customize upload ACL when uploading in object storage #4850

dougluce opened this issue Mar 11, 2022 · 9 comments · Fixed by #4861
Labels
Component: Object storage Type: Feature Request ✨

Comments

@dougluce
Copy link
Contributor

I'm using S3 object storage with a bucket that is not publicly readable. Instead, it feeds a CloudFront distribution. This works smashingly well and I'm very grateful that the ability to store videos to S3 was added to the code base.

After upgrading to 4.1.0, attempts to upload to the bucket result in an error:

2022-03-11 09:55:59.076 error: Cannot move video https://candidates-viz.ligo.org/videos/watch/9b938c28-9fe1-4726-8a0b-d84785d40cb3 to object storage. {
  "err": {
    "stack": "AccessDenied: Access Denied\n    at deserializeAws_restXmlPutObjectCommandError (/var/www/peertube/versions/peertube-v4.1.0/node_modules/@aws-sdk/client-s3/dist-cjs/protocols/Aws_restXml.js:8266:41)\n    at processTicksAndRejections (node:internal/process/task_queues:96:5)\n    at async /var/www/peertube/versions/peertube-v4.1.0/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24\n    at async /var/www/peertube/versions/peertube-v4.1.0/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:11:20\n    at async StandardRetryStrategy.retry (/var/www/peertube/versions/peertube-v4.1.0/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)\n    at async /var/www/peertube/versions/peertube-v4.1.0/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22",
    "message": "Access Denied",
    "Code": "AccessDenied",
    ...

This is due to ACL being set to public-read in the PutObjectCommand in server/lib/object-storage/shared/object-storage-helpers.ts. If I remove that option in code the upload works just fine.

What was the motivation for adding that to the S3 call? Would an addition to the config of an explicit ACL be the best way to mitigate this issue?
@aldy120 aldy120 mentioned this issue Mar 12, 2022
Closed
@aldy120
Copy link

aldy120 commented Mar 12, 2022

I got errors AccessDenied or AccessControlListNotSupported and finally I solve it with S3 configuration.

Uploading with ACL: 'public-read' caused unexpected 403 error if the S3 bucket is created with default settings in AWS console.

To mitigate this issue in Amazon S3 side without modifying peertube source code, here are the steps we can do in S3 permission tab:

  • Disable Block Public Access
  • Enable ACLs

@gsugambit
Copy link

I'm having this same issue with Google Cloud Storage

@gsugambit gsugambit mentioned this issue Mar 14, 2022
Closed
@dougluce
Copy link
Contributor Author

@aldy120 That is not an appropriate solution as uploaded objects are then publicly readable from the S3 bucket.

@dougluce
Copy link
Contributor Author

@gsugambit I believe the problem you've described in #4855 is not the same as this one.

@gsugambit
Copy link

@dougluce i had to make all objects in my storage public because of the ACL defined public-read in the source code. It's same exact issue. There are just other things that came up after making the bucket public

@Chocobozzz
Copy link
Owner

Hello,

See the discussion: #4290 (comment)

I'm not sure to understand this issue: video files uploaded in the bucket should be publicly readable by anyone so why should we remove this ACL?

@Chocobozzz Chocobozzz added the Status: Waiting for answer Waiting issue author answer label Mar 14, 2022
@gsugambit
Copy link

@Chocobozzz If the bucket is public, even the files marked private in Peertube can be browsed if address is known.

@dougluce
Copy link
Contributor Author

@Chocobozzz I'm using CloudFront for the actual video distribution and an AWS S3 bucket as the store for CloudFront. The bucket doesn't need to be public for CloudFront to access it. While it's not a given that public access is transitive in this scenario, even in cases where it is open S3 access can show up as a red flag on over-enthusiastic AWS audits (whereas CloudFront is commonly assumed to be public).

From that linked discussion it appears that the public ACL was added as a convenience for people who have the alternative to properly configure their bucket. Unfortunately it leaves no alternative for some of us who have properly configured our buckets.

How does dougluce@3301e0c look?

@Chocobozzz
Copy link
Owner

If the bucket is public, even the files marked private in Peertube can be browsed if address is known.

See #4417

I'm using CloudFront for the actual video distribution and an AWS S3 bucket as the store for CloudFront.

Thanks for the explanations, I understand now.

How does dougluce@3301e0c look?

It seems good, you can do a PR!

@Chocobozzz Chocobozzz changed the title Access Denied when uploading to S3 bucket Customize upload ACL when uploading in object storage Mar 15, 2022
@dougluce dougluce mentioned this issue Mar 15, 2022
Merged
Chocobozzz pushed a commit that referenced this issue Mar 16, 2022
@dougluce @Chocobozzz
Make object storage ACL configurable
f9915ef 
Override this value to allow uploads to non-public S3
buckets. Otherwise "AccessDenied: Access Denied" errors will end up in
the log.

Fixes #4850
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Component: Object storage Type: Feature Request ✨
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Make object storage ACL configurable
4 participants
@dougluce @Chocobozzz @aldy120 @gsugambit