Error: "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled." #537
Comments
@jywarren so this looks like something on server-side, at least to me, from the docs:
Can you post the output of:
|
Hi!
We can't change the Uniform Bucket Level access unless we clone the bucket, but that's our plan B. |
@icarito then in this case the problem is indeed because of the Uniform Bucket Level access. You should still be able to manage ACLs for files in the bucket, but paperclip needs to use the new ACL model, not a legacy one. In theory the support for Can you try deleting the XML credentials from the config (thus forcing the JSON driver) and let me know how it goes?
|
We tried deleting those creds but still got this, unfortunately:
Is there any way to turn off fog's setting of ACL, and just push the file up respecting whatever the bucket setting is? |
i.e. |
Sorry, busy week. @icco can you take a look into it? IIRC you know the storage part of things a bit better than me. |
Hmm, we currently don't have that functionality... but lemme see how hard it would be. |
This issue has been marked inactive and will be closed if no further activity occurs. |
@icco any luck? |
@Temikus Hello, I have the same problems when using CarrierWave. Do you have any good ideas to resolve this? |
@guppy0356 I had the same issue.
My solution is ...
Thanks. |
In SAP we are using fog-google CF Cloud Controller Blobstore to access Google storage buckets. The missing uniformBucketLevelAccess support in fog-google has been known for some time but has never been a blocker for us. With the Sovereign Cloud Restrictions, uniformBucketLevelAccess becomes a hot topic for everyone who would like to use the offering. Therefore, could you please update the status of uniformBucketLevelAccess support? Appreciate your support. |
As @div-co has brought to our attention, with the Restrictions and limitations in EU Regions Sovereignty Controls, fog-google's missing uniformBucketLevelAccess support is a blocker for those who would like to use the Sovereign cloud offering. Hence we would really appreciate your support, if you can provide an update here. Thanks in advance. |
@div-co @harinigunabalan is there a chance you folks can provide a PR for this or collaborate? Happy to review and help. I'm asking since both myself and @icco are pretty short on time right now and don't have an active CarrierWave/PaperClip app we maintain, which I assume you do. |
Thanks @cwjenkins - merged and released 🙌 Do we need to wait for paperclip fork to change as well or is this enough to work around things? 🤔 |
Thanks @cwjenkins, @Temikus! |
@Temikus this is enough to work around things. If one uses paperclip, setting Currently one can set |
Hi @cwjenkins, @Temikus -
Example meta of an ACL bucket that works with
Detection activity: migration of CloudFoundry blobstore from ACL to IAM (UBLA). I must note that support-both-accesses effect nicely serves the zero-downtime migration of CF blobstore ACL <-> UBLA, hence the concern on the stability( |
Hey @nikolaydrm, did you read kreeti/kt-paperclip#121 referenced in the above comment? Not sure I'm following the 'detection activity' comment. Could you elaborate? |
Hi @cwjenkins -
Yes, however I don't use kreeti/kt-paperclip (no experience configuring, deploying and using it, sorry!) but fog-google for https://github.tools.sap/cloudfoundry/cloud_controller_ng#blobstore. PR #600 nicely supports the case of CF consuming Uniform buckets when uniform support is enabled at fog-google:
I was surprised that enabling the access to uniform buckets ( uniform: true in fog-google config) would accept ACL buckets as well. Hence the questions: "is it the expected behavior?" and "are there security concerns?". Can't tell if these concern kreeti/kt-paperclip, my understanding is the PR was driven by the paperclip use case ...
The motivation to ask for clarification is the use case of migrating existing CF buckets from ACL to uniform access. By setting
|
Thanks @nikolaydrm for the clarification. When you say 'would accept ACL buckets as well', do you mean you'd expect the code to look something like...
If so, I think that better aligns with the server side given they state they disable ACL when uniform is enabled. If you are concerned from a security standpoint that the client, fog-google, can pass ACLs to a GCS bucket with uniform access control and ignore the uniform control then that isn't the case. |
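Added illustration, not part of the thread and not fog-google's or paperclip's code: a client-side pre-flight that reads the bucket resource's `iamConfiguration.uniformBucketLevelAccess.enabled` field and omits the `predefinedAcl` upload parameter on uniform buckets, logging when a requested ACL cannot take effect. The helper names and the sample bucket resources are constructed for this sketch.

```ruby
require "json"

# Values the GCS JSON API accepts for the predefinedAcl upload parameter.
PREDEFINED_ACLS = %w[authenticatedRead bucketOwnerFullControl bucketOwnerRead
                     private projectPrivate publicRead].freeze

# True when the bucket resource reports uniform bucket-level access (UBLA).
def uniform_access?(bucket_meta)
  bucket_meta.dig("iamConfiguration", "uniformBucketLevelAccess", "enabled") == true
end

# Build the query parameters for an object upload (hypothetical helper).
# On a UBLA bucket no ACL parameter is sent, because the server rejects it
# with "Cannot insert legacy ACL ..."; access is then governed by the
# bucket's IAM policy alone.
def upload_params(bucket_meta, name, requested_acl: nil)
  params = { "name" => name }
  return params if requested_acl.nil?
  unless PREDEFINED_ACLS.include?(requested_acl)
    raise ArgumentError, "unknown predefinedAcl: #{requested_acl}"
  end
  if uniform_access?(bucket_meta)
    # The requested per-object ACL cannot take effect here; say so loudly.
    warn "bucket #{bucket_meta['name']}: dropping ACL #{requested_acl} (UBLA enabled)"
  else
    params["predefinedAcl"] = requested_acl
  end
  params
end

# Constructed sample bucket resources (shape of the JSON API bucket object).
UBLA_BUCKET = JSON.parse(<<~JSON)
  {"name": "example-uniform", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": true}}}
JSON
ACL_BUCKET = JSON.parse(<<~JSON)
  {"name": "example-legacy", "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": false}}}
JSON
```

When a bucket is migrated from ACL to uniform access, any object that relied on a per-object ACL such as `private` or `publicRead` is afterwards readable by whoever the bucket-level IAM policy allows, so the dropped-ACL log line is worth reviewing.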
@cwjenkins - thanks! If there are no concerns that fog-google configured for uniform access plays fine with ACL buckets as well (seems to be the case, per your input) then it's "case closed" for me. Otherwise I'd expect the pseudo flow:
|
We're using this via Paperclip and seeing this error on upload:
Google::Apis::ClientError
invalid: Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access
https://sentry.io/share/issue/393f9e2786b543be9b2061a933268129/
Our config is:
Has anyone seen this error? I can't find any mention of uniform bucket level access in this repository.
https://cloud.google.com/storage/docs/uniform-bucket-level-access
Thank you very much!! cc @icarito