ECS S3 bucket public access

Sometimes we need to give read-only access to an S3 bucket to everyone, including unauthenticated (anonymous) users. This post describes how to configure such public access on ECS and then checks, request by request, what the resulting ACL does and does not allow.

  • Create a bucket

[screenshot: ECS S3 public access]

  • Edit the bucket ACL

[screenshot: ECS S3 public access 2]

  • Add a new Group ACL

[screenshot: ECS S3 public access 3]

  • Select the pre-defined “public” group

[screenshot: ECS S3 public access 4]

These pre-defined group names can be used:

Group          Description
public         All users, authenticated or not
all users      All authenticated users
other          Authenticated users, but not the bucket owner
log delivery   Not supported
  • Grant READ permission only (no WRITE, no FULL_CONTROL)

[screenshot: ECS S3 public access 5]
[screenshot: ECS S3 public access 6]

  • Let’s create an object as the bucket’s owner (s3curl.pl signs the request with the credentials stored under the “ecsid” profile in ~/.s3curl)
# s3curl.pl --id=ecsid -- -X PUT -T object1 -s http://10.0.0.1:9020/publicbucket/object1
# s3curl.pl --id=ecsid -- -s http://10.0.0.1:9020/publicbucket/object1
=== Object created by the Bucket Owner ====
  • Check whether an anonymous, unauthenticated user can list the bucket

Note: we use plain curl instead of s3curl.pl here so that the request is sent unsigned, i.e. anonymously.

# curl -s http://10.0.0.1:9020/publicbucket | xmllint --format -
<?xml version="1.0"?>
<Error>
<Code>AccessDenied</Code>
<Message>Could not determine namespace from anonymous request. Please use a namespace BaseURL or include an x-emc-namespace header</Message>
<RequestId>0a015333:15f0b3deaa6:1880a:375</RequestId>
</Error>
  • The namespace must be given in the “x-emc-namespace” header. This is ECS-specific: a signed request carries the user’s identity, from which ECS derives the namespace, but an anonymous request carries nothing of the kind.
  • With the header, the objects in the bucket are listed:
# curl -s -H "x-emc-namespace: ns1" http://10.0.0.1:9020/publicbucket/ | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>publicbucket</Name>
<Prefix/>
<Marker/>
<MaxKeys>1000</MaxKeys>
<IsTruncated>false</IsTruncated>
<ServerSideEncryptionEnabled>false</ServerSideEncryptionEnabled>
<Contents>
   <Key>object1</Key>
   <LastModified>2017-11-02T13:31:58Z</LastModified>
   <ETag>"b7d6199f4b0eafe00596dd0616b3c0c4"</ETag>
   <Size>44</Size>
   <StorageClass>STANDARD</StorageClass>
   <Owner>
     <ID>objuser2</ID>
     <DisplayName>objuser2</DisplayName>
   </Owner>
</Contents>
</ListBucketResult>
  • Can we write to the bucket?
  • No. The public group has READ permission only, so an anonymous PUT is rejected:
# curl -s -X PUT -T object2 -H "x-emc-namespace: ns1" http://10.0.0.1:9020/publicbucket/object2 | xmllint --format -
<?xml version="1.0"?>
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<Resource>publicbucket/object2</Resource>
<RequestId>0a015333:15f0b3deaa6:18847:9</RequestId>
</Error>
  • Can we read the object created by the bucket’s owner?
  • Hmm… access is denied. Why?
# curl -s -H "x-emc-namespace: ns1" http://10.0.0.1:9020/publicbucket/object1 | xmllint --format -
<?xml version="1.0"?>
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<Resource>publicbucket/object1</Resource>
<RequestId>0a015333:15f0b3deaa6:18839:159</RequestId>
</Error>
  • We applied the ACL to the bucket, not to the objects in it. READ on a bucket only allows listing its keys; reading an object’s data requires READ on that object’s own ACL, and the object we uploaded has the default owner-only ACL.
  • To make an object readable by anonymous users, we must set the object ACL as well. The simplest way is the canned “x-amz-acl: public-read” header at upload time.
  • Keep in mind that the bucket ACL alone already lets anyone enumerate key names, sizes and owner IDs (as the listing above shows), even while the object data stays private.

Note: this is not ECS-specific; the AWS S3 access model defines it the same way (bucket READ = list objects, object READ = get the object).

# echo "=== Object created for public READ access ====" > object3

# s3curl.pl --id=ecsid -- -X PUT -T object3 -H 'x-amz-acl: public-read' -s http://10.0.0.1:9020/publicbucket/object3
  • The object uploaded by the bucket’s owner with public-read is now readable anonymously:
# curl -s -H "x-emc-namespace: ns1" http://10.0.0.1:9020/publicbucket/object3
=== Object created for public READ access ====
  • Only READ access is granted to anonymous users; an anonymous DELETE is still rejected:
# curl -s -X DELETE -H "x-emc-namespace: ns1" http://10.0.0.1:9020/publicbucket/object3 | xmllint --format -
<?xml version="1.0"?>
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<Resource>publicbucket/object3</Resource>
<RequestId>0a015333:15f0b3deaa6:188e9:bb</RequestId>
</Error>
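The procedure above amounts to three unsigned probes (LIST the bucket, GET an object, try a write) and reading the S3 XML that comes back. The script below is an added example, not code from the post or from ECS, that automates the read-only part as an audit: anonymous LIST with the x-emc-namespace header, then anonymous GET of every listed key, so a bucket that is “listable but not readable” (bucket ACL only) is reported separately from objects that are genuinely public-read (object ACL). It never writes or deletes. The endpoint, namespace and bucket names are the post’s values and are placeholders; the sample responses are constructed from the output shown above, with the HTTP status codes (403 for AccessDenied) assumed, so the classifier can be exercised offline through an injectable transport.

```python
"""Read-only audit of anonymous access to a bucket on an S3-compatible endpoint.

Endpoint, namespace and bucket below are placeholders from the post; the sample
responses are constructed from its output (HTTP status codes are assumed).
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def http_get(url, headers):
    """Unsigned GET (no Authorization header), like the curl calls in the post."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """Map one response to a verdict: an S3 <Error>, a <ListBucketResult>, or object data."""
    text = body.strip()
    if text.startswith("<"):
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            root = None
        tag = root.tag.replace(S3_NS, "") if root is not None else ""
        if tag == "Error":
            code = root.findtext("Code") or ""
            message = root.findtext("Message") or ""
            # ECS-specific: an anonymous request must name the namespace (x-emc-namespace)
            if code == "AccessDenied" and "namespace" in message.lower():
                code = "MissingNamespace"
            return {"kind": "error", "code": code, "message": message}
        if tag == "ListBucketResult":
            keys = [c.findtext(S3_NS + "Key") for c in root.findall(S3_NS + "Contents")]
            return {"kind": "listing", "keys": keys}
    if 200 <= status < 300:
        return {"kind": "object", "size": len(body.encode("utf-8"))}
    return {"kind": "error", "code": "HTTP%d" % status, "message": text[:200]}


def audit_public_access(endpoint, bucket, namespace, get=http_get):
    """Anonymous LIST, then anonymous GET of every listed key. Nothing is written or deleted."""
    headers = {"x-emc-namespace": namespace}
    status, body = get("%s/%s/" % (endpoint, bucket), headers)
    listing = classify(status, body)
    report = {"bucket": bucket, "anonymous_list": listing["kind"] == "listing", "objects": {}}
    if listing["kind"] != "listing":
        report["list_error"] = listing["code"]
        return report
    for key in listing["keys"]:
        verdict = classify(*get("%s/%s/%s" % (endpoint, bucket, key), headers))
        report["objects"][key] = "public-read" if verdict["kind"] == "object" else verdict["code"]
    return report


# --- constructed sample responses, modelled on the post's output (statuses assumed) ---
NAMESPACE_ERROR_XML = """<?xml version="1.0"?>
<Error><Code>AccessDenied</Code><Message>Could not determine namespace from anonymous request. Please use a namespace BaseURL or include an x-emc-namespace header</Message></Error>"""

DENIED_XML = """<?xml version="1.0"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><Resource>publicbucket/object1</Resource></Error>"""

LISTING_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>publicbucket</Name><Prefix/><Marker/><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
<Contents><Key>object1</Key><Size>44</Size><Owner><ID>objuser2</ID></Owner></Contents>
<Contents><Key>object3</Key><Size>47</Size><Owner><ID>objuser2</ID></Owner></Contents>
</ListBucketResult>"""

SAMPLE_RESPONSES = {
    "http://10.0.0.1:9020/publicbucket/": (200, LISTING_XML),
    "http://10.0.0.1:9020/publicbucket/object1": (403, DENIED_XML),  # default owner-only ACL
    "http://10.0.0.1:9020/publicbucket/object3": (200, "=== Object created for public READ access ====\n"),
}


def fake_get(url, headers):
    """Offline transport that answers like the ECS node in the post."""
    if "x-emc-namespace" not in headers:
        return 403, NAMESPACE_ERROR_XML
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # Drop get=fake_get to probe a real endpoint with the unsigned http_get above.
    print(audit_public_access("http://10.0.0.1:9020", "publicbucket", "ns1", get=fake_get))
```

Against the sample responses the report shows the bucket as anonymously listable, object1 as AccessDenied and object3 as public-read, which is exactly the split between bucket ACL and object ACL that the walkthrough above uncovers. Run it after every ACL change, and remember that a listable bucket leaks key names even when every object is still private.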