S3 ACL objects result sometimes does not return acl

Question

S3 ACL objects result sometimes does not return acl

Closed this issue 2 months ago · 5 comments

We have an unstable bug appearing in ACL tests - get-object-acl does not return the acl of the object

For example, here's the same code, two test runs.

This test run has a bug:
https://http.fs.neo.org/7ZVSQHtioVRiDT2btN9xEmQhczXV9vryCEAHUawfD8Sc/124-1700206041/index.html#suites/5ce6aa05e800f910fce1d43aa230519d/9e716c2eb6d4c48/

Logs (only for this failed test):
266dd51c0383ea5.zip

And this test run does not have the bug:
https://http.fs.neo.org/7ZVSQHtioVRiDT2btN9xEmQhczXV9vryCEAHUawfD8Sc/126-1700220863/index.html#suites/5ce6aa05e800f910fce1d43aa230519d/1a79739c13417884/

Logs:
e3af9c448c36ce0b.zip

Important note - this happens with any of the s3 acl tests, not just test_s3_put_object_object_acl.

Possible Solution

Maybe the issue is related to the ticking of epochs?
But the logs show that the object exists:

2023-11-16T19:20:08.342Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "5b408353-8728-4e85-b56b-71799b26dd12", "method": "GetObjectACL", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "object": "ef6cc8cc-8e51-421a-b8b9-e434b5aeef15", "description": "OK"}
2023-11-16T19:20:08.345Z	debug	layer/layer.go:480	get object	{"reqId": "8c409e63-6e74-44f9-b568-6cbdd52071ce", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "cid": "AhL8rE98ksZMBWCapr1DxyowEAwgvdQFEbZ1Ait3bVky", "object": "ef6cc8cc-8e51-421a-b8b9-e434b5aeef15", "oid": "2VDRGye7hLbVUTYutzTvkzJ7hkGXQAxqGRj6yksQruz5"}
2023-11-16T19:20:09.355Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "8c409e63-6e74-44f9-b568-6cbdd52071ce", "method": "PutObjectACL", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "object": "ef6cc8cc-8e51-421a-b8b9-e434b5aeef15", "description": "OK"}
2023-11-16T19:20:09.359Z	debug	layer/layer.go:480	get object	{"reqId": "e5df95b5-f910-4213-96af-f69f32b3829b", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "cid": "AhL8rE98ksZMBWCapr1DxyowEAwgvdQFEbZ1Ait3bVky", "object": "ef6cc8cc-8e51-421a-b8b9-e434b5aeef15", "oid": "2VDRGye7hLbVUTYutzTvkzJ7hkGXQAxqGRj6yksQruz5"}
2023-11-16T19:20:09.359Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "e5df95b5-f910-4213-96af-f69f32b3829b", "method": "GetObjectACL", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "object": "ef6cc8cc-8e51-421a-b8b9-e434b5aeef15", "description": "OK"}
2023-11-16T19:20:09.441Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "86af6101-267e-416e-a348-57cb0d1b6ba2", "method": "GetBucketVersioning", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "object": "", "description": "OK"}
2023-11-16T19:20:09.446Z	info	api/router.go:166	call method	{"status": 200, "host": "s3.neofs.devenv:8080", "request_id": "19840d04-68dd-459f-bb51-d334f5b7c14d", "method": "ListObjectsV1", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "object": "", "description": "OK"}
2023-11-16T19:20:09.450Z	debug	layer/tagging.go:182	target details	{"reqId": "238f8607-b160-4264-bb92-e0a66d05803f", "bucket": "1ab9b181-cf07-437a-907a-7796e1383c9a", "cid": "AhL8rE98ksZMBWCapr1DxyowEAwgvdQFEbZ1Ait3bVky", "object": "ef6cc8cc-8e51-421a-b8b9-e434b5aeef15", "oid": "2VDRGye7hLbVUTYutzTvkzJ7hkGXQAxqGRj6yksQruz5"}

Steps to Reproduce

Run s3 acl tests

Your Environment

neo-go 0.102.0
neofs-s3-authmate bf1902c - https://github.com/nspcc-dev/neofs-s3-gw/tree/014a5bf493d00b8cce478e2c96c84ad9de8fe617
neofs-cli 0.38.1
neofs-adm 0.38.1
AWS aws-cli/2.13.30
Python/3.11.6 Linux/6.2.0-1015-azure exe/x86_64.ubuntu.22 prompt/off

Answer 1 · 2023-11-18T19:41:09.000Z

Pool block sync, @smallhive?

Answer 2 · 2023-11-20T06:28:08.000Z

I consider this problem connected to the object ownership and #859

If an object was created like a container owner, we don't need to set extended EACL rules, the owner has the maximum possible access to the object
if an object was created by someone with a token, we put EACL rules to the container and as a result, we have some data in get-object-acl response

Answer 3 · 2024-09-03T14:33:47.000Z

What's the status of this, @smallhive?

Answer 4 · 2024-09-03T14:55:09.000Z

A check is required one more time. We did many changes for accounts and ACLs

Answer 5 · 2024-09-04T07:51:35.000Z

I've checked about 10 pipelines. All of them had green tests connected to ACLs. My assumption is the problem is gone