Actions
Bug #56129
closedStill able to delete object [and its version] with S3 Object Lock
Status:
Duplicate
Priority:
Normal
Assignee:
-
Target version:
-
% Done:
0%
Source:
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
The following sequence works at Pacific 16.2.9 despite object locked in COMPLIANCE retention mode:
- On Ceph Pacific 16.2.9:
aws s3api create-bucket --bucket test-bucket --object-lock-enabled-for-bucket
aws s3api put-object-lock-configuration --bucket test-bucket --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":90}}}'
aws s3api put-object --bucket test-bucket --body
aws s3api put-object --bucket test-bucket --body test --key test {
"ETag": "\"d8e8fca2dc0f896fd7cb4cb0031ba249\"",
"VersionId": "7w87yIzrlhfuSjk0WXEepYwTjCccj.o"
}
aws s3api get-object-retention --bucket test-bucket --key test {
"Retention": {
"Mode": "COMPLIANCE",
"RetainUntilDate": "2022-09-18T14:24:22.162530+00:00"
}
} - While specifying the version-id, it behaves as expected for the first time
aws s3api delete-object --bucket test-bucket --key test --version-id 7w87yIzrlhfuSjk0WXEepYwTjCccj.o
An error occurred (AccessDenied) when calling the DeleteObject operation: forbidden by object lock
- While omitting the version-id, it creates a delete-marker
aws s3api delete-object --bucket test-bucket --key test {
"DeleteMarker": true,
"VersionId": "rSQ7bqeVK6vGFdFtyvbJDLHRGqiZSsm"
} - Specifying the version-id again, allows for the deletion of the object
aws s3api delete-object --bucket test-bucket --key test --version-id 7w87yIzrlhfuSjk0WXEepYwTjCccj.o {
"VersionId": "7w87yIzrlhfuSjk0WXEepYwTjCccj.o"
}
aws s3api create-bucket --bucket test-bucket --object-lock-enabled-for-bucket --create-bucket-configuration LocationConstraint=us-west-1 {
"Location": "http://test-bucket.s3.amazonaws.com/"
}
aws s3api put-object-lock-configuration --bucket test-bucket --object-lock-configuration '{"ObjectLockEnabled":"Enabled","Rule":{"DefaultRetention":{"Mode":"COMPLIANCE","Days":90}}}'
aws s3api put-object --bucket test-bucket --body test --key test{
"ETag": "\"c86a2cdc3faa3b074363f08624ea7ed8\"",
"VersionId": "AzK1HMbvTRe.ykK8Eo7bwwn1Cq.cF0hQ"
}
aws s3api get-object-retention --bucket test-bucket --key test --version-id AzK1HMbvTRe.ykK8Eo7bwwn1Cq.cF0hQ {
"Retention": {
"Mode": "COMPLIANCE",
"RetainUntilDate": "2022-09-18T12:03:22.086000+00:00"
}
}
- On AWS both specifying and omitting the version-id behaves as expected
aws s3api delete-object --bucket test-bucket --key test
An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
aws s3api delete-object --bucket test-bucket --key test --version-id AzK1HMbvTRe.ykK8Eo7bwwn1Cq.cF0hQ
An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied
Updated by Igor Fedotov almost 2 years ago
- Has duplicate Bug #55766: S3 Object Lock not Working added
Actions