Make object storage ACL configurable
authorDoug Luce <doug@github.con.com>
Tue, 15 Mar 2022 15:57:12 +0000 (08:57 -0700)
committerChocobozzz <chocobozzz@cpy.re>
Wed, 16 Mar 2022 09:58:01 +0000 (10:58 +0100)
Override this value to allow uploads to non-public S3
buckets. Otherwise "AccessDenied: Access Denied" errors will end up in
the log.

Fixes #4850

config/default.yaml
config/production.yaml.example
server/initializers/config.ts
server/lib/object-storage/shared/object-storage-helpers.ts
support/docker/production/config/custom-environment-variables.yaml

index 42ce12c18809b9c8bc0f91a67124eecd720c18f2..6db8d3803b58f6e7bf1f0e5e741bbdfeffdbe23d 100644 (file)
@@ -138,6 +138,9 @@ object_storage:
 
   region: 'us-east-1'
 
+  # Set this ACL on each uploaded object
+  upload_acl: 'public-read'
+
   credentials:
     # You can also use AWS_ACCESS_KEY_ID env variable
     access_key_id: ''
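Review bot: The new comment on `upload_acl` does not say what an empty value does, even though the code in object-storage-helpers.ts only sets `ACL` when the value is truthy, so `''` means "send no ACL header and let the bucket policy decide"; that is the case the commit message is about and operators will not find it from this comment. It also does not say that the value is passed straight to S3 and must be a canned ACL name such as `public-read` or `private`. I would change the comment to `# Canned ACL set on each uploaded object (e.g. 'public-read', 'private'). Leave empty to send no ACL and rely on the bucket policy.`, and the same wording belongs in production.yaml.example.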
index bb1b4615bb412faa45fbdf877fdc4701ec3cf0fb..e6e85da1246c453d379abe6287d163dd810304db 100644 (file)
@@ -134,6 +134,9 @@ object_storage:
 
   region: 'us-east-1'
 
+  # Set this ACL on each uploaded object
+  upload_acl: 'public'
+
   credentials:
     # You can also use AWS_ACCESS_KEY_ID env variable
     access_key_id: ''
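Review bot: `upload_acl: 'public'` in production.yaml.example disagrees with the `'public-read'` used in config/default.yaml, and `public` is not a canned ACL name S3 accepts, so an operator who copies this example will get the very AccessDenied/InvalidArgument failures at upload time that the commit sets out to avoid. The line should read `upload_acl: 'public-read'` so the example matches the default and a valid ACL.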
index 3aadd9cbd6845499a75bda0b75bc4f0237f40666..1658298c53e16fc2827b42b920aa2577b3e90aa5 100644 (file)
@@ -114,6 +114,7 @@ const CONFIG = {
     MAX_UPLOAD_PART: bytes.parse(config.get<string>('object_storage.max_upload_part')),
     ENDPOINT: config.get<string>('object_storage.endpoint'),
     REGION: config.get<string>('object_storage.region'),
+    UPLOAD_ACL: config.get<string>('object_storage.upload_acl'),
     CREDENTIALS: {
       ACCESS_KEY_ID: config.get<string>('object_storage.credentials.access_key_id'),
       SECRET_ACCESS_KEY: config.get<string>('object_storage.credentials.secret_access_key')
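Review bot: `UPLOAD_ACL` is read as a free-form string and, from the helper hunks, forwarded to S3 unchanged, so a typo in the YAML is only discovered on the first upload as an S3 error rather than at startup like the other configuration errors. If the project's configuration checker (not visible in this diff) validates `object_storage` values, this is the place to add a check that `UPLOAD_ACL` is either empty or one of the S3 canned ACL names, failing fast with the offending value in the message. The `CONFIG` object literal continues outside the hunk.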
index 47c37ffda2aa783bbedd9f4c7ea113f66a825680..ecb82856e7da4348cdefae7484cf2b830bca4470 100644 (file)
@@ -6,10 +6,12 @@ import {
   CompletedPart,
   CompleteMultipartUploadCommand,
   CreateMultipartUploadCommand,
+  CreateMultipartUploadCommandInput,
   DeleteObjectCommand,
   GetObjectCommand,
   ListObjectsV2Command,
   PutObjectCommand,
+  PutObjectCommandInput,
   UploadPartCommand
 } from '@aws-sdk/client-s3'
 import { pipelinePromise } from '@server/helpers/core-utils'
@@ -143,12 +145,17 @@ async function objectStoragePut (options: {
 }) {
   const { objectStorageKey, content, bucketInfo } = options
 
-  const command = new PutObjectCommand({
+  const input: PutObjectCommandInput = {
     Bucket: bucketInfo.BUCKET_NAME,
     Key: buildKey(objectStorageKey, bucketInfo),
-    Body: content,
-    ACL: 'public-read'
-  })
+    Body: content
+  }
+
+  if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+    input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+  }
+
+  const command = new PutObjectCommand(input)
 
   await getClient().send(command)
 
@@ -167,11 +174,16 @@ async function multiPartUpload (options: {
 
   const statResult = await stat(inputPath)
 
-  const createMultipartCommand = new CreateMultipartUploadCommand({
+  const input: CreateMultipartUploadCommandInput = {
     Bucket: bucketInfo.BUCKET_NAME,
-    Key: key,
-    ACL: 'public-read'
-  })
+    Key: buildKey(objectStorageKey, bucketInfo)
+  }
+
+  if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+    input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+  }
+
+  const createMultipartCommand = new CreateMultipartUploadCommand(input)
   const createResponse = await s3Client.send(createMultipartCommand)
 
   const fd = await open(inputPath, 'r')
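Review bot: Besides making the ACL configurable, this hunk replaces `Key: key` with `Key: buildKey(objectStorageKey, bucketInfo)`, a change the commit message does not mention. Whether this is a no-op depends on how `key` is computed earlier in multiPartUpload, which starts outside the hunk; if `key` was already `buildKey(objectStorageKey, bucketInfo)` the multipart create now computes it twice, and if it was not, the multipart object is silently written under a different key than the one the rest of the function (the UploadPartCommand and CompleteMultipartUploadCommand) presumably still use. Either keep `Key: key` here or change every use of `key` in the function in the same commit, with a sentence in the message explaining why.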
index 32552964d76973c9991ca899678b34849d8132be..9c84428b78621e5b1bee7ad7c9bac6504f248d82 100644 (file)
@@ -66,6 +66,7 @@ object_storage:
     bucket_name: "PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_BUCKET_NAME"
     prefix: "PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_PREFIX"
     base_url: "PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_BASE_URL"
+    upload_acl: "PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL"
 
   videos:
     bucket_name: "PEERTUBE_OBJECT_STORAGE_VIDEOS_BUCKET_NAME"
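Review bot: The added `upload_acl` line is indented under `streaming_playlists:` (it follows that block's `bucket_name`/`prefix`/`base_url` keys at the same depth), so this mapping defines `object_storage.streaming_playlists.upload_acl`, while config.ts reads `object_storage.upload_acl`; as a result `PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL` is never applied in the Docker setup. Move the line up one level, to two-space indentation directly under `object_storage:` alongside its other top-level keys, as `  upload_acl: "PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL"`.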