author | Chocobozzz <me@florianbigard.com> | 2023-01-12 08:41:16 +0100 |
---|---|---|
committer | Chocobozzz <me@florianbigard.com> | 2023-01-12 08:41:16 +0100 |
commit | 8180f60477e99c4fd70ce25729d1ca65155a6686 (patch) | |
tree | 60f0d2f5c10e2302578c3742dfec4d30e14d6baf | |
parent | 2cb9f8b9c7b9b6707240171addf2bf015356007b (diff) | |
Fix ACL incompatibility with some s3 providers
We'll move to another method in the future
See https://github.com/Chocobozzz/PeerTube/issues/5497
-rw-r--r-- | config/default.yaml | 2 | ||||
-rw-r--r-- | config/production.yaml.example | 2 | ||||
-rw-r--r-- | server/initializers/checker-after-init.ts | 8 | ||||
-rw-r--r-- | server/lib/object-storage/shared/object-storage-helpers.ts | 20 | ||||
-rw-r--r-- | server/lib/object-storage/videos.ts | 8 |
5 files changed, 22 insertions, 18 deletions
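--- a/config/default.yaml
+++ b/config/default.yaml
@@ -154,9 +154,11 @@ object_storage:
 
 upload_acl:
 # Set this ACL on each uploaded object of public/unlisted videos
+# Use null if your S3 provider does not support object ACL
 public: 'public-read'
 # Set this ACL on each uploaded object of private/internal videos
 # PeerTube can proxify requests to private objects so your users can access them
+# Use null if your S3 provider does not support object ACL
 private: 'private'
 
 proxy: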
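--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -152,9 +152,11 @@ object_storage:
 
 upload_acl:
 # Set this ACL on each uploaded object of public/unlisted videos
+# Use null if your S3 provider does not support object ACL
 public: 'public-read'
 # Set this ACL on each uploaded object of private/internal videos
 # PeerTube can proxify requests to private objects so your users can access them
+# Use null if your S3 provider does not support object ACL
 private: 'private'
 
 proxy: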
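--- a/server/initializers/checker-after-init.ts
+++ b/server/initializers/checker-after-init.ts
@@ -278,14 +278,6 @@ function checkObjectStorageConfig () {
 'Object storage bucket prefixes should be set to different values when the same bucket is used for both types of video.'
 )
 }
-
-if (!CONFIG.OBJECT_STORAGE.UPLOAD_ACL.PUBLIC) {
-throw new Error('object_storage.upload_acl.public must be set')
-}
-
-if (!CONFIG.OBJECT_STORAGE.UPLOAD_ACL.PRIVATE) {
-throw new Error('object_storage.upload_acl.private must be set')
-}
 }
 }
 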
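--- a/server/lib/object-storage/shared/object-storage-helpers.ts
+++ b/server/lib/object-storage/shared/object-storage-helpers.ts
@@ -61,13 +61,16 @@ async function storeObject (options: {
 
 // ---------------------------------------------------------------------------
 
-function updateObjectACL (options: {
+async function updateObjectACL (options: {
 objectStorageKey: string
 bucketInfo: BucketInfo
 isPrivate: boolean
 }) {
 const { objectStorageKey, bucketInfo, isPrivate } = options
 
+const acl = getACL(isPrivate)
+if (!acl) return
+
 const key = buildKey(objectStorageKey, bucketInfo)
 
 logger.debug('Updating ACL file %s in bucket %s', key, bucketInfo.BUCKET_NAME, lTags())
@@ -75,10 +78,10 @@ function updateObjectACL (options: {
 const command = new PutObjectAclCommand({
 Bucket: bucketInfo.BUCKET_NAME,
 Key: key,
-ACL: getACL(isPrivate)
+ACL: acl
 })
 
-return getClient().send(command)
+await getClient().send(command)
 }
 
 function updatePrefixACL (options: {
@@ -88,6 +91,9 @@ function updatePrefixACL (options: {
 }) {
 const { prefix, bucketInfo, isPrivate } = options
 
+const acl = getACL(isPrivate)
+if (!acl) return
+
 logger.debug('Updating ACL of files in prefix %s in bucket %s', prefix, bucketInfo.BUCKET_NAME, lTags())
 
 return applyOnPrefix({
@@ -99,7 +105,7 @@ function updatePrefixACL (options: {
 return new PutObjectAclCommand({
 Bucket: bucketInfo.BUCKET_NAME,
 Key: obj.Key,
-ACL: getACL(isPrivate)
+ACL: acl
 })
 }
 })
@@ -227,10 +233,12 @@ async function uploadToStorage (options: {
 const input: PutObjectCommandInput = {
 Body: content,
 Bucket: bucketInfo.BUCKET_NAME,
-Key: buildKey(objectStorageKey, bucketInfo),
-ACL: getACL(isPrivate)
+Key: buildKey(objectStorageKey, bucketInfo)
 }
 
+const acl = getACL(isPrivate)
+if (acl) input.ACL = acl
+
 const parallelUploads3 = new Upload({
 client: getClient(),
 queueSize: 4,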
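Review bot: The early `if (!acl) return` in `updateObjectACL` and `updatePrefixACL` skips the ACL change without logging, so with `upload_acl.private` set to null a video switched to private presumably keeps whatever access the bucket policy already grants. The guard is a truthiness test, and this commit also removes the startup check in `checker-after-init.ts`, so an empty or missing value now disables ACLs the same way an explicit null does. I would log the skip before returning, e.g. `logger.debug('Skipping ACL update of %s: no upload ACL configured', objectStorageKey, lTags())`. The config comments should also state that with null the privacy of private/internal files depends entirely on the bucket policy. `uploadToStorage` has the same silent path at `if (acl) input.ACL = acl`; its body starts and ends outside the hunk.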
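--- a/server/lib/object-storage/videos.ts
+++ b/server/lib/object-storage/videos.ts
@@ -55,16 +55,16 @@ function storeWebTorrentFile (video: MVideo, file: MVideoFile) {
 
 // ---------------------------------------------------------------------------
 
-function updateWebTorrentFileACL (video: MVideo, file: MVideoFile) {
-return updateObjectACL({
+async function updateWebTorrentFileACL (video: MVideo, file: MVideoFile) {
+await updateObjectACL({
 objectStorageKey: generateWebTorrentObjectStorageKey(file.filename),
 bucketInfo: CONFIG.OBJECT_STORAGE.VIDEOS,
 isPrivate: video.hasPrivateStaticPath()
 })
 }
 
-function updateHLSFilesACL (playlist: MStreamingPlaylistVideo) {
-return updatePrefixACL({
+async function updateHLSFilesACL (playlist: MStreamingPlaylistVideo) {
+await updatePrefixACL({
 prefix: generateHLSObjectBaseStorageKey(playlist),
 bucketInfo: CONFIG.OBJECT_STORAGE.STREAMING_PLAYLISTS,
 isPrivate: playlist.Video.hasPrivateStaticPath()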