authorDoug Luce <doug@github.con.com>2022-03-15 08:57:12 -0700
committerChocobozzz <chocobozzz@cpy.re>2022-03-16 10:58:01 +0100
commitf9915efa5ea0714178fc60d11a0d5434e7b1e600 (patch)
treecf2e7249a64a4af73a89aa19c755d5eec0ab9fe2 /server
parent60233e90d280eb865d396b30b63c0e88d13ca7db (diff)
Make object storage ACL configurable
Override this value to allow uploads to non-public S3 buckets. Otherwise "AccessDenied: Access Denied" errors will end up in the log. Fixes #4850
Diffstat (limited to 'server')
-rw-r--r--server/initializers/config.ts1
-rw-r--r--server/lib/object-storage/shared/object-storage-helpers.ts28
2 files changed, 21 insertions, 8 deletions
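--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -114,6 +114,7 @@ const CONFIG = {
 MAX_UPLOAD_PART: bytes.parse(config.get<string>('object_storage.max_upload_part')),
 ENDPOINT: config.get<string>('object_storage.endpoint'),
 REGION: config.get<string>('object_storage.region'),
+UPLOAD_ACL: config.get<string>('object_storage.upload_acl'),
 CREDENTIALS: {
 ACCESS_KEY_ID: config.get<string>('object_storage.credentials.access_key_id'),
 SECRET_ACCESS_KEY: config.get<string>('object_storage.credentials.secret_access_key')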
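Review bot: `UPLOAD_ACL` (new line 117) is read as an unconstrained string and later sent to S3 as the object ACL, so a typo or a more permissive value than intended only shows up at upload time. Because this setting decides whether every uploaded object is world-readable, I would validate it when the configuration is loaded against the canned ACLs the project means to support (for example `private` and `public-read`) and refuse to start otherwise. The default for `object_storage.upload_acl` is not part of this diff (it is limited to `server`); if it is anything other than `public-read`, existing instances change object visibility on upgrade. A comment on the line would help, e.g. `// Canned ACL sent with each upload; when empty no ACL is sent at all`.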
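--- a/server/lib/object-storage/shared/object-storage-helpers.ts
+++ b/server/lib/object-storage/shared/object-storage-helpers.ts
@@ -6,10 +6,12 @@ import {
 CompletedPart,
 CompleteMultipartUploadCommand,
 CreateMultipartUploadCommand,
+CreateMultipartUploadCommandInput,
 DeleteObjectCommand,
 GetObjectCommand,
 ListObjectsV2Command,
 PutObjectCommand,
+PutObjectCommandInput,
 UploadPartCommand
 } from '@aws-sdk/client-s3'
 import { pipelinePromise } from '@server/helpers/core-utils'
@@ -143,12 +145,17 @@ async function objectStoragePut (options: {
 }) {
 const { objectStorageKey, content, bucketInfo } = options
 
-const command = new PutObjectCommand({
+const input: PutObjectCommandInput = {
 Bucket: bucketInfo.BUCKET_NAME,
 Key: buildKey(objectStorageKey, bucketInfo),
-Body: content,
-ACL: 'public-read'
-})
+Body: content
+}
+
+if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+}
+
+const command = new PutObjectCommand(input)
 
 await getClient().send(command)
 
@@ -167,11 +174,16 @@ async function multiPartUpload (options: {
 
 const statResult = await stat(inputPath)
 
-const createMultipartCommand = new CreateMultipartUploadCommand({
+const input: CreateMultipartUploadCommandInput = {
 Bucket: bucketInfo.BUCKET_NAME,
-Key: key,
-ACL: 'public-read'
-})
+Key: buildKey(objectStorageKey, bucketInfo)
+}
+
+if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+}
+
+const createMultipartCommand = new CreateMultipartUploadCommand(input)
 const createResponse = await s3Client.send(createMultipartCommand)
 
 const fd = await open(inputPath, 'r')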
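Review bot: In `multiPartUpload` the create request now uses `Key: buildKey(objectStorageKey, bucketInfo)` where the old side had `Key: key`. If `key` is still computed above the hunk and used by the later part-upload and complete commands (not visible here), keeping `Key: key` would stop the two values from drifting apart. The `if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) { input.ACL = … }` guard is also repeated verbatim in `objectStoragePut`, so a later change to ACL handling could be applied to one upload path and missed on the other; a small shared helper that returns the ACL field would keep them aligned. Each guard deserves a comment stating the intent, e.g. `// Send no ACL when upload_acl is empty, so buckets that reject object ACLs still accept the upload`. Both functions begin and end outside the hunks shown.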