From f9915efa5ea0714178fc60d11a0d5434e7b1e600 Mon Sep 17 00:00:00 2001
From: Doug Luce
Date: Tue, 15 Mar 2022 08:57:12 -0700
Subject: Make object storage ACL configurable

Override this value to allow uploads to non-public S3 buckets. Otherwise "AccessDenied: Access Denied" errors will end up in the log.

Fixes #4850
---
 server/initializers/config.ts | 1 +
 .../shared/object-storage-helpers.ts | 28 +++++++++++++++-------
 2 files changed, 21 insertions(+), 8 deletions(-)

(limited to 'server')

diff --git a/server/initializers/config.ts b/server/initializers/config.ts
index 3aadd9cbd..1658298c5 100644
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -114,6 +114,7 @@ const CONFIG = {
     MAX_UPLOAD_PART: bytes.parse(config.get('object_storage.max_upload_part')),
     ENDPOINT: config.get('object_storage.endpoint'),
     REGION: config.get('object_storage.region'),
+    UPLOAD_ACL: config.get('object_storage.upload_acl'),
     CREDENTIALS: {
       ACCESS_KEY_ID: config.get('object_storage.credentials.access_key_id'),
       SECRET_ACCESS_KEY: config.get('object_storage.credentials.secret_access_key')
diff --git a/server/lib/object-storage/shared/object-storage-helpers.ts b/server/lib/object-storage/shared/object-storage-helpers.ts
index 47c37ffda..ecb82856e 100644
--- a/server/lib/object-storage/shared/object-storage-helpers.ts
+++ b/server/lib/object-storage/shared/object-storage-helpers.ts
@@ -6,10 +6,12 @@ import {
   CompletedPart,
   CompleteMultipartUploadCommand,
   CreateMultipartUploadCommand,
+  CreateMultipartUploadCommandInput,
   DeleteObjectCommand,
   GetObjectCommand,
   ListObjectsV2Command,
   PutObjectCommand,
+  PutObjectCommandInput,
   UploadPartCommand
 } from '@aws-sdk/client-s3'
 import { pipelinePromise } from '@server/helpers/core-utils'
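Review bot: The new `UPLOAD_ACL: config.get('object_storage.upload_acl')` line reads a key that existing deployments do not have, and if `config` here is the node `config` package (the surrounding `config.get` calls suggest it) an undefined key throws at startup, so this patch — limited to `server/` and showing no `config/default.yaml` entry — needs the default to land with it. The value is also handed to S3 unvalidated as a canned ACL, so a startup check against the canned ACL names the SDK accepts would turn a typo into a clear error instead of a runtime AccessDenied on every upload. A short comment on the entry would give operators the hint the commit message gives, e.g. `// Canned ACL for every upload; leave empty for buckets with ACLs disabled (Object Ownership "bucket owner enforced"), which reject any ACL`. The enclosing CONFIG object starts and ends outside the hunk.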
@@ -143,12 +145,17 @@ async function objectStoragePut (options: {
 }) {
   const { objectStorageKey, content, bucketInfo } = options

-  const command = new PutObjectCommand({
+  const input: PutObjectCommandInput = {
     Bucket: bucketInfo.BUCKET_NAME,
     Key: buildKey(objectStorageKey, bucketInfo),
-    Body: content,
-    ACL: 'public-read'
-  })
+    Body: content
+  }
+
+  if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+    input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+  }
+
+  const command = new PutObjectCommand(input)

   await getClient().send(command)

@@ -167,11 +174,16 @@ async function multiPartUpload (options: {

   const statResult = await stat(inputPath)

-  const createMultipartCommand = new CreateMultipartUploadCommand({
+  const input: CreateMultipartUploadCommandInput = {
     Bucket: bucketInfo.BUCKET_NAME,
-    Key: key,
-    ACL: 'public-read'
-  })
+    Key: buildKey(objectStorageKey, bucketInfo)
+  }
+
+  if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+    input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+  }
+
+  const createMultipartCommand = new CreateMultipartUploadCommand(input)

   const createResponse = await s3Client.send(createMultipartCommand)
   const fd = await open(inputPath, 'r')
--
cgit v1.2.3
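Review bot: The `if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) { input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL }` block in objectStoragePut is repeated verbatim in the multiPartUpload hunk below; a single helper such as `const uploadAcl = () => CONFIG.OBJECT_STORAGE.UPLOAD_ACL ? { ACL: CONFIG.OBJECT_STORAGE.UPLOAD_ACL } : {}` spread into both inputs keeps the two upload paths from drifting, which matters because a mismatch would leave single-part and multipart objects with different visibility. Since the truthiness test makes `''`, `null` and an unset value all mean "send no ACL header", a one-line comment stating that contract, `// Empty/unset: omit the ACL header so bucket policy alone decides visibility`, would document what operators can rely on. objectStoragePut's signature starts before the hunk and its body continues after it.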
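Review bot: In the multiPartUpload hunk the create call's key changes from `Key: key` to `Key: buildKey(objectStorageKey, bucketInfo)`, a rewrite unrelated to the ACL change; if `key` (defined before the hunk) is still what the later UploadPart and CompleteMultipartUpload commands send, the created upload and its parts are no longer guaranteed to name the same object, and S3 rejects parts whose key differs from the one the upload was created for. Keeping `Key: key` here, or deriving the key once and using it in all three commands, removes that risk. multiPartUpload's body starts before the hunk and continues after it.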