PutBucketACL: unable to remove current grants

[evgeniiz321]

Current grants:

'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 
'Grants': [
{'Grantee': {'DisplayName': '', 'EmailAddress': '', 'ID': '031a6c6fbbdf02ca351745fa86b9ba5a9452d785ac4f7fc2b7548ca2a46c4fcf4a', 'Type': 'CanonicalUser', 'URI': ''}, 'Permission': 'FULL_CONTROL'}]}

We want to remove Grants and trying to PUT following json:

{'Owner': {'DisplayName': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM', 'ID': 'NbUgTSFvPmsRxmGeWpuuGeJUoRoi6PErcM'}, 'Grants': []}

But get 500:

2023-10-18T02:18:11.257Z        error   handler/util.go:29      call method     {"status": 500, "request_id": "fc0c14a1-f3e5-4c21-93d5-d066f798bd19", "method": "PutBucketACL", "bucket": "yournamehere-5glkzt0jx74e55ha-1", "object": "", "description": "could not update bucket acl", "error": "could not translate ast to table: form records: public key from string: encoding/hex: invalid byte: U+004E 'N'"}

[smallhive]

The main problem here is the gate ACL response

$ aws --no-paginate s3api get-bucket-acl --bucket $BUCKET --endpoint http://localhost:19080
{
    "Owner": {
        "DisplayName": "Nj9FF9jYTsyX2XniTw5Kqy3Zf91nbhdYiM",
        "ID": "Nj9FF9jYTsyX2XniTw5Kqy3Zf91nbhdYiM"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "Nj9FF9jYTsyX2XniTw5Kqy3Zf91nbhdYiM",
                "ID": "033845e8ebc78251029261cbc0e9bae104d2b7cc9fee5c79720a30332d5b3d1aa0",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

Here in Owner.ID and Owner.DisplayName we put the wallet address. This is the only available information from the bucket about the owner.

Owner.ID should have the owner's public key, like in the Grantee section, to execute such set-acl requests without canned rules.
Generally, we would take this info from the bearer token and pass it through. But in the case of an anonymous request, we just don't have the source to derive this information.

The first thought that came to my mind is putting the owner public key to container attributes. But what if a container was created without s3 gate? It means the side system will not add the required information to the attributes.
We need a way to get the bucket owner public key in any time.

About the issue in general, does it make sense to restrict yourself to the bucket?

[roman-khimov]

Let's try container attributes (forget about non-S3 containers) until we have nspcc-dev/neofs-api#278.

[roman-khimov]

Needs to be checked against the AWS, any behavior can be justified.

[roman-khimov]

We've got new tokens with addresses, maybe something can be improved here.

[smallhive]

After the latest changes, the GRANTS look different and consistent:

{
    "Owner": {
        "DisplayName": "NiskPF9pfRMzg7V7PeB4d6ogLzu74a1L2Q",
        "ID": "NiskPF9pfRMzg7V7PeB4d6ogLzu74a1L2Q"
    },
    "Grants": [
        {
            "Grantee": {
                "DisplayName": "NiskPF9pfRMzg7V7PeB4d6ogLzu74a1L2Q",
                "ID": "NiskPF9pfRMzg7V7PeB4d6ogLzu74a1L2Q",
                "Type": "CanonicalUser"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

Now it is possible to upload downloaded ACL grants to the bucket without error. For test I used the next script:

export BUCKET=heh$(date +%s); echo $BUCKET; aws s3api create-bucket --bucket $BUCKET --endpoint http://localhost:19080
aws s3api get-bucket-acl --bucket $BUCKET --endpoint-url http://localhost:19080 > ACL.json
aws s3api put-bucket-acl --bucket $BUCKET --endpoint-url http://localhost:19080 --access-control-policy file://ACL.json

Despite this, it has no effect on the bucket owner grants. There is impossible to remove GRANTS from container owner