Add an ACL option to set access permission in S3 bucket #614 #615
There was an issue when we used CloudFront in one account to access S3 in another account. For example, my application and CloudFront are in account A but my S3 bucket is configured in account B. Then I checked the log of scheduled tasks and could see this issue:
```
php admin/cli/scheduled_task.php --execute='\tool_objectfs\task\push_objects_to_storage'
Execute scheduled task: Object file system upload task (tool_objectfs\task\push_objects_to_storage)
... started 12:42:52. Current memory use 2.9 MB.
copy_object_from_local_to_external. Total time taken: 0.16533708572388 seconds. Location change summary:
local -> local. Objects moved: 4. Total size: 4.6 MB.
... used 13 dbqueries
... used 0.66407299041748 seconds
Scheduled task complete: Object file system upload task (tool_objectfs\task\push_objects_to_storage)
```
It means we can't push objects from local to S3 (local->external). I tried adding a debug statement in the upload_to_s3() function in https://github.com/catalyst/moodle-tool_objectfs/blob/MOODLE_310_STABLE/classes/local/store/s3/client.php line 458 and got this error:
```
Execute scheduled task: Object file system upload task (tool_objectfs\task\push_objects_to_storage)
... started 12:27:04. Current memory use 2.9 MB.
exception 'Aws\S3\Exception\S3Exception' with message 'Error executing "PutObject" on "https://s3bucketname.s3.region.amazonaws.com/path/to/objectkey"; AWS HTTP error: Client error: https://s3bucketname.s3.region.amazonaws.com/path/to/objectkey resulted in a 400 Bad Request response:
AccessControlListNotSupportedThe bucket does not all (truncated...)
AccessControlListNotSupported (client): The bucket does not allow ACLs -
AccessControlListNotSupportedThe bucket does not allow ACLsRequestIDHostID='
```
I recognized that $acl is set to private by default (https://github.com/catalyst/moodle-local_aws/blob/master/sdk/Aws/S3/ObjectUploader.php line 54), but we don't have any way to pass in $acl from the upload_to_s3() function in the moodle-tool-objectfs plugin. I tested this and it doesn't matter if Moodle, CloudFront and S3 are stored in the same AWS account. So, I'm wondering if we can create an option for this on the Moodle settings page, with private by default.
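An added example (not code from this pull request or from the plugin): one way a configurable ACL value could be validated before it reaches PutObject, keeping private as the default and refusing publicly readable ACLs unless explicitly allowed. The function name, the `none` value and the `$allowpublic` flag are assumptions made for illustration.

```php
<?php
// Added example. objectfs_put_params(), the 'none' value and $allowpublic
// are hypothetical names, not part of tool_objectfs or the AWS SDK.

// Canned ACLs that S3 defines for objects.
const S3_OBJECT_CANNED_ACLS = [
    'private', 'public-read', 'public-read-write', 'authenticated-read',
    'aws-exec-read', 'bucket-owner-read', 'bucket-owner-full-control',
];

// Canned ACLs that grant access beyond the object owner and bucket owner.
const S3_BROAD_ACLS = ['public-read', 'public-read-write', 'authenticated-read'];

/**
 * Build the parameter array for a PutObject call from a configured ACL.
 * 'none' omits the ACL parameter entirely, for buckets that have ACLs
 * disabled and reject requests carrying one (AccessControlListNotSupported).
 */
function objectfs_put_params(string $bucket, string $key, $body,
        string $acl = 'private', bool $allowpublic = false): array {
    $params = ['Bucket' => $bucket, 'Key' => $key, 'Body' => $body];

    if ($acl === 'none') {
        return $params; // Send no ACL at all.
    }
    if (!in_array($acl, S3_OBJECT_CANNED_ACLS, true)) {
        // Reject typos and arbitrary strings instead of forwarding them to S3.
        throw new InvalidArgumentException("Unknown canned ACL: {$acl}");
    }
    if (in_array($acl, S3_BROAD_ACLS, true) && !$allowpublic) {
        // A settings-page value must not expose uploaded files by accident.
        throw new InvalidArgumentException("ACL {$acl} requires explicit opt-in");
    }
    $params['ACL'] = $acl;
    return $params;
}

// Constructed sample values, reusing the placeholder names from the log above.
$crossaccount = objectfs_put_params('s3bucketname', 'path/to/objectkey',
    'file contents', 'bucket-owner-full-control');
$noacl = objectfs_put_params('s3bucketname', 'path/to/objectkey',
    'file contents', 'none');

var_dump(isset($crossaccount['ACL']), isset($noacl['ACL']));
// With the AWS SDK for PHP the array would be passed to $client->putObject($params).
```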