storj / edge

Storj edge services (including multi-tenant, S3-compatible server to interact with the Storj network)


Object Lock Error Responses Wrong/Weird

ferristocrat opened this issue · comments

The following object lock related actions returned an "unauthorized" error rather than the appropriate error.

| Action | Example Request | Response | Expected response |
| --- | --- | --- | --- |
| PutBucketVersioning | aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Suspended --endpoint-url https://gateway.qa.storjshare.io | An error occurred (AccessDenied) when calling the PutBucketVersioning operation: Access Denied. | Not sure, but probably something different than the current response. |
| DeleteObject (with retention set) | aws s3api delete-object --bucket my-bucket --key my-object --version-id 0000000000000001a008c98f1d6afe18 --endpoint-url https://gateway.qa.storjshare.io | An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied | Not sure, but probably something different than the current response. |
| PutObjectLegalHold | aws s3api put-object-legal-hold --bucket my-bucket --key my-object --legal-hold '{ "Status": "ON"}' --endpoint-url https://gateway.qa.storjshare.io | An error occurred (InvalidRequest) when calling the PutObjectLegalHold operation: Bucket is missing ObjectLockConfiguration | Would expect "not implemented" response |

See columns G, H, I for more context: https://docs.google.com/spreadsheets/d/1Yfz1sSTRD2nTRAkgGJ27aAv7wTMJCd-74fJlujdNPBw/edit?gid=0#gid=0

Additional unmapped or incorrect errors discovered in tests: https://review.dev.storj.io/c/storj/edge/+/14432

  • GetObjectRetention on an object without retention unmapped error: object retention not found: object does not have a retention configuration. Maybe this should be InvalidRequest.
  • PutObject (and possibly PutObjectRetention) with governance mode unmapped error: invalid retention mode 0, expected 1 (compliance)
  • PutObjectRetention on an object with a retain until date in the past produced MalformedXML error instead of InvalidRequest.
  • PutObject when attempting to set lock settings on unversioned bucket produces unmapped error cannot specify Object Lock settings when uploading into a bucket without Versioning enabled

Jeremy mentioned that S3 returns AccessDenied if attempting to delete a locked object, so that one should probably keep the code as-is but provide a more useful message. S3 responds with this:

An error occurred (AccessDenied) when calling the DeleteObject operation: Access Denied because object protected by object lock.

AWS S3 error response research:

GetObjectLockConfiguration on bucket without object lock

S3: HTTP 404: ObjectLockConfigurationNotFoundError: Object Lock configuration does not exist for this bucket

Us: HTTP 400: "InvalidRequest: Bucket is missing Object Lock Configuration"

This is a big difference we should probably fix.

GetObjectRetention on object without any (bucket has object lock configuration)

S3: HTTP 404: "NoSuchObjectLockConfiguration: The specified object does not have a ObjectLock configuration"

Us: HTTP 400: "InvalidRequest: Object is missing retention configuration"

This is a big difference we should probably fix.

GetObjectRetention on object without any (bucket has no object lock configuration)

S3: HTTP 400: "InvalidRequest: Bucket is missing Object Lock Configuration"

Us: HTTP 400: "InvalidRequest: Object is missing retention configuration"

PutObjectLockConfiguration on bucket without versioning enabled

S3: HTTP 409: InvalidBucketState: Versioning must be 'Enabled' on the bucket to apply a Object Lock configuration

Us: HTTP 501: Unimplemented

PutObject with retain date in the past

S3: HTTP 400: InvalidArgument: The retain until date must be in the future!

Us: MalformedXML. Might be a minio issue.

PutObject with invalid mode

S3: HTTP 400: InvalidArgument: Unknown wormMode directive.

Us: HTTP 400: InvalidRequest

Might not be worth fixing the code when the status is the same.

PutObject with correct retention settings, versioning not enabled on bucket and no bucket lock configuration:

S3: HTTP 400: InvalidRequest: Bucket is missing ObjectLockConfiguration

Us: HTTP 500: "cannot specify Object Lock settings when uploading into a bucket without Versioning enabled"

This is critical to fix as it's unmapped (defaults to 500), which misleads clients into retrying with the same result.

PutObject with correct retention settings, versioning is enabled on bucket and no bucket lock configuration:

S3: HTTP 400: InvalidRequest: Bucket is missing ObjectLockConfiguration

Us: HTTP 500: "cannot specify Object Lock settings when uploading into a bucket without Object Lock enabled"

This is critical to fix as it's unmapped (defaults to 500), which misleads clients into retrying with the same result.

DeleteObject locked version

S3: HTTP 403: AccessDenied: Access Denied because object protected by object lock.

Us: HTTP 403: AccessDenied: Access Denied.

Adjusting the error message might be helpful to users.

PutBucketVersioning suspend bucket with existing object lock configuration

S3: HTTP 409: InvalidBucketState: An Object Lock configuration is present on this bucket, so the versioning state cannot be changed

Us: HTTP 403: AccessDenied: Access Denied:

This is probably worth fixing to make it more descriptive, at least.
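
An added sketch, not part of the issue thread and not Storj's gateway code, of an operation-aware error mapping that reproduces the S3 responses listed in the research above and shows where an unmapped error falls through to 500. The sentinel errors, `S3Error`, `rules` and `MapError` are hypothetical names; the status codes, error codes and messages are the S3 ones quoted in the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical sentinel errors; the gateway's real error values are not shown on this page.
var (
	ErrNoBucketLockConfig = errors.New("bucket has no Object Lock configuration")
	ErrNoObjectRetention  = errors.New("object has no retention configuration")
	ErrObjectLocked       = errors.New("object version is locked")
	ErrLockConfigPresent  = errors.New("bucket has an Object Lock configuration")
)

// S3Error carries the HTTP status plus the Code and Message of the S3 error body.
type S3Error struct {
	Status  int
	Code    string
	Message string
}

// Rules are checked in order; op "" matches any operation, so specific entries come first.
var rules = []struct {
	op     string
	target error
	resp   S3Error
}{
	{"GetObjectLockConfiguration", ErrNoBucketLockConfig, S3Error{404, "ObjectLockConfigurationNotFoundError", "Object Lock configuration does not exist for this bucket"}},
	{"", ErrNoBucketLockConfig, S3Error{400, "InvalidRequest", "Bucket is missing ObjectLockConfiguration"}},
	{"", ErrNoObjectRetention, S3Error{404, "NoSuchObjectLockConfiguration", "The specified object does not have a ObjectLock configuration"}},
	{"", ErrObjectLocked, S3Error{403, "AccessDenied", "Access Denied because object protected by object lock."}},
	{"", ErrLockConfigPresent, S3Error{409, "InvalidBucketState", "An Object Lock configuration is present on this bucket, so the versioning state cannot be changed"}},
}

// MapError resolves err, wrapped or not, to the S3 response for operation op;
// anything unmatched becomes a 500 InternalError, which clients treat as retryable.
func MapError(op string, err error) S3Error {
	for _, r := range rules {
		if (r.op == "" || r.op == op) && errors.Is(err, r.target) {
			return r.resp
		}
	}
	return S3Error{500, "InternalError", "We encountered an internal error, please try again."}
}

func main() {
	e := MapError("PutObject", fmt.Errorf("upload failed: %w", ErrNoBucketLockConfig)) // constructed sample error
	fmt.Println(e.Status, e.Code, e.Message)
}
```

Matching with `errors.Is` rather than comparing message strings keeps the mapping intact when a lower layer wraps the error with extra context.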