Make object storage ACL configurable

Override this value to allow uploads to non-public S3 buckets. Otherwise "AccessDenied: Access Denied" errors will end up in the log. Fixes #4850
2022-03-15 08:57:12 -07:00 · 2022-03-15 08:57:12 -07:00 · f9915efa5e
parent 60233e90d2
commit f9915efa5e
5 changed files with 28 additions and 8 deletions
--- a/config/default.yaml
+++ b/config/default.yaml
@ -138,6 +138,9 @@ object_storage:

  region: 'us-east-1'

+  # Set this ACL on each uploaded object
+  upload_acl: 'public-read'
+
  credentials:
    # You can also use AWS_ACCESS_KEY_ID env variable
    access_key_id: ''
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@ -134,6 +134,9 @@ object_storage:

  region: 'us-east-1'

+  # Set this ACL on each uploaded object
+  upload_acl: 'public'
+
  credentials:
    # You can also use AWS_ACCESS_KEY_ID env variable
    access_key_id: ''
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@ -114,6 +114,7 @@ const CONFIG = {
    MAX_UPLOAD_PART: bytes.parse(config.get<string>('object_storage.max_upload_part')),
    ENDPOINT: config.get<string>('object_storage.endpoint'),
    REGION: config.get<string>('object_storage.region'),
+    UPLOAD_ACL: config.get<string>('object_storage.upload_acl'),
    CREDENTIALS: {
      ACCESS_KEY_ID: config.get<string>('object_storage.credentials.access_key_id'),
      SECRET_ACCESS_KEY: config.get<string>('object_storage.credentials.secret_access_key')
--- a/server/lib/object-storage/shared/object-storage-helpers.ts
+++ b/server/lib/object-storage/shared/object-storage-helpers.ts
@ -6,10 +6,12 @@ import {
  CompletedPart,
  CompleteMultipartUploadCommand,
  CreateMultipartUploadCommand,
+  CreateMultipartUploadCommandInput,
  DeleteObjectCommand,
  GetObjectCommand,
  ListObjectsV2Command,
  PutObjectCommand,
+  PutObjectCommandInput,
  UploadPartCommand
 } from '@aws-sdk/client-s3'
 import { pipelinePromise } from '@server/helpers/core-utils'
@ -143,12 +145,17 @@ async function objectStoragePut (options: {
 }) {
  const { objectStorageKey, content, bucketInfo } = options

-  const command = new PutObjectCommand({
+  const input: PutObjectCommandInput = {
    Bucket: bucketInfo.BUCKET_NAME,
    Key: buildKey(objectStorageKey, bucketInfo),
-    Body: content,
-    ACL: 'public-read'
-  })
+    Body: content
+  }
+
+  if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+    input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+  }
+
+  const command = new PutObjectCommand(input)

  await getClient().send(command)

@ -167,11 +174,16 @@ async function multiPartUpload (options: {

  const statResult = await stat(inputPath)

-  const createMultipartCommand = new CreateMultipartUploadCommand({
+  const input: CreateMultipartUploadCommandInput = {
    Bucket: bucketInfo.BUCKET_NAME,
-    Key: key,
-    ACL: 'public-read'
-  })
+    Key: buildKey(objectStorageKey, bucketInfo)
+  }
+
+  if (CONFIG.OBJECT_STORAGE.UPLOAD_ACL) {
+    input.ACL = CONFIG.OBJECT_STORAGE.UPLOAD_ACL
+  }
+
+  const createMultipartCommand = new CreateMultipartUploadCommand(input)
  const createResponse = await s3Client.send(createMultipartCommand)

  const fd = await open(inputPath, 'r')
--- a/support/docker/production/config/custom-environment-variables.yaml
+++ b/support/docker/production/config/custom-environment-variables.yaml
@ -66,6 +66,7 @@ object_storage:
    bucket_name: "PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_BUCKET_NAME"
    prefix: "PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_PREFIX"
    base_url: "PEERTUBE_OBJECT_STORAGE_STREAMING_PLAYLISTS_BASE_URL"
+    upload_acl: "PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL"

  videos:
    bucket_name: "PEERTUBE_OBJECT_STORAGE_VIDEOS_BUCKET_NAME"