Add object ownership s3 parameter

Signed-off-by: Suleimi Ahmed <sahmed@gitlab.com>
2023-03-16 06:25:33 -06:00 · 2023-03-16 06:25:33 -06:00 · e412eb112f
commit e412eb112f
parent e5d5810851
3 changed files with 34 additions and 0 deletions
--- a/docs/storage-drivers/s3.md
+++ b/docs/storage-drivers/s3.md
@ -26,6 +26,7 @@ Amazon S3 or S3 compatible services for object storage.
 | `rootdirectory`  | no | This is a prefix that is applied to all S3 keys to allow you to segment data in your bucket if necessary. |
 | `storageclass`  | no | The S3 storage class applied to each registry file. The default is `STANDARD`. |
 | `objectacl`  | no | The S3 Canned ACL for objects. The default value is "private". |
+| `objecownership`  | no | Indicates whether the S3 storage bucket to be used by the registry disabled access control lists (ACLs). The default value is `true`. |

 > **Note** You can provide empty strings for your access and secret keys to run the driver
 > on an ec2 instance and handles authentication with the instance's credentials. If you
@ -56,6 +57,8 @@ Amazon S3 or S3 compatible services for object storage.

 `objectacl`: (optional) The canned object ACL to be applied to each registry object. Defaults to `private`. If you are using a bucket owned by another AWS account, it is recommended that you set this to `bucket-owner-full-control` so that the bucket owner can access your objects. Other valid options are available in the [AWS S3 documentation](http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#canned-acl).

+`objectownership`: (optional) Whether your s3 bucket only supports object ownership as opposed to canned ACLs. This defaults to `false` if not specified. This parameter can not be `true` if the `objectacl` parameter is also set. S3 Object Ownership is an Amazon S3 bucket-level setting that you can use to disable access control lists (ACLs) and take ownership of every object in your bucket. More information is availaible in the [AWS S3 documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/about-object-ownership.html).
+

 ## S3 permission scopes

--- a/registry/storage/driver/s3-aws/s3.go
+++ b/registry/storage/driver/s3-aws/s3.go
@ -117,6 +117,7 @@ type DriverParameters struct {
 	SessionToken                string
 	UseDualStack                bool
 	Accelerate                  bool
+	ObjectOwnership             bool
 }

 func init() {
@ -164,6 +165,7 @@ type driver struct {
 	RootDirectory               string
 	StorageClass                string
 	ObjectACL                   string
+	ObjectOwnership             bool
 }

 type baseEmbed struct {
@ -368,9 +370,22 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
 		userAgent = ""
 	}

+	objectOwnership := false
+	objectOwnershipParam := parameters["objectownership"]
+	if objectOwnershipParam != nil {
+		objectOwnershipBool, ok := objectOwnershipParam.(bool)
+		if !ok {
+			return nil, fmt.Errorf("invalid value for objectownership parameter must be either %v or %v", true, false)
+		}
+		objectOwnership = objectOwnershipBool
+	}
+
 	objectACL := s3.ObjectCannedACLPrivate
 	objectACLParam := parameters["objectacl"]
 	if objectACLParam != nil {
+		if objectOwnership {
+			return nil, fmt.Errorf("objectacl parameter can not be set when objectownership parameter is set to %v", objectOwnership)
+		}
 		objectACLString, ok := objectACLParam.(string)
 		if !ok {
 			return nil, fmt.Errorf("invalid value for objectacl parameter: %v", objectACLParam)
@ -459,6 +474,7 @@ func FromParameters(parameters map[string]interface{}) (*Driver, error) {
 		fmt.Sprint(sessionToken),
 		useDualStackBool,
 		accelerateBool,
+		objectOwnership,
 	}

 	return New(params)
@ -578,6 +594,7 @@ func New(params DriverParameters) (*Driver, error) {
 		RootDirectory:               params.RootDirectory,
 		StorageClass:                params.StorageClass,
 		ObjectACL:                   params.ObjectACL,
+		ObjectOwnership:             params.ObjectOwnership,
 	}

 	return &Driver{
@ -1239,6 +1256,10 @@ func (d *driver) getContentType() *string {
 }

 func (d *driver) getACL() *string {
+
+	if d.ObjectOwnership {
+		return nil
+	}
 	return aws.String(d.ObjectACL)
 }

--- a/registry/storage/driver/s3-aws/s3_test.go
+++ b/registry/storage/driver/s3-aws/s3_test.go
@ -49,6 +49,7 @@ func init() {
 		useDualStack     = os.Getenv("S3_USE_DUALSTACK")
 		combineSmallPart = os.Getenv("MULTIPART_COMBINE_SMALL_PART")
 		accelerate       = os.Getenv("S3_ACCELERATE")
+		objectOwnership  = os.Getenv("S3_OBJECT_OWNERSHIP")
 	)

 	root, err := os.MkdirTemp("", "driver-")
@ -118,6 +119,14 @@ func init() {
 			}
 		}

+		objectOwnershipBool := false
+		if objectOwnership != "" {
+			objectOwnershipBool, err = strconv.ParseBool(objectOwnership)
+			if err != nil {
+				return nil, err
+			}
+		}
+
 		parameters := DriverParameters{
 			accessKey,
 			secretKey,
@ -142,6 +151,7 @@ func init() {
 			sessionToken,
 			useDualStackBool,
 			accelerateBool,
+			objectOwnershipBool,
 		}

 		return New(parameters)