Description
Describe the bug
ESOP backup fails when using Google Cloud Storage buckets with uniform bucket-level access enabled. The error occurs because ESOP automatically sends the predefinedAcl=bucketOwnerFullControl parameter during upload operations, which is incompatible with uniform bucket-level access that disables all ACL functionality.
To Reproduce
Steps to reproduce the behavior:
- Create a GCS bucket with uniform bucket-level access enabled:
  gsutil mb gs://test-bucket
  gsutil uniformbucketlevelaccess set on gs://test-bucket
- Configure proper IAM permissions for your service account on the bucket
- Trigger backup from Icarus
- Observe the error:
PUT https://storage.googleapis.com/upload/storage/v1/b/test-bucket/o?name=...&predefinedAcl=bucketOwnerFullControl&uploadType=resumable&upload_id=...
{
  "error": {
    "code": 400,
    "message": "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access",
    "errors": [
      {
        "message": "Cannot insert legacy ACL for an object when uniform bucket-level access is enabled. Read more at https://cloud.google.com/storage/docs/uniform-bucket-level-access",
        "domain": "global",
        "reason": "invalid"
      }
    ]
  }
}
Expected behavior
ESOP should successfully upload files to GCS buckets with uniform bucket-level access enabled.
System and versions (please complete the following information):
java -jar /usr/share/java/icarus.jar esop --version
instaclustr-esop 3.0.0
Build time: 2024-10-02T00:03:24+0200
Git commit: unknown
java -jar /usr/share/java/icarus.jar icarus --version
instaclustr-icarus 3.0.0
Build time: 2024-10-02T00:03:24+0200
Git commit: unknown
Additional context
- Google Cloud Storage uniform bucket-level access is the recommended security practice and is often enforced by organization policies
- Similar issues have been reported in other libraries (e.g., Cannot insert legacy ACL for an object when uniform bucket-level access is enabled googleapis/nodejs-storage#1230, Issue #1356: It should be possible not to use the visibility handler/visibility settings. thephpleague/flysystem#1357)
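The behaviour requested above, sketched as an added example that is not part of the original report and is not ESOP's code: an uploader that reads the bucket resource's `iamConfiguration.uniformBucketLevelAccess.enabled` field and omits `predefinedAcl` when it is set, plus a check that recognises the 400 response shown in the report. The function names, the `legacy-bucket` name and the sample inputs are constructed for illustration.

```python
import json
from urllib.parse import urlencode, urlsplit, parse_qs

UPLOAD_BASE = "https://storage.googleapis.com/upload/storage/v1/b/{bucket}/o"

def ubla_enabled(bucket_metadata: dict) -> bool:
    """True when the bucket resource reports uniform bucket-level access."""
    iam = bucket_metadata.get("iamConfiguration") or {}
    return bool((iam.get("uniformBucketLevelAccess") or {}).get("enabled", False))

def upload_url(bucket_metadata: dict, object_name: str,
               acl: str = "bucketOwnerFullControl") -> str:
    """Build a resumable-upload URL; skip predefinedAcl on UBLA buckets."""
    params = {"name": object_name, "uploadType": "resumable"}
    if not ubla_enabled(bucket_metadata):
        # Object ACLs are only accepted while UBLA is off; with UBLA on,
        # access to the object is governed by bucket-level IAM alone.
        params["predefinedAcl"] = acl
    base = UPLOAD_BASE.format(bucket=bucket_metadata["name"])
    return base + "?" + urlencode(params)

def is_ubla_acl_rejection(status: int, body: str) -> bool:
    """Recognise the 400 from the report so callers can log or retry without an ACL."""
    if status != 400:
        return False
    try:
        err = json.loads(body)["error"]
        reasons = {e.get("reason") for e in err.get("errors", [])}
        message = err.get("message", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # not a GCS JSON error body
    return "invalid" in reasons and "uniform bucket-level access" in message

def query(url: str) -> dict:
    """Parsed query string of a URL, for inspection."""
    return parse_qs(urlsplit(url).query)

# Constructed sample inputs (shape follows the GCS JSON API bucket resource
# and the error body quoted in the report).
UBLA_BUCKET = {"name": "test-bucket",
               "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True}}}
ACL_BUCKET = {"name": "legacy-bucket",
              "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}}
_MSG = ("Cannot insert legacy ACL for an object when uniform bucket-level "
        "access is enabled.")
ERROR_BODY = json.dumps({"error": {"code": 400, "message": _MSG, "errors": [
    {"message": _MSG, "domain": "global", "reason": "invalid"}]}})

if __name__ == "__main__":
    print(upload_url(UBLA_BUCKET, "backup/manifest.json"))
    print(upload_url(ACL_BUCKET, "backup/manifest.json"))
    print(is_ubla_acl_rejection(400, ERROR_BODY))
```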