There seems to be a problem with applying permissons right now, once you make an object readable publicly it stays that way even when you revoke those permissions. I tried this using different chrome profiles, incognito window, same profile, none of these work the file stays available indefinitely. I was thinking browser caching but then I tried this curl -O command from my mac terminal and I could download the file with no problems!
$ gsutil acl get gs://test-bucket-10516/test.jpg`[`
`{
"entity": "project-owners-675503792014",
"projectTeam": {
"projectNumber": "675503792014",
"team": "owners"
},
"role": "OWNER"
},
{
"entity": "project-editors-675503792014",
"projectTeam": {
"projectNumber": "675503792014",
"team": "editors"
},
"role": "OWNER"
},
{
"entity": "project-viewers-675503792014",
"projectTeam": {
"projectNumber": "675503792014",
"team": "viewers"
},
"role": "READER"
},
{
"email": "Muhammad.M.ElSayed@gmail.com",
"entity": "user-Muhammad.M.ElSayed@gmail.com",
"role": "OWNER"
}
]` yet when I download the file, I can do so with no problems
$ curl -O https://storage.googleapis.com/test-bucket-10516/test.jpg
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 119k 100 119k 0 0 480k 0 --:--:-- --:--:-- --:--:-- 481k
$ ll test.jpg-rw-r--r-- 1 mo staff 120K 19 Sep 21:32 test.jpg` how is this possible ? should I report this to Google ?
regards,
Mohamed
2 Answers
Hello! One thing to be aware of is that it can sometimes take a little bit of time for permissions changes like these to propagate, so do retry this a number of minutes later. Also, it might help to retry this in a fresh incognito session to reduce the chance that you’re getting impacted by any local caching (though you could conceivably still be affected by something like corporate caching, however unlikely).
Also, FWIW, I cannot currently access that object link you posted–but seemingly because you’ve since cleaned up the bucket, eh?
I hope this helps!
Mattias
=D Same thing here, after I remove public access I still can access it without the permission. As Mattias just said, standard cache-control metadata is set to 3600. A good way to check on this is use chrome Developers tools. Go to Network -> Click your object -> Click in Header. You will find something like this: Cache-Control: (public, max-age=3600)
To test the theory as I didn’t want to wait for cache to expires, I created other object, but before set it public I went to "Edit Metadata" and in Cache-Control I set the value: no-cache,max-age=0
In this case, I was able to see permissions take effect right away! =D
Hope it helps!!!!
Maybe be its a good thing to discuss in this tread that local cache was not the problem here. In this case, even when I ignore local cache I was able to get the file. Can ACLoudGuru team can explain this in a more robust way? Maybe thats a good opportunity to draw Data Flow???
Regards
yes, I’ve indeed cleaned things up since. was merely checking if anybody else has come across the same behaviour.
I am experiencing the same. In my case, I created my bucket as "regional" so the changes shouldn’t take long to propagate. Still 3 minutes after making the change, removing public access, I can still access it. If this is just a matter of time, I do find it a very long time…
It took about 30 minutes to apply the changes
Hey, thanks for the info, Matthieu! Did you try that in a separate browser/situation to try to bypass caching? Google notes: "By default, publicly readable objects are served with a Cache-Control header that allows the objects to be cached for 3600 seconds." — https://cloud.google.com/storage/docs/access-control/lists