upspin-ui GCP setup doesn't give allUsers read access to bucket

[alltom]

I'm trying to follow https://upspin.io/doc/faq.md to allow a second account to use my personal upspin server, but getting stuck. Repro steps:

1. Create a server on GCP with upspin-ui. Sign up as user1@example.com. Reading/writing files works as expected.
2. On a second computer, create a new user user2@example.com with upspin-ui.
3. Back on the first computer, copy ~/upspin/config.upspinserver to ~/upspin/deploy/myhostname/config
   1. (Should the initial setup have done this? upspin setupwriters seems to assume the config lives in a ~/upspin/deploy subdirectory… or maybe this is my problem?)
4. Run upspin setupwriters -domain myhostname user1@example.com user2@example.com
   1. If I upspin get the Group/Writers file, I see that both users are now in it.
5. Back on the second computer, choose the option to specify the servers.
6. Enter "myhostname:443" in both Directory Server and Store Server fields.
7. Click "Continue".

After a short delay, an error appears in the bottom of the dialog with a message like:

error communicating with "myhostname:443": store/remote("myhostname:443").Get: fetching https://storage.googleapis.com/mybucket/Upspin:notexist: 403 Forbidden"

Did I miss a step?

[alltom]

I just tried restarting my instance, to no avail.

[adg]

It looks like the Google Cloud Storage bucket permissions are wrong. They need to be set such that the bucket is world-readable. @grosse had some related issues recently; was this the solution?

…

On Wed, 4 Dec 2019 at 09:16, Tom Lieber ***@***.***> wrote: I just tried restarting my instance, to no avail. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#630?email_source=notifications&email_token=ACAOFFMSGCT5ZDC3MDOUCB3QW3LCLA5CNFSM4JU7HY4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEF3AFPI#issuecomment-561382077>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACAOFFMP7SLW5UEBXQQLEHDQW3LCLANCNFSM4JU7HY4A> .

[alltom]

I poked around in my bucket and don't see any files named "Upspin". The files that do exist are all public and accessing them is no problem.

[n2vi]

Indeed upspin-ui will fail if you see "Forbidden" instead of "Not exist" when you use your plain browser to get https://storage.googleapis.com/mybucket/Upspin:notexist (no upspin software or credentials needed.) I have not been able to determine what makes the difference; in my case two setups both had world-readable buckets as far as I could tell from the cloud console. It could be that finishing the setup for user2@example.com manually, for example using "upspin user | edit | upspin user -put" will work; that's what I'd been doing all along with success. But it would be nice for upspin-ui to get debugged as well, so we'll continue tpo investigate. On Tue, Dec 3, 2019 at 2:24 PM Andrew Gerrand <notifications@github.com> wrote:

…

It looks like the Google Cloud Storage bucket permissions are wrong. They need to be set such that the bucket is world-readable. @grosse had some related issues recently; was this the solution? On Wed, 4 Dec 2019 at 09:16, Tom Lieber ***@***.***> wrote: > I just tried restarting my instance, to no avail. > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > < #630?email_source=notifications&email_token=ACAOFFMSGCT5ZDC3MDOUCB3QW3LCLA5CNFSM4JU7HY4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEF3AFPI#issuecomment-561382077 >, > or unsubscribe > < https://github.com/notifications/unsubscribe-auth/ACAOFFMP7SLW5UEBXQQLEHDQW3LCLANCNFSM4JU7HY4A > > . > — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#630?email_source=notifications&email_token=ACADPOR46BGMVKLQMIY3Y7DQW3MCNA5CNFSM4JU7HY4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEF3A3MQ#issuecomment-561384882>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACADPORDAUTWYPKAPSNMIBLQW3MCNANCNFSM4JU7HY4A> .

[alltom]

Thanks for the info! I added "allUsers" as a member of the bucket with role "Storage Object Viewer" per this page and storage-ui was able to continue. However… is that insecure?

[n2vi]

Interesting. I don't have that setting, but seems it would be safe since the buckets are encrypted and signed.

…

On Tue, Dec 3, 2019 at 3:41 PM Tom Lieber ***@***.***> wrote: Thanks for the info! I added "allUsers" as a member of the bucket with role "Storage Object Viewer" per this page <https://cloud.google.com/storage/docs/access-control/making-data-public#buckets> and storage-ui was able to continue. However… is that insecure? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#630?email_source=notifications&email_token=ACADPOQGAGCJKN5O4AD256TQW3VBHA5CNFSM4JU7HY4KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEF3GL5A#issuecomment-561407476>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACADPORG3RFAG73BJQ2O2HLQW3VBHANCNFSM4JU7HY4A> .

[alltom]

Thanks, I seem to be in business now.

I renamed the issue to what I hope is a better summary of what seems to have been the problem.