WARNING: couldn't find acl header for object, generating default

What is the problem you are having with rclone?

Hello. I've copied objects from an old rgw bucket to a new rgw bucket.
After the copy I checked every object's health via "radosgw-admin object stat object=$i" and made sure everything was written as expected.
Now somehow I see this warning in radosgw.log:

2021-04-19 11:37:50.230 7f2d917eb700  1 ====== starting new request req=0x55a44414a710 =====
2021-04-19 11:37:50.230 7f2d917eb700  0 WARNING: couldn't find acl header for object, generating default
2021-04-19 11:37:50.230 7f2d917eb700  1 ====== req done req=0x55a44414a710 op status=0 http_status=200 latency=0s ======
2021-04-19 11:37:50.230 7f2d917eb700  1 beast: 0x55a44414a710: - - [2021-04-19 11:37:50.0.230489s] "HEAD /xdir/f5492238-50cb-4bc2-93fa-424869018946 HTTP/1.1" 200 0 - "aws-sdk-java/1.11.638 Linux/3.10.0-1160.11.1.el7.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.281-b09 java/1.8.0_281 groovy/2.5.6 vendor/Oracle_Corporation" -

If I check the object with radosgw-admin I see this:

radosgw-admin object stat --bucket=xdir --object=f5492238-50cb-4bc2-93fa-424869018946
    "name": "f5492238-50cb-4bc2-93fa-424869018946",
    "size": 0,
    "tag": "",
    "attrs": {
        "user.rgw.manifest": "",
        "user.rgw.olh.idtag": "5rs3x0qh152tn0j865k8ybo9xqy92qjn",
        "user.rgw.olh.info": "\u0001\u0001�",
        "user.rgw.olh.pending.00000000607c87b5pgo03tvm3sqt23i9": "\u0001\u0001\u0008",
        "user.rgw.olh.pending.00000000607c87b5pyv13ugk3fadvxw7": "\u0001\u0001\u0008",
        "user.rgw.olh.pending.00000000607c87b5qic02n0e54zsjkax": "\u0001\u0001\u0008",
        "user.rgw.olh.ver": "3"

What is your rclone version (output from rclone version)

rclone v1.55.0-beta.5247.b7199fe3d.fix-111-metadata

Which OS you are using and how many bits (eg Windows 7, 64 bit)

  • os/arch: linux/amd64
  • go version: go1.16

Which cloud storage system are you using? (eg Google Drive)

Ceph rgw

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone copy --files-from "object.list" oldbucket:bucket newbucket:bucket --no-traverse -vv --progress --fast-list --checksum --no-update-modtime --transfers 100 --checkers 100

The rclone config contents with secrets removed.

type = s3
provider = Other
bucket = xdir
access_key_id = 
secret_access_key = 
endpoint = http://10.x

type = s3
provider = Other
bucket = xdir
access_key_id = 
secret_access_key = 
endpoint = http://10.x

All these objects have ACLs, but somehow I got the problem.
After searching for the cause, I've seen the rclone Ceph conf. Maybe the problem is related to the config or the rclone parameters I use?

type = s3
provider = Ceph
env_auth = false
acl = private
bucket = 
access_key_id = 
secret_access_key = 
endpoint =

I don't think the S3 protocol supports CEPH ACLs. How did you set these ACLs? Via CEPH tools?

Does this cause a problem? If so what is the problem?

This is the ACL rclone will set on the destination objects - that is an S3 ACL and I'm not sure if that is the same thing as a CEPH ACL.

I wasn't talking about Ceph ACLs. The log belongs to radosgw and its s3 acls. The rgw code is below:

I see a comment in the code: "/* object exists, but policy is broken */"

static int get_obj_policy_from_attr(CephContext *cct,
                                    RGWRados *store,
                                    RGWObjectCtx& obj_ctx,
                                    RGWBucketInfo& bucket_info,
                                    map<string, bufferlist>& bucket_attrs,
                                    RGWAccessControlPolicy *policy,
                                    string *storage_class,
                                    rgw_obj& obj)
{
  bufferlist bl;
  int ret = 0;

  RGWRados::Object op_target(store, bucket_info, obj_ctx, obj);
  RGWRados::Object::Read rop(&op_target);

  /* read the ACL attribute stored on the object */
  ret = rop.get_attr(RGW_ATTR_ACL, bl);
  if (ret >= 0) {
    ret = decode_policy(cct, bl, policy);
    if (ret < 0)
      return ret;
  } else if (ret == -ENODATA) {
    /* object exists, but policy is broken */
    ldout(cct, 0) << "WARNING: couldn't find acl header for object, generating default" << dendl;
    RGWUserInfo uinfo;
    ret = rgw_get_user_info_by_uid(store, bucket_info.owner, uinfo);
    if (ret < 0)
      return ret;

    /* fall back to a default policy for the bucket owner */
    policy->create_default(bucket_info.owner, uinfo.display_name);
  }

  if (storage_class) {
    bufferlist scbl;
    int r = rop.get_attr(RGW_ATTR_STORAGE_CLASS, scbl);
    if (r >= 0) {
      *storage_class = scbl.to_str();
    } else {
      /* body of this branch is not shown in the post */
    }
  }

  return ret;
}

It seems like an rgw bug again, but I couldn't get an answer from the mailing list yet.
I couldn't find any solution yet. I will delete these problematic objects with rclone and PUT them again to try.

OK. Let me know if you think this is an rclone bug.
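To find which objects take the "generating default" branch, the warning can be tied back to its request in radosgw.log. The script below is an added example, not code from the thread, rclone or Ceph. It assumes the warning is logged on the same thread as the "starting new request" line (as in the excerpt above) and that requests use path-style addressing; the second request in the sample and the shortened user agents are constructed.

```python
import re

# Sample in the radosgw.log format quoted in the thread. The first request is
# the one from the post (user agent shortened); the second is constructed.
SAMPLE_LOG = """\
2021-04-19 11:37:50.230 7f2d917eb700  1 ====== starting new request req=0x55a44414a710 =====
2021-04-19 11:37:50.230 7f2d917eb700  0 WARNING: couldn't find acl header for object, generating default
2021-04-19 11:37:50.230 7f2d917eb700  1 ====== req done req=0x55a44414a710 op status=0 http_status=200 latency=0s ======
2021-04-19 11:37:50.230 7f2d917eb700  1 beast: 0x55a44414a710: - - [2021-04-19 11:37:50.0.230489s] "HEAD /xdir/f5492238-50cb-4bc2-93fa-424869018946 HTTP/1.1" 200 0 - "aws-sdk-java/1.11.638" -
2021-04-19 11:37:51.100 7f2d8ffe8700  1 ====== starting new request req=0x55a44414b820 =====
2021-04-19 11:37:51.101 7f2d8ffe8700  1 ====== req done req=0x55a44414b820 op status=0 http_status=200 latency=0s ======
2021-04-19 11:37:51.101 7f2d8ffe8700  1 beast: 0x55a44414b820: - - [2021-04-19 11:37:51.0.101000s] "GET /xdir/constructed-object-with-acl HTTP/1.1" 200 12 - "constructed-agent" -
"""

LINE = re.compile(r'^(\S+ \S+) (\w+)\s+\d+ (.*)$')   # timestamp, thread id, message
START = re.compile(r'starting new request req=(0x[0-9a-f]+)')
BEAST = re.compile(r'beast: (0x[0-9a-f]+): .*?"(\w+) (\S+) HTTP/[\d.]+" (\d{3})')
WARN = "couldn't find acl header for object"

def objects_with_default_acl(log_text):
    """Return one record per request that made rgw generate a default ACL."""
    current = {}   # thread id -> request id that thread is handling
    flagged = {}   # request id -> timestamp of the warning
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, thread, msg = m.groups()
        if (s := START.search(msg)):
            current[thread] = s.group(1)
        elif WARN in msg and thread in current:
            flagged[current[thread]] = ts
        elif (b := BEAST.search(msg)):
            req, method, path, status = b.groups()
            if req in flagged:
                # Path-style request: first path segment is the bucket.
                bucket, _, key = path.lstrip("/").partition("/")
                hits.append({"time": flagged.pop(req), "method": method,
                             "bucket": bucket, "key": key,
                             "http_status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in objects_with_default_acl(SAMPLE_LOG):
        print(hit)
```

Each bucket and key it reports can then be inspected with the `radosgw-admin object stat` command shown earlier in the thread.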
