WARNING: couldn't find acl header for object, generating default

What is the problem you are having with rclone?

Hello. I've copied objects from old rgw bucket to a new rgw bucket.
After the copy I've check every object health via "radosgw-admin object stat object=$i" and be sure everything written as expected.
Now somehow I see this warning in radosgw.log

2021-04-19 11:37:50.230 7f2d917eb700  1 ====== starting new request req=0x55a44414a710 =====
2021-04-19 11:37:50.230 7f2d917eb700  0 WARNING: couldn't find acl header for object, generating default
2021-04-19 11:37:50.230 7f2d917eb700  1 ====== req done req=0x55a44414a710 op status=0 http_status=200 latency=0s ======
2021-04-19 11:37:50.230 7f2d917eb700  1 beast: 0x55a44414a710: - - [2021-04-19 11:37:50.0.230489s] "HEAD /xdir/f5492238-50cb-4bc2-93fa-424869018946 HTTP/1.1" 200 0 - "aws-sdk-java/1.11.638 Linux/3.10.0-1160.11.1.el7.x86_64 Java_HotSpot(TM)_64-Bit_Server_VM/25.281-b09 java/1.8.0_281 groovy/2.5.6 vendor/Oracle_Corporation" -

If I check the object with radosgw-admin I see this:

radosgw-admin object stat --bucket=xdir --object=f5492238-50cb-4bc2-93fa-424869018946
    "name": "f5492238-50cb-4bc2-93fa-424869018946",
    "size": 0,
    "tag": "",
    "attrs": {
        "user.rgw.manifest": "",
        "user.rgw.olh.idtag": "5rs3x0qh152tn0j865k8ybo9xqy92qjn",
        "user.rgw.olh.info": "\u0001\u0001�",
        "user.rgw.olh.pending.00000000607c87b5pgo03tvm3sqt23i9": "\u0001\u0001\u0008",
        "user.rgw.olh.pending.00000000607c87b5pyv13ugk3fadvxw7": "\u0001\u0001\u0008",
        "user.rgw.olh.pending.00000000607c87b5qic02n0e54zsjkax": "\u0001\u0001\u0008",
        "user.rgw.olh.ver": "3"

What is your rclone version (output from rclone version)

rclone v1.55.0-beta.5247.b7199fe3d.fix-111-metadata

Which OS you are using and how many bits (eg Windows 7, 64 bit)

  • os/arch: linux/amd64
  • go version: go1.16

Which cloud storage system are you using? (eg Google Drive)

Ceph rgw

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone copy --files-from "object.list" oldbucket:bucket newbucket:bucket --no-traverse -vv --progress --fast-list --checksum --no-update-modtime --transfers 100 --checkers 100

The rclone config contents with secrets removed.

type = s3
provider = Other
bucket = xdir
access_key_id = 
secret_access_key = 
endpoint = http://10.x

type = s3
provider = Other
bucket = xdir
access_key_id = 
secret_access_key = 
endpoint = http://10.x

All these objects has ACL but somehow I got the problem.
After searching the cause I've seen Rclone ceph conf. Maybe the problem related to the config or the rclone parameters I use?

type = s3
provider = Ceph
env_auth = false
acl = private
bucket = 
access_key_id = 
secret_access_key = 
endpoint =

I don't think the S3 protocol supports CEPH ACLs. How did you set these ACLs? Via CEPH tools?

Does this cause a problem? If so what is the problem?

This is the ACL rclone will set on the destination objects - that is an S3 ACL and I'm not sure if that is the same thing as a CEPH ACL.

I wasn't talking about Ceph ACLs. The log belongs to radosgw and its s3 acls. The rgw code is below:

I see a comment in the code: "/* object exists, but policy is broken */"

static int get_obj_policy_from_attr(CephContext *cct,
				    RGWRados *store,
				    RGWObjectCtx& obj_ctx,
				    RGWBucketInfo& bucket_info,
				    map<string, bufferlist>& bucket_attrs,
				    RGWAccessControlPolicy *policy,
                                    string *storage_class,
				    rgw_obj& obj)
  bufferlist bl;
  int ret = 0;

  RGWRados::Object op_target(store, bucket_info, obj_ctx, obj);
  RGWRados::Object::Read rop(&op_target);

  ret = rop.get_attr(RGW_ATTR_ACL, bl);
  if (ret >= 0) {
    ret = decode_policy(cct, bl, policy);
    if (ret < 0)
      return ret;
  } else if (ret == -ENODATA) {
    /* object exists, but policy is broken */
    ldout(cct, 0) << "WARNING: couldn't find acl header for object, generating default" << dendl;
    RGWUserInfo uinfo;
    ret = rgw_get_user_info_by_uid(store, bucket_info.owner, uinfo);
    if (ret < 0)
      return ret;

    policy->create_default(bucket_info.owner, uinfo.display_name);

  if (storage_class) {
    bufferlist scbl;
    int r = rop.get_attr(RGW_ATTR_STORAGE_CLASS, scbl);
    if (r >= 0) {
      *storage_class = scbl.to_str();
    } else {

  return ret;

It seems like an rgw bug again but I couldn't get an answer from maillist yet.
I couldn't find any solution yet. I will delete these problematic objects with rclone and PUT them again to try.

OK. Let me know if you think this is an rclone bug.