S3 object ownership

S3 object ownership is a bucket-level setting in the Ceph Object Gateway (RGW) that defines who owns uploaded objects and whether Access Control Lists (ACLs) are evaluated for access decisions. Use object ownership to simplify access control, improve consistency in multi-tenant deployments, and reduce reliance on ACLs.

Ceph Object Gateway supports three S3-compatible ownership modes. Each ownership mode determines how object ownership is assigned at upload time and how ACLs are evaluated.

Object ownership can be configured at bucket creation or updated on existing buckets.

ObjectWriter
  • This is the default behavior in Ceph Object Gateway.
  • The uploader owns the object.
  • ACLs are enabled.
  • Access evaluation uses policies and ACLs.
BucketOwnerEnforced
  • The bucket owner owns all objects.
  • ACLs are disabled; ACL operations such as PutObjectAcl fail.
  • Upload requests that specify ACLs other than bucket-owner-full-control fail.
  • Access evaluation uses policies only.
  • When you update an existing bucket to BucketOwnerEnforced by using PutBucketOwnershipControls, the bucket ACL must be private. If the bucket ACL is not private, the request fails with the error InvalidBucketAclWithObjectOwnership (HTTP 400). This requirement does not apply when you set BucketOwnerEnforced during bucket creation by using the x-amz-object-ownership header.
BucketOwnerPreferred
  • The uploader owns the object by default.
  • The bucket owner becomes the owner if the upload includes the bucket-owner-full-control canned ACL.
  • ACLs remain enabled.
  • Access evaluation uses policies and ACLs.
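The three modes above reduce to a small decision table. The following Python model is an added example for this page, not Ceph code: it encodes only the rules listed above (who owns an upload, the bucket-owner-full-control transfer, whether PutObjectAcl/PutBucketAcl are accepted, and which inputs an access decision consults), and the user ids tenant-a and tenant-b are made up.

```python
"""Reference model of the three RGW S3 object-ownership modes.

Constructed example, not code from Ceph. It encodes only the rules stated in
the mode list so the outcome of an upload, an ACL call or an access decision
can be predicted before a request reaches the gateway. User ids are made up.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MODES = ("ObjectWriter", "BucketOwnerEnforced", "BucketOwnerPreferred")
BUCKET_OWNER_FULL_CONTROL = "bucket-owner-full-control"


@dataclass(frozen=True)
class UploadOutcome:
    accepted: bool
    owner: Optional[str]   # user id that owns the object; None when rejected
    reason: str


def _check_mode(mode: str) -> None:
    if mode not in MODES:
        raise ValueError(f"unknown object-ownership mode: {mode!r}")


def resolve_upload(mode: str, bucket_owner: str, uploader: str,
                   canned_acl: Optional[str] = None) -> UploadOutcome:
    """Decide whether a PutObject is accepted and who ends up owning the object."""
    _check_mode(mode)
    if mode == "BucketOwnerEnforced":
        # ACLs are disabled: only bucket-owner-full-control (or no ACL at all)
        # is tolerated, and the bucket owner owns the object whoever uploaded it.
        if canned_acl not in (None, BUCKET_OWNER_FULL_CONTROL):
            return UploadOutcome(False, None,
                                 f"upload rejected: ACL {canned_acl!r} not allowed")
        return UploadOutcome(True, bucket_owner, "bucket owner owns all objects")
    if mode == "BucketOwnerPreferred" and canned_acl == BUCKET_OWNER_FULL_CONTROL:
        return UploadOutcome(True, bucket_owner,
                             "bucket-owner-full-control hands ownership to the bucket owner")
    # ObjectWriter, or BucketOwnerPreferred without the transferring ACL.
    return UploadOutcome(True, uploader, "uploader keeps ownership")


def acl_operation_allowed(mode: str) -> bool:
    """PutObjectAcl and PutBucketAcl are refused only when ACLs are disabled."""
    _check_mode(mode)
    return mode != "BucketOwnerEnforced"


def access_inputs(mode: str) -> Tuple[str, ...]:
    """Mechanisms consulted for an access decision in the given mode."""
    _check_mode(mode)
    if mode == "BucketOwnerEnforced":
        return ("policies",)
    return ("policies", "acls")


if __name__ == "__main__":
    # Constructed scenario: tenant-a owns the bucket, tenant-b uploads into it.
    for mode in MODES:
        for acl in (None, BUCKET_OWNER_FULL_CONTROL, "public-read"):
            out = resolve_upload(mode, "tenant-a", "tenant-b", acl)
            print(f"{mode:<21} acl={str(acl):<26} accepted={str(out.accepted):<5} "
                  f"owner={out.owner}  ({out.reason})")
        print(f"{mode:<21} ACL operations allowed={acl_operation_allowed(mode)}, "
              f"access decided by {', '.join(access_inputs(mode))}\n")
```

Running the block prints the outcome of the same upload under each mode, which makes the one behavioural trap visible: a client that sends public-read or any ACL other than bucket-owner-full-control keeps working under ObjectWriter and BucketOwnerPreferred but is rejected outright once a bucket is switched to BucketOwnerEnforced.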

Using object ownership

You can use object ownership to simplify access control and ensure consistent ownership behavior across different workloads.

  • Policy-only access (optional): Disable ACLs and rely solely on bucket or IAM-style policies.
  • Consistent multi-tenant behavior: Ensure the bucket owner retains object ownership when multiple users upload to the same bucket.
  • Compatibility: Match modern S3 application expectations for bucket-owner-controlled access.
Table 1. Mode behavior summary

Mode                  Ownership                                                   ACL behavior
ObjectWriter          Uploader                                                    ACLs enabled; evaluated with policies
BucketOwnerEnforced   Bucket owner for all objects                                ACLs disabled; ACL operations fail; access evaluated by policies only
BucketOwnerPreferred  Uploader by default; bucket owner when the request          ACLs enabled; evaluated with policies
                      includes bucket-owner-full-control

Effects on object operations

Object ownership controls how uploads and ACL-related APIs behave:

Upload and ACL-related API behavior in BucketOwnerEnforced mode

  • PutObjectAcl and PutBucketAcl return an error.
  • Upload requests that specify ACLs other than bucket-owner-full-control fail.
  • Access decisions use only policies.

Upload and ACL-related API behavior in BucketOwnerPreferred and ObjectWriter modes

  • ACLs are enabled and evaluated.
  • Object ownership follows the mode-specific rules described above.
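Because switching an existing bucket to BucketOwnerEnforced fails with InvalidBucketAclWithObjectOwnership unless the bucket ACL is private, a migration script should check the ACL before calling PutBucketOwnershipControls. The following boto3 workflow is an added example, not Ceph project code: the endpoint, bucket names and user ids are placeholders, FakeGateway is an offline stand-in for the real client, and "private" is taken to mean the private canned ACL (a single FULL_CONTROL grant held by the bucket owner). The boto3 calls used (create_bucket with ObjectOwnership, get_bucket_acl, put_bucket_ownership_controls) are the standard S3 client methods.

```python
"""Moving an RGW bucket to BucketOwnerEnforced with boto3.

Added example, not from the Ceph documentation or code base. Assumes boto3
credentials are configured and RGW_ENDPOINT (a placeholder) points at the
gateway. boto3 is imported lazily so the ACL check and FakeGateway run offline.
"""
from typing import Any, Dict, List, Optional

RGW_ENDPOINT = "http://rgw.example.internal:8080"  # placeholder, not a real host
ENFORCED = "BucketOwnerEnforced"
ACL_ERROR = "InvalidBucketAclWithObjectOwnership"

try:
    from botocore.exceptions import ClientError
except ImportError:  # offline stand-in with the same .response shape
    class ClientError(Exception):
        def __init__(self, error_response: Dict[str, Any], operation_name: str):
            super().__init__(error_response, operation_name)
            self.response = error_response


def acl_is_private(acl: Dict[str, Any]) -> bool:
    """True if a GetBucketAcl response grants FULL_CONTROL to the owner and nobody else."""
    owner_id = acl.get("Owner", {}).get("ID")
    grants = acl.get("Grants", [])
    if owner_id is None or len(grants) != 1:
        return False
    grantee = grants[0].get("Grantee", {})
    return (grantee.get("Type") == "CanonicalUser"
            and grantee.get("ID") == owner_id
            and grants[0].get("Permission") == "FULL_CONTROL")


def make_client(endpoint: str = RGW_ENDPOINT):
    import boto3  # lazy: only needed when talking to a real gateway
    return boto3.client("s3", endpoint_url=endpoint)


def create_enforced_bucket(client, name: str):
    # Sends x-amz-object-ownership: BucketOwnerEnforced; no ACL precondition at creation.
    return client.create_bucket(Bucket=name, ObjectOwnership=ENFORCED)


def enforce_on_existing_bucket(client, name: str) -> str:
    """Switch an existing bucket, checking the ACL precondition client-side first."""
    if not acl_is_private(client.get_bucket_acl(Bucket=name)):
        return "refused locally: bucket ACL is not private; reset it with put_bucket_acl(ACL='private')"
    try:
        client.put_bucket_ownership_controls(
            Bucket=name, OwnershipControls={"Rules": [{"ObjectOwnership": ENFORCED}]})
    except ClientError as exc:
        if exc.response.get("Error", {}).get("Code") == ACL_ERROR:
            return f"refused by gateway: {ACL_ERROR} (HTTP 400)"
        raise
    return ENFORCED


# Constructed GetBucketAcl responses for the offline walk-through.
PRIVATE_ACL = {
    "Owner": {"ID": "tenant-a"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "tenant-a"},
                "Permission": "FULL_CONTROL"}],
}
SHARED_ACL = {
    "Owner": {"ID": "tenant-a"},
    "Grants": PRIVATE_ACL["Grants"] + [
        {"Grantee": {"Type": "CanonicalUser", "ID": "tenant-b"}, "Permission": "READ"}],
}


class FakeGateway:
    """Offline stand-in for a boto3 S3 client; returns a fixed ACL and an optional error."""

    def __init__(self, acl: Dict[str, Any], error_code: Optional[str] = None):
        self._acl, self._error_code = acl, error_code
        self.calls: List[Dict[str, Any]] = []

    def get_bucket_acl(self, Bucket: str) -> Dict[str, Any]:
        return self._acl

    def put_bucket_ownership_controls(self, Bucket: str, OwnershipControls: Dict[str, Any]):
        self.calls.append(OwnershipControls)
        if self._error_code:
            raise ClientError({"Error": {"Code": self._error_code}}, "PutBucketOwnershipControls")
        return {}


if __name__ == "__main__":
    print(enforce_on_existing_bucket(FakeGateway(SHARED_ACL), "logs"))
    print(enforce_on_existing_bucket(FakeGateway(PRIVATE_ACL), "logs"))
    print(enforce_on_existing_bucket(FakeGateway(PRIVATE_ACL, ACL_ERROR), "logs"))
```

The local check is a convenience, not the authority: the gateway still enforces the precondition, so the script also maps the InvalidBucketAclWithObjectOwnership error code to a readable result instead of treating it as an unexpected failure. For new buckets, create_enforced_bucket sets the mode through the x-amz-object-ownership header, where no ACL precondition applies.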