diff --git a/cmd/bucket-handlers.go b/cmd/bucket-handlers.go
index d116a240c..e66e3a109 100644
--- a/cmd/bucket-handlers.go
+++ b/cmd/bucket-handlers.go
@@ -461,6 +461,13 @@ func (api objectAPIHandlers) DeleteMultipleObjectsHandler(w http.ResponseWriter,
 }, goi, gerr)
 replicateSync = repsync
 if replicate {
+ if apiErrCode := checkRequestAuthType(ctx, r, policy.ReplicateDeleteAction, bucket, object.ObjectName); apiErrCode != ErrNone {
+ if apiErrCode == ErrSignatureDoesNotMatch || apiErrCode == ErrInvalidAccessKeyID {
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErrCode), r.URL, guessIsBrowserReq(r))
+ return
+ }
+ continue
+ }
 if object.VersionID != "" {
 object.VersionPurgeStatus = Pending
 if delMarker {
diff --git a/cmd/object-handlers.go b/cmd/object-handlers.go
index 8b6491cc5..6b48b1841 100644
--- a/cmd/object-handlers.go
+++ b/cmd/object-handlers.go
@@ -2758,7 +2758,7 @@ func (api objectAPIHandlers) DeleteObjectHandler(w http.ResponseWriter, r *http.
 if r.Header.Get(xhttp.AmzBucketReplicationStatus) == replication.Replica.String() {
 // check if replica has permission to be deleted.
 if apiErrCode := checkRequestAuthType(ctx, r, policy.ReplicateDeleteAction, bucket, object); apiErrCode != ErrNone {
- writeErrorResponse(ctx, w, toAPIError(ctx, err), r.URL, guessIsBrowserReq(r))
+ writeErrorResponse(ctx, w, errorCodes.ToAPIErr(apiErrCode), r.URL, guessIsBrowserReq(r))
 return
 }
 opts.DeleteMarkerReplicationStatus = replication.Replica.String()
diff --git a/docs/bucket/replication/HEAD_bucket_replication.png b/docs/bucket/replication/HEAD_bucket_replication.png
index 77e1d54d6..d544fdec5 100644
Binary files a/docs/bucket/replication/HEAD_bucket_replication.png and b/docs/bucket/replication/HEAD_bucket_replication.png differ
diff --git a/docs/bucket/replication/README.md b/docs/bucket/replication/README.md
index 4837d5e07..aea879ce6 100644
--- a/docs/bucket/replication/README.md
+++ b/docs/bucket/replication/README.md
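Review bot: The `continue` in the added block in DeleteMultipleObjectsHandler drops an object that failed the `policy.ReplicateDeleteAction` check without recording any per-object error visible in this hunk, so the multi-delete response may give the caller no indication that this key was refused. Unless the denial is recorded elsewhere in the loop, store `errorCodes.ToAPIErr(apiErrCode)` for `object.ObjectName` in the handler's per-object error result before `continue`, so the refusal reaches both the client and the audit trail. The branch would also benefit from a comment such as `// bad credentials fail the whole request; a policy denial only skips this object`, since the split between `return` and `continue` is not obvious. The loop and the rest of the handler lie outside the hunk, so how skipped objects are reported is inferred rather than seen.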
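Review bot: The comment `// check if replica has permission to be deleted.` in DeleteObjectHandler understates what this branch decides: the `xhttp.AmzBucketReplicationStatus` value is read from a request header, and the `policy.ReplicateDeleteAction` check is the only thing visible here between that header and `opts.DeleteMarkerReplicationStatus` being set to the replica status. I would reword it to `// replica status comes from a request header; require s3:ReplicateDelete before honoring it`. A regression test that sends the header from a caller lacking that permission and asserts the response matches `errorCodes.ToAPIErr(apiErrCode)` would keep this error mapping from regressing unnoticed. The handler starts and ends outside the hunk, so whatever authorization applies to requests without the header is not visible here.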
@@ -92,8 +92,7 @@ The access key provided for the replication *target* cluster should have these m ] } ``` - -Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like `s3:ReplicateDelete`, `s3:GetBucketObjectLockConfiguration` etc. depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup.sh) for convenience. +Please note that the permissions required by the admin user on the target cluster can be more fine grained to exclude permissions like "s3:ReplicateDelete", "s3:GetBucketObjectLockConfiguration" etc depending on whether delete replication rules are set up or if object locking is disabled on `destbucket`. The above policies assume that replication of objects, tags and delete marker replication are all enabled on object lock enabled buckets. A sample script to setup replication is provided [here](https://github.com/minio/minio/blob/master/docs/bucket/replication/setup_replication.sh) Once successfully created and authorized, the `mc admin bucket remote add` command generates a replication target ARN. This command lists all the currently authorized replication targets: ```