Tom filed a very good bug for ACL setting change on S3 object when users issue extractTemplate API (https://issues.apache.org/jira/browse/CLOUDSTACK-3030), and his recommendation of using Query String Request Authentication (QSRA) alternative sounds like a right approach to fix this bug. Before implementing it, I would like to confirm if QSRA should be supported by all S3 providers if they claim that they are AWS s3 compatible. If so, we will make this assumption in our code. Based on Tom, Cloudian is supporting it. How about RiakCS, John?
Thanks -min
