
Bug 1516099

Summary: radosgw ACL are not correctly working with Swift CLI
Product: Red Hat Ceph Storage
Reporter: Alexandre Maumené <amaumene>
Component: RGW
Assignee: Marcus Watts <mwatts>
Status: CLOSED ERRATA
QA Contact: Tejas <tchandra>
Severity: high
Priority: high
Version: 2.4
CC: amaumene, anharris, cbodley, ceph-eng-bugs, edonnell, gfidente, gkadam, gmeno, hnallurv, jbiao, jcall, jdurgin, jefbrown, joea, kbader, kdreyer, lhh, mbenjamin, mhackett, mwatts, nlevine, owasserm, pmorey, srevivo, sweil, tchandra, tserlin, vumrao
Target Milestone: z2
Target Release: 2.5
Hardware: x86_64
OS: Linux
Fixed In Version: RHEL: ceph-10.2.10-40.el7cp Ubuntu: ceph_10.2.10-34redhat1
Doc Type: Bug Fix
Doc Text: Previously, the Ceph Object Gateway's Swift ACL processing logic was deficient in several respects. Several types of Swift ACLs could not be applied to Swift container objects, including ones used to make containers publicly accessible. With this update, Swift ACL parsing has been enhanced, and as a result, RGW's Swift ACL conformance has been improved. In particular, public container ACLs can now be set.
Last Closed: 2018-09-05 19:39:32 UTC
Type: Bug
Bug Blocks: 1526222, 1552234

Description Alexandre Maumené 2017-11-22 04:17:55 UTC
Description of problem:
Setting an ACL when posting with Swift ACL is not always working correctly.

Version-Release number of selected component (if applicable):
OSP11

How reproducible:
Every time

Steps to Reproduce:
1. swift post TESTCONTAINER
2. swift stat TESTCONTAINER
3. swift post -r '.r:*,.rlistings' -w '*:*' TESTCONTAINER
4. swift stat TESTCONTAINER

Actual results:
swift stat TESTCONTAINER
                      Account: v1
                    Container: TESTCONTAINER
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx0000000000000000000ef-005a14f88c-2d0d0-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1511323785.72340
                 Content-Type: text/plain; charset=utf-8

Expected results (with proper Swift):
swift stat TESTCONTAINER
               Account: AUTH_ef90a334c2e744038f8b93eeec17dd7f
             Container: TESTCONTAINER
               Objects: 0
                 Bytes: 0
              Read ACL: .r:*,.rlistings
             Write ACL: *:*
               Sync To:
              Sync Key:
         Accept-Ranges: bytes
            X-Trans-Id: tx52a54224918248e4821f6-005a14f7f1
      X-Storage-Policy: Policy-0
         Last-Modified: Wed, 22 Nov 2017 04:07:13 GMT
           X-Timestamp: 1511323628.00466
          Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: tx52a54224918248e4821f6-005a14f7f1

Additional info:
The Ceph doc at http://docs.ceph.com/docs/master/radosgw/swift/containerops/#update-a-container-s-acls says:

"You may also specify * in the X-Container-Read or X-Container-Write settings, which effectively enables all users to either read from or write to the container. Setting * makes the container public."

However that doesn't work either:

$ swift post -r '*' -w '*' TESTCONTAINER ; swift stat TESTCONTAINER
                      Account: v1
                    Container: TESTCONTAINER
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1511323785.72340
                   X-Trans-Id: tx000000000000000000172-005a14f8e3-2abe4-default
                 Content-Type: text/plain; charset=utf-8

Comment 1 Keith Schincke 2017-12-07 04:00:32 UTC
Performed the following tests with OSP11/Ocata using example command from (1):

* Set read and write(world writeable) ACLs on a bucket:
[stack@undercloud ~]$ swift post --read-acl ".r:*" --write-acl "*:*" my_test
[stack@undercloud ~]$ echo $?
0
[stack@undercloud ~]$ swift stat my_test
                      Account: v1
                    Container: my_test
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx00000000000000000000b-005a28b987-5e48-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512618054.03552
                 Content-Type: text/plain; charset=utf-8

* Set project writable on a bucket:
[stack@undercloud ~]$ swift post --read-acl ".r:*" --write-acl "admin" my_test
[stack@undercloud ~]$ swift stat my_test
                      Account: v1
                    Container: my_test
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx00000000000000000000d-005a28ba1d-5e48-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512618054.03552
                 Content-Type: text/plain; charset=utf-8

Performed the following test with OSP latest and Ceph Luminous:

* set world writable acl on bucket:
(overcloud) [stack@undercloud ~]$ swift list
(overcloud) [stack@undercloud ~]$ swift post my_test2
(overcloud) [stack@undercloud ~]$ swift stat my_test2
                      Account: v1
                    Container: my_test2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512577698.94967
                   X-Trans-Id: tx000000000000000000601-005a281aac-1021-default
                 Content-Type: text/plain; charset=utf-8
       X-Openstack-Request-Id: tx000000000000000000601-005a281aac-1021-default
(overcloud) [stack@undercloud ~]$ swift post --write-acl '*:*' my_test2
(overcloud) [stack@undercloud ~]$ swift stat my_test2
                      Account: v1
                    Container: my_test2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL: *:*
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512577698.94967
                   X-Trans-Id: tx000000000000000000618-005a281ad7-1021-default
                 Content-Type: text/plain; charset=utf-8
       X-Openstack-Request-Id: tx000000000000000000618-005a281ad7-1021-default


We will talk about this issue on the team and recommend additional action or reassignment of this BZ. 
 

1: https://docs.openstack.org/swift/latest/overview_acl.html
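
The post-then-stat comparison done by hand in the description and in comment 1, as an added example that is not part of the bug report or of Ceph or Swift code. Because `swift post` exits 0 even when the gateway discards ACL elements, the check reads the stored ACL back and reports both what was dropped and what is open to everyone. The names `SAMPLE_STAT`, `WORLD`, `parse_stat`, `acl_elements` and `audit` are hypothetical, and the stat text is a constructed sample shaped like the output above.

```python
# Added example: compare the ACL sent with `swift post` to what `swift stat` shows.
# Constructed sample, shaped like the "Actual results" output in this report.
SAMPLE_STAT = """\
                      Account: v1
                    Container: TESTCONTAINER
                     Read ACL: .r:*
                    Write ACL:
                 Content-Type: text/plain; charset=utf-8
"""

# Elements that open a container to everyone: any referrer, listings for
# referrers, any user of any project, and the bare "*" quoted from the Ceph doc.
WORLD = {".r:*", ".rlistings", "*:*", "*"}


def parse_stat(text):
    """Map each `swift stat` field name to its value (split on the first colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def acl_elements(acl):
    """Split a comma-separated ACL string into a set of trimmed elements."""
    return {item.strip() for item in acl.split(",") if item.strip()}


def audit(requested_read, requested_write, stat_text):
    """Return (dropped, world): requested elements missing from the stored ACL,
    and stored elements that grant access to everyone. Comparison is literal;
    it assumes the gateway echoes stored elements unchanged (an assumption)."""
    fields = parse_stat(stat_text)
    dropped, world = {}, {}
    for label, asked in (("Read ACL", requested_read), ("Write ACL", requested_write)):
        stored = acl_elements(fields.get(label, ""))
        if acl_elements(asked) - stored:
            dropped[label] = sorted(acl_elements(asked) - stored)
        if stored & WORLD:
            world[label] = sorted(stored & WORLD)
    return dropped, world


if __name__ == "__main__":
    # Step 3 of the reproduction: swift post -r '.r:*,.rlistings' -w '*:*'
    dropped, world = audit(".r:*,.rlistings", "*:*", SAMPLE_STAT)
    print("requested but not stored:", dropped)
    print("stored and world-accessible:", world)
```
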

Comment 4 Matt Benjamin (redhat) 2017-12-20 21:57:23 UTC
*** Bug 1526222 has been marked as a duplicate of this bug. ***

Comment 42 errata-xmlrpc 2018-09-05 19:39:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2651

Comment 44 Vikhyat Umrao 2018-09-19 18:05:56 UTC
*** Bug 1588681 has been marked as a duplicate of this bug. ***