Bug 1516099 - radosgw ACL are not correctly working with Swift CLI
Summary: radosgw ACL are not correctly working with Swift CLI
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 2.4
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: z2
Target Release: 2.5
Assignee: Marcus Watts
QA Contact: Tejas
URL:
Whiteboard:
Duplicates: 1526222 1588681
Depends On:
Blocks: 1526222 1552234
Reported: 2017-11-22 04:17 UTC by Alexandre Maumené
Modified: 2019-04-11 09:39 UTC

Fixed In Version: RHEL: ceph-10.2.10-40.el7cp Ubuntu: ceph_10.2.10-34redhat1
Doc Type: Bug Fix
Doc Text:
Previously, the Ceph Object Gateway's Swift ACL processing logic was deficient in several respects. Several types of Swift ACLs could not be applied to Swift container objects, including ones used to make containers publicly accessible. With this update, Swift ACL parsing has been enhanced, and as a result, RGW's Swift ACL conformance has been improved. In particular, public container ACLs can now be set.
Clone Of:
: 1526222 1552234 (view as bug list)
Environment:
Last Closed: 2018-09-05 19:39:32 UTC


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:2651 None None None 2018-09-05 19:40:25 UTC
Github ceph ceph pull 20257 None None None 2018-08-08 14:26:55 UTC

Description Alexandre Maumené 2017-11-22 04:17:55 UTC
Description of problem:
Setting an ACL when posting with Swift ACL is not always working correctly.

Version-Release number of selected component (if applicable):
OSP11

How reproducible:
Every time

Steps to Reproduce:
1. swift post TESTCONTAINER
2. swift stat TESTCONTAINER
3. swift post -r '.r:*,.rlistings' -w '*:*' TESTCONTAINER
4. swift stat TESTCONTAINER

Actual results:
swift stat TESTCONTAINER
                      Account: v1
                    Container: TESTCONTAINER
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx0000000000000000000ef-005a14f88c-2d0d0-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1511323785.72340
                 Content-Type: text/plain; charset=utf-8

Expected results (with proper Swift):
swift stat TESTCONTAINER
               Account: AUTH_ef90a334c2e744038f8b93eeec17dd7f
             Container: TESTCONTAINER
               Objects: 0
                 Bytes: 0
              Read ACL: .r:*,.rlistings
             Write ACL: *:*
               Sync To:
              Sync Key:
         Accept-Ranges: bytes
            X-Trans-Id: tx52a54224918248e4821f6-005a14f7f1
      X-Storage-Policy: Policy-0
         Last-Modified: Wed, 22 Nov 2017 04:07:13 GMT
           X-Timestamp: 1511323628.00466
          Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: tx52a54224918248e4821f6-005a14f7f1

Additional info:
The Ceph doc at http://docs.ceph.com/docs/master/radosgw/swift/containerops/#update-a-container-s-acls says:

"You may also specify * in the X-Container-Read or X-Container-Write settings, which effectively enables all users to either read from or write to the container. Setting * makes the container public."

However that doesn't work either:

$ swift post -r '*' -w '*' TESTCONTAINER ; swift stat TESTCONTAINER
                      Account: v1
                    Container: TESTCONTAINER
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1511323785.72340
                   X-Trans-Id: tx000000000000000000172-005a14f8e3-2abe4-default
                 Content-Type: text/plain; charset=utf-8

Comment 1 Keith Schincke 2017-12-07 04:00:32 UTC
Performed the following tests with OSP11/Ocata using example command from (1):

* Set read and write (world writeable) ACLs on a bucket:
[stack@undercloud ~]$ swift post --read-acl ".r:*" --write-acl "*:*" my_test
[stack@undercloud ~]$ echo $?
0
[stack@undercloud ~]$ swift stat my_test
                      Account: v1
                    Container: my_test
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx00000000000000000000b-005a28b987-5e48-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512618054.03552
                 Content-Type: text/plain; charset=utf-8

* Set project writable on a bucket:
[stack@undercloud ~]$ swift post --read-acl ".r:*" --write-acl "admin" my_test
[stack@undercloud ~]$ swift stat my_test
                      Account: v1
                    Container: my_test
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx00000000000000000000d-005a28ba1d-5e48-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512618054.03552
                 Content-Type: text/plain; charset=utf-8

Performed the following test with OSP latest and Ceph Luminous:

* set world writable acl on bucket:
(overcloud) [stack@undercloud ~]$ swift list
(overcloud) [stack@undercloud ~]$ swift post my_test2
(overcloud) [stack@undercloud ~]$ swift stat my_test2
                      Account: v1
                    Container: my_test2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512577698.94967
                   X-Trans-Id: tx000000000000000000601-005a281aac-1021-default
                 Content-Type: text/plain; charset=utf-8
       X-Openstack-Request-Id: tx000000000000000000601-005a281aac-1021-default
(overcloud) [stack@undercloud ~]$ swift post --write-acl '*:*' my_test2
(overcloud) [stack@undercloud ~]$ swift stat my_test2
                      Account: v1
                    Container: my_test2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL: *:*
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512577698.94967
                   X-Trans-Id: tx000000000000000000618-005a281ad7-1021-default
                 Content-Type: text/plain; charset=utf-8
       X-Openstack-Request-Id: tx000000000000000000618-005a281ad7-1021-default


We will talk about this issue on the team and recommend additional action or reassignment of this BZ. 
 

1: https://docs.openstack.org/swift/latest/overview_acl.html
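
Added example, not part of the bug report or of Ceph's code: a Python check that compares the ACLs requested with `swift post` against what `swift stat` reports and lists the elements the gateway did not store, which `swift post` does not reveal because it exits 0 either way. The function names are hypothetical, and the folding of `.ref:`/`.referer:`/`.referrer:` to `.r:` reflects what OpenStack Swift's own ACL parser accepts.

```python
import re

# Referrer prefixes OpenStack Swift accepts; it stores them as ".r:".
_REFERRER_PREFIXES = (".referrer:", ".referer:", ".ref:", ".r:")

def normalise(element):
    """Strip whitespace and fold referrer synonyms to the '.r:' form."""
    element = element.strip()
    for prefix in _REFERRER_PREFIXES:
        if element.startswith(prefix):
            return ".r:" + element[len(prefix):].strip()
    return element

def split_acl(value):
    """Turn a comma-separated ACL header value into a set of elements."""
    return {normalise(e) for e in value.split(",") if e.strip()}

def parse_stat(text):
    """Parse `swift stat` output ('   Field: value' lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s?(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def dropped_elements(read_acl, write_acl, stat_text):
    """Return the ACL elements that were requested but are not stored."""
    stat = parse_stat(stat_text)
    return {
        "Read ACL": split_acl(read_acl) - split_acl(stat.get("Read ACL", "")),
        "Write ACL": split_acl(write_acl) - split_acl(stat.get("Write ACL", "")),
    }

# Trimmed from the "Actual results" output in the description above.
STAT_AFTER_POST = """\
                      Account: v1
                    Container: TESTCONTAINER
                     Read ACL: .r:*
                    Write ACL:
             X-Storage-Policy: default-placement
"""

if __name__ == "__main__":
    # Requested with: swift post -r '.r:*,.rlistings' -w '*:*' TESTCONTAINER
    result = dropped_elements(".r:*,.rlistings", "*:*", STAT_AFTER_POST)
    for field, missing in result.items():
        print(field, "dropped:", sorted(missing) or "nothing")
```

An empty set for both fields means the stored ACLs match the request, as in the Luminous run in comment 1.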

Comment 4 Matt Benjamin (redhat) 2017-12-20 21:57:23 UTC
*** Bug 1526222 has been marked as a duplicate of this bug. ***

Comment 42 errata-xmlrpc 2018-09-05 19:39:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2651

Comment 44 Vikhyat Umrao 2018-09-19 18:05:56 UTC
*** Bug 1588681 has been marked as a duplicate of this bug. ***

