swift_auth middleware disallows access to public Swift URLs

Bug #1020722 reported by Dan Prince
This bug affects 5 people
Affects: OpenStack Object Storage (swift)
Status: Fix Released
Importance: High
Assigned to: Chmouel Boudjnah
Milestone: 1.8.0

Bug Description

When using the swift_auth middleware, tenants are prevented from accessing URLs outside their account even if they have been granted access via an ACL or the access is public.

This should be a supported use case for using Swift with Keystone.

To reproduce:

Make a swift URL public:

swift post -r ".r:*" foo

And then try to access that URL with a different tenant's auth code.

curl -i http://localhost:8080/v1/AUTH_40467cf149ac42339feee283ff9f4300/foo/bar -X HEAD -H "X-Auth-Token: bc4b0123260f4a82a2d79a11125e2477"

Note: The URL above contains the initial tenant's ID (40467cf149ac42339feee283ff9f4300) but uses a different tenant's auth token. Since the URL is public, Swift should grant access. Swift auth currently prevents this, however, due to the _reseller_check function.

Tags: tempest
Dan Prince (dan-prince)
Changed in keystone:
assignee: nobody → Dan Prince (dan-prince)
importance: Undecided → High
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/9290

Dan Prince (dan-prince) wrote:

The middleware moved from keystone to swift. I'm going to repost this fix in a minute.

affects: keystone → swift
OpenStack Infra (hudson-openstack) wrote: Fix proposed to swift (master)

Fix proposed to branch: master
Review: https://review.openstack.org/11147

tags: added: tempest
Changed in swift:
status: In Progress → Triaged
Changed in swift:
assignee: Dan Prince (dan-prince) → Chmouel Boudjnah (chmouel)
OpenStack Infra (hudson-openstack) wrote:

Fix proposed to branch: master
Review: https://review.openstack.org/22451

Changed in swift:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to swift (master)

Reviewed: https://review.openstack.org/22451
Committed: http://github.com/openstack/swift/commit/0f284e04e4f0d6455d9865c5ac03fe7b3f348a52
Submitter: Jenkins
Branch: master

commit 0f284e04e4f0d6455d9865c5ac03fe7b3f348a52
Author: Chmouel Boudjnah <email address hidden>
Date: Wed Feb 20 18:08:58 2013 +0100

    Allow acl with a valid token.

    - When a user has a valid token it would go to authorize but the acl
      check was after the reseller_check and would thus fail. Check this before
      reseller_check and add a test for it.
    - Fixes bug 1020722.

    Change-Id: Iaff9f35f5ee690e9b729c36d05fb9adf3368dc79
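The ordering problem described in the bug report and in the commit message above can be seen in a small model of the middleware's authorize step. The following is an added, simplified re-implementation written for this page; it is not Swift's keystoneauth code, and the second tenant id, the container ACL and the request objects are constructed sample values. The `acl_before_reseller_check` flag switches between the original ordering (reseller check first, so a valid token from another tenant is rejected before the container ACL is consulted) and the fixed ordering (public-read ACL consulted first).

```python
"""Simplified model of the authorize() ordering in Swift's Keystone auth
middleware, added to illustrate bug 1020722. Constructed for explanation
only, not the middleware's own code; tenant ids and ACLs are sample values."""

from dataclasses import dataclass
from typing import Optional

RESELLER_PREFIX = "AUTH_"   # accounts owned by Keystone tenants look like AUTH_<tenant_id>


@dataclass
class Request:
    path: str                       # /v1/<account>/<container>/<object>
    method: str                     # GET, HEAD, PUT, ...
    tenant_id: Optional[str]        # tenant of the validated token; None for anonymous
    container_read_acl: str = ""    # X-Container-Read value stored on the container


def account_from_path(path: str) -> str:
    # path splits into ['', 'v1', account, container, object]
    return path.split("/", 4)[2]


def reseller_check(account: str, tenant_id: str) -> bool:
    """True when the token's tenant owns the account named in the URL."""
    return account == RESELLER_PREFIX + tenant_id


def acl_allows_read(req: Request) -> bool:
    """Public-read ACL: the referrer entry '.r:*' grants GET/HEAD to anyone."""
    entries = [e.strip() for e in req.container_read_acl.split(",") if e.strip()]
    return req.method in ("GET", "HEAD") and ".r:*" in entries


def authorize(req: Request, acl_before_reseller_check: bool = True) -> bool:
    """Return True if the request is allowed.

    acl_before_reseller_check=False reproduces the ordering that caused the
    bug: a request carrying another tenant's valid token was rejected by
    reseller_check before the container ACL was ever consulted.
    """
    account = account_from_path(req.path)

    if req.tenant_id is None:
        # Anonymous request: only the container ACL can grant access.
        return acl_allows_read(req)

    if acl_before_reseller_check and acl_allows_read(req):
        return True                   # fixed ordering: public ACL grants the cross-tenant read

    if not reseller_check(account, req.tenant_id):
        return False                  # token belongs to a different tenant

    if not acl_before_reseller_check and acl_allows_read(req):
        return True                   # original ordering: only reachable for the account owner

    return True                       # owner of the account


# Constructed sample data mirroring the report: tenant A owns the account,
# tenant B presents its own valid token against A's public container.
TENANT_A = "40467cf149ac42339feee283ff9f4300"
TENANT_B = "b7e1c2d3e4f5a6b7c8d9e0f1a2b3c4d5"   # constructed sample id
PUBLIC_PATH = "/v1/AUTH_%s/foo/bar" % TENANT_A


def cross_tenant_public_read(fixed: bool) -> bool:
    """HEAD on a '.r:*' container with another tenant's valid token."""
    req = Request(PUBLIC_PATH, "HEAD", TENANT_B, container_read_acl=".r:*")
    return authorize(req, acl_before_reseller_check=fixed)


if __name__ == "__main__":
    print("original ordering allows cross-tenant public read:", cross_tenant_public_read(False))
    print("fixed ordering allows cross-tenant public read:", cross_tenant_public_read(True))
```

Note that moving the ACL check earlier only widens access that the container owner has already granted explicitly: a `.r:*` ACL is read-only, so a PUT from the other tenant is still refused, and a request with no public ACL is still stopped by the reseller check.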

Changed in swift:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in swift:
milestone: none → 1.8.0-rc1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in swift:
milestone: 1.8.0-rc1 → 1.8.0