World readable access to segmented object produces 401, even if _segments is also world readable.

Bug #1082835 reported by Byron McCollum
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Object Storage (swift) | Incomplete | Low | Alexey Khivin |

Bug Description

So, seems I've stumbled across something that used to work in Essex, but is no longer working in Folsom. Using the swift tool, upload a segmented object to a container with a `.r:*` read ACL. Accessing the object anonymously produces a 401 as expected, as the segments are in the companion _segments container. After giving `.r:*` access to the _segments container, anonymous access to the segmented object used to work. In Folsom, it continues to produce a 401.

John Dickinson (notmyname) wrote :

For the time being (i.e. until this bug is resolved either through a change in behavior or an update to the docs), enable .rlistings on the _segments container. This will allow the anonymous manifest requests to work.

Changed in swift:
status: New → Confirmed
importance: Undecided → High
Dae S. Kim (daeskp) wrote :

As far as I've seen, this "bug" is present on TempAuth, if it is a bug at all. The problem is that a GET request on a manifest file in turn gets a listing of the _segments container. Of course, this is to guess which segments compose the requested object. However, without setting '.rlisting' on the _segments container, the listing cannot be retrieved anonymously.

One way to address this could be to allow the segments to inherit the read permissions of the manifest file. That is, if we have read permissions on the manifest file, we should be able to list and get the segments. I exemplify this behavior in the attached patch.

Perhaps a less radical solution is to make the swift tool set '.rlisting' on _segments by default.

Dae S. Kim (daeskp) wrote :

'.rlistings', not '.rlisting'. Sorry about that :D
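The behaviour described in the comments above, as an added example that is not part of the original thread and is not Swift's code: a simplified model of the anonymous read check, plus an audit that reports which read-ACL elements a companion segments container lacks. The function names, the container names and the reduction of referrer ACLs to `.r:*` only are assumptions made for illustration.

```python
# Simplified model of anonymous read checks as described in this thread.
# Not Swift's code: only the '.r:*' referrer and '.rlistings' are modelled.

def parse_read_acl(acl):
    """Split a read ACL such as '.r:*,.rlistings' into (referrers, flags)."""
    referrers, flags = [], set()
    for item in (part.strip() for part in acl.split(",")):
        if item.startswith(".r:"):
            referrers.append(item[3:])
        elif item:
            flags.add(item)
    return referrers, flags

def anonymous_allowed(acl, is_object):
    """'.r:*' covers object reads; a container listing also needs '.rlistings'."""
    referrers, flags = parse_read_acl(acl)
    return "*" in referrers and (is_object or ".rlistings" in flags)

def manifest_get_status(acls, container, segments):
    """Status an anonymous GET of a segmented object would see: the manifest
    read, the segments-container listing and the segment reads must all pass."""
    ok = (anonymous_allowed(acls.get(container, ""), True)
          and anonymous_allowed(acls.get(segments, ""), False)
          and anonymous_allowed(acls.get(segments, ""), True))
    return 200 if ok else 401

def audit_segment_acls(acls, suffix="_segments"):
    """Map each companion segments container of a world-readable container
    to the read-ACL elements it lacks for anonymous manifest GETs."""
    findings = {}
    for name, acl in acls.items():
        companion = name + suffix
        if companion not in acls or not anonymous_allowed(acl, True):
            continue
        referrers, flags = parse_read_acl(acls[companion])
        missing = [] if "*" in referrers else [".r:*"]
        if ".rlistings" not in flags:
            missing.append(".rlistings")
        if missing:
            findings[companion] = missing
    return findings

if __name__ == "__main__":
    # Constructed container names and ACLs.
    reported = {"media": ".r:*", "media_segments": ".r:*"}
    workaround = {"media": ".r:*", "media_segments": ".r:*,.rlistings"}
    print(manifest_get_status(reported, "media", "media_segments"))
    print(manifest_get_status(workaround, "media", "media_segments"))
    print(audit_segment_acls(reported))
```

Granting `.rlistings` also makes the listing of the segments container itself readable anonymously, so the names of all segments stored there become public along with their contents.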

Changed in swift:
assignee: nobody → Madhuri Kumari (madhuri-rai07)
Changed in swift:
assignee: Madhuri Kumari (madhuri-rai07) → nobody
Alexey Khivin (akhivin)
Changed in swift:
assignee: nobody → Alex Khivin (akhivin)
Changed in swift:
importance: High → Low
John Dickinson (notmyname) wrote :

Marking this as incomplete again. I want to know if this is something that is actually a bug or if it's something that is working as intended. (I suspect it's working as intended.)

Changed in swift:
status: Confirmed → Incomplete
Nikita Koltsov (nkoltsov) wrote :

Faced this issue on Yoga; I want to add slightly more details and context.
The actual bug is that the *_segments container is not inheriting ACLs from the target container, which leads to losing permissions.
Also, for some reason even adding all ACLs manually does not solve the issue unless the --use-slo flag is used for upload.
