*LO subrequests don't pass on the referer or req.acl on
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Object Storage (swift) | Fix Released | Medium | Matthew Oliver | | |
Bug Description
When a *LO object is requested, the subrequests sent to get the segments don't contain the req.acl or HTTP_REFERER details. This is a problem when you put a READ ACL on a container containing an *LO object: when it is read, a 403 will be raised unless you make the segment container publicly readable.
If we pass the referer on to the subrequests we can use the same ACLs on the segment and *LO container.
```
$ curl -i -H "X-Auth-Token: $TOKEN" $STORAGE_URL/c -H "X-Container-Read: .r:*.exapmle.
$ curl -i -H "X-Auth-Token: $TOKEN" $STORAGE_URL/segs -H "X-Container-Read: .r:*.exapmle.
HTTP/1.1 204 No Content
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx353b8ed48c2a4
Date: Tue, 15 Dec 2015 23:43:04 GMT
$ curl -i -H "X-Auth-Token: $USER_TOKEN" $STORAGE_URL/c/dlo -e "http://
HTTP/1.1 403 Forbidden
Content-Length: 73
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx519503979f4b4
Date: Tue, 15 Dec 2015 23:43:08 GMT
<html>
```
This is happening on the current master.
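The failure described above, modelled as an added example (not Swift's code and not part of the original report): a simplified referrer-ACL check, plus a large-object GET whose segment subrequest either drops or carries `HTTP_REFERER`. The function names, the `example.com` domain and the referer URL are assumptions; the container names `c` and `segs` come from the report.

```python
from urllib.parse import urlparse

# Constructed sample ACLs; container names "c" and "segs" are from the report,
# the example.com domain is an assumption.
ACLS = {"c": ".r:*.example.com", "segs": ".r:*.example.com"}

def referrer_allowed(referer, read_acl):
    """Simplified model of a '.r:' referrer ACL check (not Swift's own code)."""
    host = urlparse(referer or "").hostname or "unknown"
    allow = False
    for entry in (e.strip() for e in read_acl.split(",")):
        if not entry.startswith(".r:"):
            continue  # account/user grants are out of scope for this model
        pattern = entry[3:]
        deny = pattern.startswith("-")
        if deny:
            pattern = pattern[1:]
        if len(pattern) > 1 and pattern.startswith("*"):
            pattern = pattern[1:]  # "*.example.com" -> ".example.com"
        if (pattern in ("*", host)
                or (pattern.startswith(".") and host.endswith(pattern))):
            allow = not deny  # later entries override earlier ones
    return allow

def authorize(container, environ, acls):
    ok = referrer_allowed(environ.get("HTTP_REFERER"), acls[container])
    return 200 if ok else 403

def get_large_object(environ, propagate_referer, acls=ACLS):
    """GET c/<manifest>: authorize the manifest, then the segment subrequest."""
    status = authorize("c", environ, acls)
    if status != 200:
        return status
    sub_env = {}  # in this model the subrequest starts from a fresh environ
    if propagate_referer and "HTTP_REFERER" in environ:
        sub_env["HTTP_REFERER"] = environ["HTTP_REFERER"]
    return authorize("segs", sub_env, acls)

if __name__ == "__main__":
    req = {"HTTP_REFERER": "http://www.example.com/page"}  # constructed request
    print("referer dropped:   ", get_large_object(req, propagate_referer=False))
    print("referer propagated:", get_large_object(req, propagate_referer=True))
    public_segs = dict(ACLS, segs=".r:*")  # the workaround named in the report
    print("segs made public:  ", get_large_object(req, False, public_segs))
```

With the referer dropped, the manifest container authorizes the request but the segment container sees no referer and denies it, which is the 403 in the transcript.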
Fix proposed to branch: master
Review: https://review.openstack.org/258280