tempauth: Account ACLs allow users to delete their own accounts
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Object Storage (swift) | New | Undecided | Unassigned |
Bug Description
On a fresh account, tempauth prevents this:
$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X DELETE
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> DELETE /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/
> x-auth-token: AUTH_tk8867a258
>
< HTTP/1.1 403 Forbidden
< Content-Length: 73
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: tx9a5de00bffce4
< X-Openstack-
< Date: Thu, 28 Dec 2017 00:34:51 GMT
<
<html><
But after setting some account ACLs...
$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X POST -H 'x-account-
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> POST /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/
> x-auth-token: AUTH_tk8867a258
> x-account-
>
< HTTP/1.1 204 No Content
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: txc541be2172194
< X-Openstack-
< Date: Thu, 28 Dec 2017 00:39:13 GMT
<
... suddenly I *can*!
$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X DELETE
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> DELETE /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/
> x-auth-token: AUTH_tk8867a258
>
< HTTP/1.1 204 No Content
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< X-Account-Status: Deleted
< X-Trans-Id: txf27a6b7e467d4
< X-Openstack-
< Date: Thu, 28 Dec 2017 00:39:20 GMT
<
But all the meta's gone, so even with https:/
$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X PUT -H x-undelete-
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> PUT /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/
> x-auth-token: AUTH_tk8867a258
> x-undelete-
>
< HTTP/1.1 403 Forbidden
< Content-Length: 73
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: tx10806338027a4
< X-Openstack-
< Date: Thu, 28 Dec 2017 00:41:01 GMT
<
* Connection #0 to host saio left intact
<html><
...so *that's* good. However, I'm pretty sure I shouldn't have been allowed to delete it in the first place!