Comment 2 for bug 1715650

Revision history for this message
Kenneth Loafman (kenneth-loafman) wrote : Re: [Bug 1715650] Re: Cloudfiles backend does not handle container ACLs

Please do. Thanks!

On Thu, Sep 7, 2017 at 9:15 AM, Matthew S <email address hidden>
wrote:

> I have written a patch for the Pyrax backend to fix this bug, which uses
> get_container() initially, and only uses create_container() if necessary.
> It handles both completely unprivileged users, and read-only privileged
> users.
> I can provide a diff in a separate comment if necessary?
>
> --
> You received this bug notification because you are subscribed to
> Duplicity.
> https://bugs.launchpad.net/bugs/1715650
>
> Title:
> Cloudfiles backend does not handle container ACLs
>
> Status in Duplicity:
> New
>
> Bug description:
> duplicity --version - duplicity 0.7.14
> python2 - Python 2.7.6
> Ubuntu 14.04.5
> Using a Rackspace Cloudfiles container (with ACLs enabled)
> Accessed via the Pyrax backend (also tested with Cloudfiles)
>
> With Duplicity, both the old Cloudfiles and newer Pyrax backend (both
> connect to Rackspace Cloudfiles-the-service) do not work with
> container ACLs(1). The backends try to create a container, which with
> a normal privileged user either creates a container, or returns an
> existing container of the same name. However, to take advantage of
> Rackspace container ACLs means using an unprivileged user, which only
> has read/write access to a single container, and no other privileges.
> Consequently a Duplicity backup results in a 403 Forbidden permissions
> error, even when the user being used is able to read/write just fine.
>
> 1) https://developer.rackspace.com/docs/cloud-files/v1/use-cases
> /additional-container-services-information/#container-access-control-
> lists
>
> Traceback of Pyrax error:
>
> Traceback (most recent call last):
> File "/usr/bin/duplicity", line 1532, in <module>
> with_tempdir(main)
> File "/usr/bin/duplicity", line 1526, in with_tempdir
> fn()
> File "/usr/bin/duplicity", line 1364, in main
> action = commandline.ProcessCommandLine(sys.argv[1:])
> File "/usr/lib/python2.7/dist-packages/duplicity/commandline.py",
> line 1116, in ProcessCommandLine
> backup, local_pathname = set_backend(args[0], args[1])
> File "/usr/lib/python2.7/dist-packages/duplicity/commandline.py",
> line 1005, in set_backend
> globals.backend = backend.get_backend(bend)
> File "/usr/lib/python2.7/dist-packages/duplicity/backend.py", line
> 223, in get_backend
> obj = get_backend_object(url_string)
> File "/usr/lib/python2.7/dist-packages/duplicity/backend.py", line
> 209, in get_backend_object
> return factory(pu)
> File "/usr/lib/python2.7/dist-packages/duplicity/backends/_cf_pyrax.py",
> line 72, in __init__
> self.container = pyrax.cloudfiles.create_container(container)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/client.py", line
> 103, in create
> return self._manager.create(*args, **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/object_storage.py",
> line 833, in create
> resp, resp_body = self.api.method_put(uri, headers=headers)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/client.py", line
> 260, in method_put
> return self._api_request(uri, "PUT", **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/client.py", line
> 231, in _api_request
> resp, body = self._time_request(safe_uri, method, **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/client.py", line
> 193, in _time_request
> resp, body = self.request(uri, method, **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/client.py", line
> 184, in request
> resp, body = pyrax.http.request(method, uri, *args, **kwargs)
> File "/usr/local/lib/python2.7/dist-packages/pyrax/http.py", line 76,
> in request
> raise exc.from_response(resp, body)
> Forbidden: <html><h1>Forbidden</h1><p>Access was denied to this
> resource.</p></html> (HTTP 403)
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/duplicity/+bug/1715650/+subscriptions
>