object store doesn't work for members

Bug #1561241 reported by Andrey Grebennikov on 2016-03-23
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Fuel for OpenStack
High
Alexey Deryugin
8.0.x
High
Sergii Rizvan
Mitaka
High
Sergii Golovatiuk

Bug Description

MOS8.0 GA, Swift on controllers, no additional plugins.

1. Log into horizon with admin, go to Object Store, create a container, create an object
2. Create a new user, assign role _member_ in "admin" tenant, log in as the new user, go to Object Store tab

Expected behaviour - able to see containers

Reality - "Unable to retrieve container list"

In Horizon log:

2016-03-23 23:03:14,629 4131 INFO swiftclient RESP BODY: <html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>
2016-03-23 23:03:14,631 4131 ERROR swiftclient Account GET failed: http://10.108.31.16:8080/v1/AUTH_dccf2950b0c645dba636e444d1e6d3d2?format=json&limit=1001 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 1390, in _retry
    service_token=self.service_token, **kwargs)
  File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 519, in get_account
    end_marker, http_conn)
  File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 556, in get_account
    http_response_content=body)
ClientException: Account GET failed: http://10.108.31.16:8080/v1/AUTH_dccf2950b0c645dba636e444d1e6d3d2?format=json&limit=1001 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
2016-03-23 23:03:14,631 4131 WARNING horizon.exceptions Recoverable error: Account GET failed: http://10.108.31.16:8080/v1/AUTH_dccf2950b0c645dba636e444d1e6d3d2?format=json&limit=1001 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

Same actually happens if I create a brand new tenant and assign _member_ role to any user. The user logs in and gets same error when switching to "Object Store" tab and choosing "containers"

Dmitry Klenov (dklenov) on 2016-03-24
Changed in fuel:
assignee: nobody → MOS Swift (mos-swift)
milestone: none → 9.0
importance: Undecided → High
status: New → Confirmed
tags: added: area-mos

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
Alyona Kiseleva (akiselyova) wrote :

This is not a bug in Swift, it's expected behavior.

The roles, which can be used for swift client, are listed in operator_roles in proxy-server.conf. They are:

# cat /etc/swift/proxy-server.conf | grep operator
operator_roles = admin, SwiftOperator

And the user, created via the above way, has the role _member_, and it doesn't allow him to use swift stat operations, for example:

# keystone user-role-list --user new_user --tenant admin
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 3e2c6506ef444c0aa037c2b84b2aa263 | 5d5a6abb572e4a458837e8857cb1abe2 |
+----------------------------------+----------+----------------------------------+----------------------------------+
# swift --os-username=new_user --os-password=123 list
Account GET failed: http://192.168.0.2:8080/v1/AUTH_5d5a6abb572e4a458837e8857cb1abe2?format=json 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

The last command shows the container list, and it fails, as reported.

If you assign the user one of the roles included in the operator_roles list in proxy-server.conf, for example SwiftOperator, everything will work:

# keystone user-role-add --user new_user --role SwiftOperator --tenant admin
# swift --os-username=new_user --os-password=123 list
priv
publ

So, to solve this problem, we must either add the _member_ role to the operator_roles list, or give the user one of the "right" roles.
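
The authorization decision described in the comment above, as an added example that is not part of the original bug report or of Swift's own code: a simplified model of how the operator_roles setting gates an account GET, evaluated against the setting before and after the committed fix. The config excerpts are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed excerpts of /etc/swift/proxy-server.conf: the setting quoted in
# the comment above, and the same setting after the committed fix.
BEFORE = """
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
"""
AFTER = BEFORE.replace("admin, SwiftOperator", "admin, SwiftOperator, _member_")


def operator_roles(conf_text):
    """Return the operator_roles of [filter:keystoneauth], lower-cased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("filter:keystoneauth", "operator_roles",
                 fallback="admin, swiftoperator")
    return {r.strip().lower() for r in raw.split(",") if r.strip()}


def account_get(conf_text, account, project_id, roles, prefix="AUTH_"):
    """Model the status of an account GET (container listing).

    Simplified: container ACLs, reseller admin and service roles are ignored.
    """
    if account != prefix + project_id:
        return 403  # token is scoped to a different project
    held = {r.lower() for r in roles}  # role names compare case-insensitively
    return 200 if held & operator_roles(conf_text) else 403


def roles_granting_access(conf_text, assigned):
    """Which of a user's assigned roles make them an account operator."""
    return sorted(r for r in assigned if r.lower() in operator_roles(conf_text))


if __name__ == "__main__":
    acct = "AUTH_5d5a6abb572e4a458837e8857cb1abe2"  # account from the comment
    proj = "5d5a6abb572e4a458837e8857cb1abe2"
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, "_member_ only:", account_get(conf, acct, proj, ["_member_"]))
        print(label, "SwiftOperator:", account_get(conf, acct, proj, ["SwiftOperator"]))
```

With `_member_` in operator_roles, every user holding that role in a project is treated as an operator of that project's Swift account, which is what `roles_granting_access` makes visible when auditing a deployment.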

Alyona Kiseleva (akiselyova) wrote :

Sorry, I don't know to whom this can be reassigned. It's not a Swift problem, but a role configuration problem.

Dmitry Pyzhov (dpyzhov) on 2016-04-19
Changed in fuel:
milestone: 9.0 → 10.0

Fix proposed to branch: master
Review: https://review.openstack.org/311093

Changed in fuel:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/311093
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=6c8d10130b7658b733d7b56ea54cc7933a9f5857
Submitter: Jenkins
Branch: master

commit 6c8d10130b7658b733d7b56ea54cc7933a9f5857
Author: Alexey Deryugin <email address hidden>
Date: Fri Apr 29 12:36:50 2016 +0000

    Add _member_ role to Swift operator list

    Newly created users are unable to interact with Swift by default,
    to fix this, we need to add _member_ role to Swift operator list.

    Change-Id: Ia4a2ab35efa0e4304b9aba39d59c643848aa123e
    Closes-Bug: #1561241

Changed in fuel:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/314493
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=d4946028b4149507438216e24f863241a6879b87
Submitter: Jenkins
Branch: stable/mitaka

commit d4946028b4149507438216e24f863241a6879b87
Author: Alexey Deryugin <email address hidden>
Date: Fri Apr 29 12:36:50 2016 +0000

    Add _member_ role to Swift operator list

    Newly created users are unable to interact with Swift by default,
    to fix this, we need to add _member_ role to Swift operator list.

    Change-Id: Ia4a2ab35efa0e4304b9aba39d59c643848aa123e
    Closes-Bug: #1561241
    (cherry picked from commit 6c8d10130b7658b733d7b56ea54cc7933a9f5857)

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Used scenario from description.
No errors are seen when trying to retrieve container list under created user.
Verified on:
cat /etc/fuel_build_id:
 443
cat /etc/fuel_build_number:
 443
cat /etc/fuel_release:
 9.0
cat /etc/fuel_openstack_version:
 mitaka-9.0

tags: removed: on-verification

Change abandoned by Alexey Deryugin (<email address hidden>) on branch: stable/8.0
Review: https://review.openstack.org/318085

Reviewed: https://review.openstack.org/391117
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=71060b4c47139bfec1fa7b1fead477d1d7f34363
Submitter: Jenkins
Branch: stable/8.0

commit 71060b4c47139bfec1fa7b1fead477d1d7f34363
Author: Alexey Deryugin <email address hidden>
Date: Wed May 18 16:27:55 2016 +0300

    Add _member_ role to Swift operator list

    Newly created users are unable to interact with Swift by default,
    to fix this, we need to add _member_ role to Swift operator list.

    Change-Id: Ia4a2ab35efa0e4304b9aba39d59c643848aa123d
    Closes-Bug: #1561241

tags: added: on-verification
Ekaterina Shutova (eshutova) wrote :

Verified on MOS 8.0 MU4 updates. Used scenario from description.
Container list is available under created user.

tags: removed: on-verification