Fuel for OpenStack

object store doesn't work for members

Bug #1561241 reported by Andrey Grebennikov on 2016-03-23

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Fuel for OpenStack	Fix Committed	High	Alexey Deryugin	Fuel for OpenStack 10.0
8.0.x	Fix Released	High	Sergii Rizvan	Fuel for OpenStack 8.0-mu-4
Mitaka	Fix Released	High	Sergii Golovatiuk	Fuel for OpenStack 9.0

Bug Description

MOS8.0 GA, Swift on controllers, no additional plugins.

1. Log into horizon with admin, go to Obect Store, create a container, create an object
2. Create a new user, assign role _member_ in "admin" tenant, log in as the new user, go to Object Store tab

Expected behaviour - able to see containers

Reality - "Unable to retrieve container list"

In Horizon log:

2016-03-23 23:03:14,629 4131 INFO swiftclient RESP BODY: <html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>
2016-03-23 23:03:14,631 4131 ERROR swiftclient Account GET failed: http://10.108.31.16:8080/v1/AUTH_dccf2950b0c645dba636e444d1e6d3d2?format=json&limit=1001 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 1390, in _retry
    service_token=self.service_token, **kwargs)
  File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 519, in get_account
    end_marker, http_conn)
  File "/usr/lib/python2.7/dist-packages/swiftclient/client.py", line 556, in get_account
    http_response_content=body)
ClientException: Account GET failed: http://10.108.31.16:8080/v1/AUTH_dccf2950b0c645dba636e444d1e6d3d2?format=json&limit=1001 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
2016-03-23 23:03:14,631 4131 WARNING horizon.exceptions Recoverable error: Account GET failed: http://10.108.31.16:8080/v1/AUTH_dccf2950b0c645dba636e444d1e6d3d2?format=json&limit=1001 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

Same actully happens if I create a brand new tenant and assign _member_ role to any user. The user logs in and gets same error when switching to "Object Store" tab and choose "containers"

Tags:

Dmitry Klenov (dklenov) on 2016-03-24

Changed in fuel:
assignee:	nobody → MOS Swift (mos-swift)
milestone:	none → 9.0
importance:	Undecided → High
status:	New → Confirmed
tags:	added: area-mos

Revision history for this message

Bug Checker Bot (bug-checker) wrote on 2016-03-28: Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

version

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags:

added: need-info

Revision history for this message

Alyona Kiseleva (akiselyova) wrote on 2016-03-28:

This is not a bug in Swift, it's expected behavior.

The roles, which can be used for swift client, are listed in operator_roles in proxy-server.conf. They are:

# cat /etc/swift/proxy-server.conf | grep operator
operator_roles = admin, SwiftOperator

And the user, created via the above way, have the role _member_, and it doesn't allow him to use swift stat operations, for example:

# keystone user-role-list --user new_user --tenant admin
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 3e2c6506ef444c0aa037c2b84b2aa263 | 5d5a6abb572e4a458837e8857cb1abe2 |
+----------------------------------+----------+----------------------------------+----------------------------------+
# swift --os-username=new_user --os-password=123 list
Account GET failed: http://192.168.0.2:8080/v1/AUTH_5d5a6abb572e4a458837e8857cb1abe2?format=json 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

The last command shows container list, and it fails, as it reported.

If you set to user one of the roles, included in operator_roles list in proxy-server.conf, for example, SwiftOperator, all will work:

# keystone user-role-add --user new_user --role SwiftOperator --tenant admin
# swift --os-username=new_user --os-password=123 list
priv
publ

So, to solve this problem, we must either add _member_ role in operator_roles list, or use for user one of "right" roles.

Revision history for this message

Alyona Kiseleva (akiselyova) wrote on 2016-03-28:

Sorry, I don't know to whom this can be reassigned. It's not a swift, but role configuration problem.

Dmitry Pyzhov (dpyzhov) on 2016-04-19

Changed in fuel:
milestone:	9.0 → 10.0

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-29: Fix proposed to fuel-library (master)

Fix proposed to branch: master
Review: https://review.openstack.org/311093

Changed in fuel:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-06: Fix merged to fuel-library (master)

Reviewed: https://review.openstack.org/311093
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=6c8d10130b7658b733d7b56ea54cc7933a9f5857
Submitter: Jenkins
Branch: master

commit 6c8d10130b7658b733d7b56ea54cc7933a9f5857
Author: Alexey Deryugin <email address hidden>
Date: Fri Apr 29 12:36:50 2016 +0000

Add _member_ role to Swift operator list

Newly created users unable to interract with Swift by default,
to fix this, we need to add _member_ role to Swift operator list.

Change-Id: Ia4a2ab35efa0e4304b9aba39d59c643848aa123e
Closes-Bug: #1561241

Changed in fuel:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10: Fix proposed to fuel-library (stable/mitaka)

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/314493

Revision history for this message

Ivan Berezovskiy (iberezovskiy) wrote on 2016-05-10:

Fix for 9.0 - https://review.openstack.org/#/c/314493/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-13: Fix merged to fuel-library (stable/mitaka)

Reviewed: https://review.openstack.org/314493
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=d4946028b4149507438216e24f863241a6879b87
Submitter: Jenkins
Branch: stable/mitaka

commit d4946028b4149507438216e24f863241a6879b87
Author: Alexey Deryugin <email address hidden>
Date: Fri Apr 29 12:36:50 2016 +0000

Add _member_ role to Swift operator list

Newly created users unable to interract with Swift by default,
to fix this, we need to add _member_ role to Swift operator list.

    Change-Id: Ia4a2ab35efa0e4304b9aba39d59c643848aa123e
    Closes-Bug: #1561241
    (cherry picked from commit 6c8d10130b7658b733d7b56ea54cc7933a9f5857)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-18: Fix proposed to fuel-library (stable/8.0)

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/318085

Ekaterina Shutova (eshutova) on 2016-06-06

tags:

added: on-verification

Revision history for this message

Ekaterina Shutova (eshutova) wrote on 2016-06-08:

#10

Used scenario from description.
No errors are seen when try to retrieve container list under created user.
Verified on:
cat /etc/fuel_build_id:
443
cat /etc/fuel_build_number:
443
cat /etc/fuel_release:
9.0
cat /etc/fuel_openstack_version:
mitaka-9.0

tags:

removed: on-verification

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-21: Change abandoned on fuel-library (stable/8.0)

#11

Change abandoned by Alexey Deryugin (<email address hidden>) on branch: stable/8.0
Review: https://review.openstack.org/318085

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-10-27: Fix proposed to fuel-library (stable/8.0)

#12

Fix proposed to branch: stable/8.0
Review: https://review.openstack.org/391117

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-12-05: Fix merged to fuel-library (stable/8.0)

#13

Reviewed: https://review.openstack.org/391117
Committed: https://git.openstack.org/cgit/openstack/fuel-library/commit/?id=71060b4c47139bfec1fa7b1fead477d1d7f34363
Submitter: Jenkins
Branch: stable/8.0

commit 71060b4c47139bfec1fa7b1fead477d1d7f34363
Author: Alexey Deryugin <email address hidden>
Date: Wed May 18 16:27:55 2016 +0300

Add _member_ role to Swift operator list

Newly created users unable to interract with Swift by default,
to fix this, we need to add _member_ role to Swift operator list.

Change-Id: Ia4a2ab35efa0e4304b9aba39d59c643848aa123d
Closes-Bug: #1561241

Ekaterina Shutova (eshutova) on 2017-02-09

tags:

added: on-verification

Revision history for this message

Ekaterina Shutova (eshutova) wrote on 2017-02-09:

#14

Verified on MOS 8.0 MU4 updates. Used scenario from description.
Container list is available under created user.

tags:

removed: on-verification

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.