Multi-tenant swift store image sharing doesn't work
Bug #1155389 reported by Mark Washenberger
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Glance | Fix Released | Critical | Kun Huang |
OpenStack Object Storage (swift) | Fix Released | High | Kun Huang |
Bug Description
Using the multi-tenant swift store, I can't read images shared with me.
This seems to be because glance is setting the X-Container-Read header on the image container to be a list of tenant ids. However, a bare tenant id is not among the approved ACL settings, which can only be of the form:
tenant_id:user_id
tenant_name:user_id
*:user_id
Unfortunately there doesn't seem to be any way to really make this work without a change in swift. In particular, we need swift to support something like <tenant_id>:* to indicate that permissions are extended to all users that can successfully authenticate for the given tenant id.
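The matching problem described in this report, as an added example (not code from the report, Glance or Swift). It is a simplified model built only from the ACL forms listed above; the function names, the sample identity and the `allow_user_wildcard` switch (standing in for the requested `<tenant_id>:*` support) are assumptions made for illustration.

```python
# Simplified model of X-Container-Read matching as the report describes it.
# Not Swift's implementation; all names and sample values are constructed.

def parse_read_acl(header):
    """Split a header value into (tenant, user) grants and rejected entries."""
    grants, rejected = [], []
    for raw in header.split(","):
        entry = raw.strip()
        if not entry:
            continue
        tenant, sep, user = entry.partition(":")
        if sep and tenant and user:
            grants.append((tenant, user))
        else:
            # A bare tenant id has no user part, so it is not one of the
            # listed forms (tenant_id:user_id, tenant_name:user_id, *:user_id).
            rejected.append(entry)
    return grants, rejected


def can_read(header, identity, allow_user_wildcard=False):
    """Return True if the identity matches any grant in the header.

    allow_user_wildcard=False models the listed forms only;
    True models the requested <tenant_id>:* form (hypothetical switch).
    """
    grants, _ = parse_read_acl(header)
    tenants = {identity["tenant_id"], identity["tenant_name"], "*"}
    users = {identity["user_id"]}
    if allow_user_wildcard:
        users.add("*")
    return any(t in tenants and u in users for t, u in grants)


# Constructed identity of a user in the tenant the image was shared with.
BOB = {"tenant_id": "t-shared", "tenant_name": "shared-proj", "user_id": "u-bob"}

if __name__ == "__main__":
    for acl, wildcard in [("t-shared", False), ("t-shared:*", False),
                          ("t-shared:*", True), ("t-shared:u-bob", False)]:
        print(f"{acl!r:18} wildcard={wildcard!s:5} -> {can_read(acl, BOB, wildcard)}")
```
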
Changed in glance:
status: New → Triaged
importance: Undecided → High
milestone: none → havana-1
Changed in glance:
importance: High → Critical
Changed in swift:
assignee: nobody → Kun Huang (academicgareth)
status: New → In Progress
Changed in swift:
importance: Undecided → High
Changed in swift:
milestone: none → 1.9.0
Changed in swift:
status: Fix Committed → Fix Released
Changed in glance:
assignee: nobody → Mark Washenberger (markwash)
status: Triaged → In Progress
Changed in glance:
status: In Progress → Fix Committed
Changed in glance:
status: Fix Committed → Fix Released
Changed in glance:
milestone: havana-2 → 2013.2
Swift *does* support this. The proper ACL syntax for all users in an account is just...
<tenant_id>
See: http://docs.openstack.org/developer/swift/misc.html#id5