Creating object storage container causes user to be logged out

Bug #1686729 reported by sean redmond
This bug affects 5 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Dashboard (Horizon) | Won't Fix | Undecided | Unassigned | |

Bug Description

Version = openstack-dashboard 3:11.0.1-0ubuntu1~cloud0
Ceph version = 10.2.7

When using the Ceph RGW Swift interface for OpenStack and the OpenStack dashboard version above to create a Swift container, the dashboard does a number of curl requests to check if the bucket name already exists, to prevent the user from trying to create a bucket with the same name as an existing bucket.

In most cases this works as expected; however, if I try to create a bucket that starts with the same name as an existing bucket that has the ACL set to private, I am unexpectedly logged out of the dashboard.

In my tests I have OpenStack user 'paul' and project 'paul' that owns a private Swift bucket called 'paul'.

I then, as a second user 'sean' and project 'sean', try to create a Swift container called 'paul1'. This will result in me getting logged out of the dashboard. The below shows the log file for when I try to create this bucket:

```
REQ: curl -i https://rgw.domain.com/swift/v1/p/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 400 Bad Request
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:01 GMT', u'Content-Length': u'17', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: InvalidBucketName
REQ: curl -i https://rgw.domain.com/swift/v1/pa/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 400 Bad Request
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:02 GMT', u'Content-Length': u'17', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: InvalidBucketName
REQ: curl -i https://rgw.domain.com/swift/v1/pau/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 404 Not Found
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:04 GMT', u'Content-Length': u'12', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: NoSuchBucket
REQ: curl -i https://rgw.domain.com/swift/v1/paul/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 401 Unauthorized
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:04 GMT', u'Content-Length': u'12', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: AccessDenied
Logging out user "sean
```

As you can see, this works until the 401 is received by Horizon from the RGW when checking bucket 'paul'. I believe this is because the bucket ACL of 'paul' (created by user 'paul') is set to private, as I don't have the same issue when the ACL is set to public, or when the ACL is private and I try to create the bucket 'paul1' as the user 'paul'.

Tags: swift
Akihiro Motoki (amotoki) wrote :

Swift defines three models (account, container, object) but I don't see 'bucket'. Do you mean 'account' by 'bucket'?

Returning to the bug reported, according to the Swift document, ACL for 'account' is not supported when using keystone auth [1]. On the other hand, Horizon requires keystone and swift needs to be configured to use keystone auth.
What is your horizon configuration and how do you set ACL for 'account'?

[1] https://docs.openstack.org/developer/swift/overview_acl.html#account-acls

sean redmond (sean-redmond1) wrote :

Sorry, by bucket I mean container, and the ACL of public or private is set on the container, not on an account. This is set by toggling the checkbox 'Public Access'.

tags: added: swift
Gary W. Smith (gary-w-smith) wrote :

This works correctly in Pike using swift with devstack (but not ceph). This makes me wonder whether there is something wrong with the permissions model in swift+ceph.

Akihiro Motoki (amotoki) wrote :

Actually, what we support is the Swift API. I confirmed it works with Swift too, so I think it comes from the different behavior between the Swift API and Ceph's Swift support. If that is correct, it is a bug in the Ceph implementation.

Akihiro Motoki (amotoki) wrote :

Marking this as Incomplete.

Changed in horizon:
status: New → Incomplete
sean redmond (sean-redmond1) wrote :

OK, so if we think this is a Ceph bug we should look to move it to the Ceph bug tracker. I don't currently have a working Swift cluster. If you do, would it be possible for you to collect logs such as those in the initial report, showing the difference in response?

Akihiro Motoki (amotoki) wrote :

This is an example with 'swift' CLI.
http://paste.openstack.org/show/624308/

First, I created a container named 'foo' with user 'ne-motoki'.
Then I tried to access containers 'foo' and 'foo1' with user 'admin'. 404 was returned, as expected.

Akihiro Motoki (amotoki) wrote :

A bit more similar to your REST URL with the same environment as comment #7.
http://paste.openstack.org/show/624309/

I guess swift works correctly. Thanks.

Akihiro Motoki (amotoki) wrote :

Note that my swift environment is integrated with keystone.

In addition, I am not sure whether the URL https://rgw.domain.com/swift/v1/paul/ you used is correct. In the Swift case, the component (paul) just after the version component (v1) is used to identify an account. This field does not specify a container. Horizon's Swift integration assumes keystone, as Horizon itself depends on keystone, so the field is assumed to be 'account'. I am afraid your integration does not satisfy the Horizon assumption.

I believe this bug can be marked as Invalid.

Changed in horizon:
status: Incomplete → Invalid
Ivan Kolodyazhny (e0ne) wrote :

It's a RadosGW configuration issue. You need to set these values in your ceph.conf to enable multi-tenancy [1]:

```
rgw swift account in url = true
rgw s3 auth use keystone = true
```

[1] http://docs.ceph.com/docs/master/radosgw/multitenancy/

Changed in horizon:
status: Invalid → Won't Fix
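
An added example, not part of the original thread or of Horizon's code: a small triage script that pairs each REQ with its RESP STATUS in a log like the one in the report, finds the probe that immediately preceded the logout, and checks whether the request URL carries an account segment after `v1`, as the comments above discuss. The `AUTH_` prefix test and all function names are assumptions; the sample log is constructed from the report's lines.

```python
import re
from urllib.parse import urlparse

# Constructed sample: REQ/RESP STATUS lines from the report, headers and bodies omitted.
SAMPLE_LOG = '''\
REQ: curl -i https://rgw.domain.com/swift/v1/p/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 400 Bad Request
REQ: curl -i https://rgw.domain.com/swift/v1/pau/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 404 Not Found
REQ: curl -i https://rgw.domain.com/swift/v1/paul/ -X GET -H "X-Auth-Token: {hidden}"
RESP STATUS: 401 Unauthorized
Logging out user "sean
'''

REQ_RE = re.compile(r'^REQ: curl -i (\S+) -X (\w+)')
STATUS_RE = re.compile(r'^RESP STATUS: (\d{3})')

def path_after_version(url, version='v1'):
    """Return the path segments that follow the API version component."""
    parts = [p for p in urlparse(url).path.split('/') if p]
    return parts[parts.index(version) + 1:] if version in parts else []

def has_account_segment(url, prefix='AUTH_'):
    """Assumption: an account segment carries the conventional AUTH_ prefix."""
    segs = path_after_version(url)
    return bool(segs) and segs[0].startswith(prefix)

def find_logout_triggers(log_text):
    """Pair each REQ with its RESP STATUS and report the probe preceding a logout."""
    findings, url, last = [], None, None
    for line in log_text.splitlines():
        if m := REQ_RE.match(line):
            url = m.group(1)
        elif (m := STATUS_RE.match(line)) and url:
            last = (url, int(m.group(1)))
        elif line.startswith('Logging out user') and last:
            probed_url, status = last
            findings.append({
                'url': probed_url,
                'status': status,
                'probed_name': (path_after_version(probed_url) or [''])[0],
                'account_in_url': has_account_segment(probed_url),
            })
            last = None
    return findings

if __name__ == '__main__':
    for finding in find_logout_triggers(SAMPLE_LOG):
        print(finding)
```

A finding with `status` 401 and `account_in_url` false matches the situation in this report: the name after `v1` was resolved as a container rather than an account, and the 401 for another project's private container was followed by the logout.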