Creating object storage container causes user to be logged out
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Dashboard (Horizon) | Won't Fix | Undecided | Unassigned | |
Bug Description
Version = openstack-dashboard 3:11.0.
Ceph version = 10.2.7
When using the Ceph RGW Swift interface for OpenStack and the OpenStack dashboard version above to create a Swift container, the dashboard does a number of curl requests to check if the bucket name already exists, to prevent the user from trying to create a bucket with the same name as an existing bucket.
In most cases this works as expected; however, if I try to create a bucket that starts with the same name as an existing bucket that has the ACL set to private, I am unexpectedly logged out of the dashboard.
In my tests I have OpenStack user 'paul' and project 'paul' that owns a private Swift bucket called 'paul'.
I then, as a second user 'sean' and project 'sean', try to create a Swift container called 'paul1'. This results in me getting logged out of the dashboard. The below shows the log file for when I try to create this bucket:
```
REQ: curl -i https:/
RESP STATUS: 400 Bad Request
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:01 GMT', u'Content-Length': u'17', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: InvalidBucketName
REQ: curl -i https:/
RESP STATUS: 400 Bad Request
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:02 GMT', u'Content-Length': u'17', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: InvalidBucketName
REQ: curl -i https:/
RESP STATUS: 404 Not Found
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:04 GMT', u'Content-Length': u'12', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: NoSuchBucket
REQ: curl -i https:/
RESP STATUS: 401 Unauthorized
RESP HEADERS: {u'Date': u'Thu, 27 Apr 2017 13:22:04 GMT', u'Content-Length': u'12', u'Content-Type': u'text/plain; charset=utf-8', u'Accept-Ranges': u'bytes', u'X-Trans-Id': u'{hidden}'}
RESP BODY: AccessDenied
Logging out user "sean
```
As you can see, this works until the 401 is received by Horizon from the RGW when checking bucket 'paul'. I believe this is because the ACL of bucket 'paul' (created by user 'paul') is set to private, as I don't have the same issue when the ACL is set to public, or when the ACL is private and I try to create the bucket 'paul1' as the user 'paul'.
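A triage sketch for logs in the format shown above, added here as an example and not part of the original report or of Horizon's code: it flags logouts that directly follow a 401 whose body is AccessDenied, the pattern the reporter attributes to the private container ACL. The function names and the sample log are constructed for illustration.

```python
import re
STATUS_RE = re.compile(r"^RESP STATUS: (\d{3})\b")
BODY_RE = re.compile(r"^RESP BODY: (.*)$")
LOGOUT_RE = re.compile(r'^Logging out user "?([^"\s]+)')

# Constructed sample in the layout of the log above (URLs and headers left out).
SAMPLE_LOG = '''\
REQ: curl -i <url>
RESP STATUS: 400 Bad Request
RESP BODY: InvalidBucketName
REQ: curl -i <url>
RESP STATUS: 404 Not Found
RESP BODY: NoSuchBucket
REQ: curl -i <url>
RESP STATUS: 401 Unauthorized
RESP BODY: AccessDenied
Logging out user "sean"
'''

def parse_events(text):
    """Return ('resp', status, body) and ('logout', user) tuples in log order."""
    events, status = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("REQ:") and status is not None:
            events.append(("resp", status, ""))  # previous response had no body line
            status = None
        if m := STATUS_RE.match(line):
            status = int(m.group(1))
        elif (m := BODY_RE.match(line)) and status is not None:
            events.append(("resp", status, m.group(1).strip()))
            status = None
        elif m := LOGOUT_RE.match(line):
            events.append(("logout", m.group(1)))
    return events

def acl_triggered_logouts(text):
    """Logouts directly preceded by a 401 whose body is AccessDenied."""
    findings, last = [], None
    for event in parse_events(text):
        if event[0] == "resp":
            last = event
        else:
            if last and last[1:] == (401, "AccessDenied"):
                findings.append({"user": event[1], "status": 401, "body": last[2]})
            last = None
    return findings

if __name__ == "__main__":
    print(acl_triggered_logouts(SAMPLE_LOG))
```

A hit means the session was ended by a denial on someone else's container rather than by a problem with the user's own token, which is the case worth separating out when reviewing forced-logout reports.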
tags: added: swift
Swift defines three models (account, container, object) but I don't see 'bucket'. Do you mean 'account' by 'bucket'?
Returning to the bug reported: according to the Swift documentation, ACL for 'account' is not supported when using keystone auth [1]. On the other hand, Horizon requires keystone, and Swift needs to be configured to use keystone auth.
What is your horizon configuration and how do you set ACL for 'account'?
[1] https://docs.openstack.org/developer/swift/overview_acl.html#account-acls