2012-05-16 00:52:32 |
Liem Nguyen |
description |
In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>.
This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. Also, tenantName is not unique; so, you can potentially have a security hole where access is granted to the wrong same-named tenant. I am not sure why we are using tenantName here, because it appears we use tenantId pretty much everywhere else to uniquely identify a tenant.
At any rate, I raise this bug because of backward-incompatibility with essex-3. To maintain backward compatibility, we should at least support the old format as well.
Thanks,
Liem |
In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>.
This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. To maintain backward compatibility, we should at least support the old format as well.
Thanks,
Liem |
|
2012-05-16 00:57:47 |
Liem Nguyen |
description |
In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>.
This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. To maintain backward compatibility, we should at least support the old format as well.
Thanks,
Liem |
In KSL (2012.1), Swift auth middleware uses a new format for expressing a container ACL for a user: <tenantName>:<userName>. In essex-3 and before, it was in the format of <tenantId>:<userName>.
This breaks backward-compatibility for those Swift containers that already have the old format for the ACL pre-KSL. To maintain backward compatibility, we should at least support the old format as well. It also appears that we are using tenantId to identify the tenant everywhere else (Nova project, Swift account), so why not in Swift ACL as well for consistency?
Thanks,
Liem |
|
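The two ACL formats discussed in this description, sketched as an added example that is not part of the bug report and is not Swift's own middleware code. The `Identity` tuple, the function names, the comma-separated ACL string and all sample values are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed identity: what an auth layer would know about the caller.
Identity = namedtuple("Identity", "tenant_id tenant_name user_name")


def parse_acl(acl):
    """Split a comma-separated ACL string into (tenant, user) pairs."""
    pairs = []
    for entry in acl.split(","):
        tenant, sep, user = entry.strip().partition(":")
        if sep and tenant and user:  # skip empty or malformed entries
            pairs.append((tenant, user))
    return pairs


def allowed_by_name(identity, acl):
    """New format only: <tenantName>:<userName>."""
    return (identity.tenant_name, identity.user_name) in parse_acl(acl)


def allowed_by_id(identity, acl):
    """Old format only: <tenantId>:<userName>."""
    return (identity.tenant_id, identity.user_name) in parse_acl(acl)


def allowed_compat(identity, acl):
    """Accept either format so ACLs written in the old format still match."""
    return allowed_by_id(identity, acl) or allowed_by_name(identity, acl)


# Constructed sample data: two distinct tenants that share the name "acme".
INTENDED = Identity("t-1001", "acme", "alice")
SAME_NAME = Identity("t-2002", "acme", "alice")
OLD_ACL = "t-1001:alice"  # <tenantId>:<userName>
NEW_ACL = "acme:alice"    # <tenantName>:<userName>

if __name__ == "__main__":
    # Name-only matching no longer honours an ACL stored in the old format.
    print("old ACL, name match:", allowed_by_name(INTENDED, OLD_ACL))
    # A name-based entry cannot tell the two "acme" tenants apart.
    print("new ACL, same-named tenant:", allowed_by_name(SAME_NAME, NEW_ACL))
    # An id-based entry matches only the tenant it was written for.
    print("old ACL, same-named tenant:", allowed_by_id(SAME_NAME, OLD_ACL))
    # Accepting both formats restores the old ACL for the intended tenant.
    print("old ACL, compat match:", allowed_compat(INTENDED, OLD_ACL))
```

Accepting both formats restores matching for ACLs stored in the old format, but any entry written with a tenant name still matches every tenant carrying that name.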