python-swiftclient

account HEAD returns 403 which fails --os-storage-url

Bug #1371650 reported by John Dickinson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
python-swiftclient
Fix Released
Undecided
Alistair Coles

Bug Description

There is an option in the Swift CLI to override the storage URL. This option is "--os-storage-url". This works great for reading data in other accounts you have (full) permissions in, but the bug is that the swiftclient code does a HEAD request and gets a 403 (unauthorized) to the other account and returns "account not found".

eg if you Have read or write access to a container in a different account, you cannot use the CLI to access that container because it is doing an account HEAD (to the account specified by the --os-storage-url) and getting a 403 which is then reported as "account not found".

Alistair Coles (alistair-coles)
Changed in python-swiftclient:
assignee: nobody → Alistair Coles (alistair-coles)
status: New → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to python-swiftclient (master)

Fix proposed to branch: master
Review: https://review.openstack.org/125759

Changed in python-swiftclient:
status: Confirmed → In Progress
Revision history for this message
Alistair Coles (alistair-coles) wrote :

First issue is that an account HEAD was being attempted during object upload which clearly will fail if the user is not account owner.

Second is that an object HEAD is attempted to check if the object is a manifest and has segments that should be deleted before the new object is PUT. That will also fail if the user only has write access in the container ACLs. The proposed patch does not change this behavior - a workaround is to use the --leave-segments option for the object upload which will cause the object HEAD to be skipped.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-swiftclient (master)

Reviewed: https://review.openstack.org/125759
Committed: https://git.openstack.org/cgit/openstack/python-swiftclient/commit/?id=9593d4b58a5e9f240e26d7873d3cc251c7d51f71
Submitter: Jenkins
Branch: master

commit 9593d4b58a5e9f240e26d7873d3cc251c7d51f71
Author: Alistair Coles <email address hidden>
Date: Mon Sep 29 18:26:33 2014 +0100

    Fix cross account upload using --os-storage-url

    Removes an account stat from the object upload path.
    This stat fails when user is not account admin even
    though the user may have container ACL permission to
    write objects.

    Reduces the severity of the CLI output message when
    upload fails to create the given container (this is
    not an error since the container may exist - the user
    just does not have permission to PUT or POST the
    container).

    Changes the 'swift upload' exit return code from 1 to
    0 if container PUT fails but object PUT succeeds.

    For segment uploads, makes the attempt to create the
    segment container conditional on it not being the same
    as the manifest container. This avoids an unnecessary
    container PUT.

    Fixes another bug that became apparent: with segmented
    upload a container HEAD may be attempted to determine
    the policy to be used for the segment container. When
    this failed the result dict has headers=None which was
    causing an exception in the shell result handler.

    Add unit tests for object upload/download and container
    list with --os-storage-url option.

    Closes-Bug: #1371650
    Change-Id: If1f8a02ee7459ea2158ffa6e958f67d299ec529e

Changed in python-swiftclient:
status: In Progress → Fix Committed
John Dickinson (notmyname)
Changed in python-swiftclient:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-swiftclient 2.4.0

This issue was fixed in the openstack/python-swiftclient 2.4.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.