Swift with keystone auth does not allow ACL on a Tenant (or Account)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Object Storage (swift) |
Fix Released
|
Undecided
|
Kun Huang | ||
Bug Description
I was doing some testing and making sure the ACL's for my swift install worked. I created an admin user, a regular user, two containers and 2 or 3 objects per container. The first container/object was supposed to have admin only priveleges and the second would allow users from a certain tenant. I tested applying these with both cmd line and api calls and got the same result.
Assume:
tenant name = myTenantName
regular user name = myUser
I set the container headers to:
Then I try to do actions such as list objects or update metadata but get forbidden errors.
I also tried:
but none of them work.
Eventually, I had to specifically set them for each user as follows:
According to the doc my very first set of headers should work. Speaking to some people on the IRC channel I found it's possible that this has to do with the fact that swift uses hash keys to decide ACL permissions. Perhaps the tenants from keystone don't get mapped properly or at all.
I can't find any other bugs relating to this so I'm not sure if it's a known issue without a plan for a fix, hasn't been mentioned yet or if I'm bad at swift.
Any feedback is appreciated and if any more info is needed I'll be happy to provide it.
| Kun Huang (academicgareth) wrote | #1 |
| Changed in swift: | |
| assignee: | nobody → Kun Huang (academicgareth) |
| status: | New → In Progress |
| Changed in swift: | |
| milestone: | none → 1.9.0 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to swift (master) | #2 |
| Changed in swift: | |
| status: | In Progress → Fix Committed |
| Changed in swift: | |
| status: | Fix Committed → Fix Released |
Hi,
Actually, {'X-Container-
I'm not sure core developer's plan, but I could write a patch for this case "myTenantName:*".