OpenStack Object Storage (Swift)

Adding world readable access can prevent other users granted read access from listing container.

Reported by Byron McCollum on 2012-11-25
Affects: OpenStack Object Storage (swift)
Importance: Undecided
Assigned to: Kun Huang

Bug Description

Adding world readable access can prevent other users granted read access from listing container.

Alice's Roles: member, swiftoperator
Andy's Roles: member

alice@AlphaTenant:~$ swift upload container object
object

alice@AlphaTenant:~$ swift stat container | grep "Read ACL"
 Read ACL:

andy@AlphaTenant:~$ swift list container
Container GET failed: http://192.168.2.12:8080/v1/AUTH_df10ab19126240d2acaef191e7b3878e/container?format=json 403 Forbidden 403 Forbidden

Access was denied to this resource.

alice@AlphaTenant:~$ swift post container -r 'AlphaTenant:andy'

alice@AlphaTenant:~$ swift stat container | grep "Read ACL"
 Read ACL: AlphaTenant:andy

andy@AlphaTenant:~$ swift list container
object

alice@AlphaTenant:~$ swift post container -r 'AlphaTenant:andy,.r:*'

alice@AlphaTenant:~$ swift stat container | grep "Read ACL"
 Read ACL: AlphaTenant:andy,.r:*

andy@AlphaTenant:~$ swift list container
Container GET failed: http://192.168.2.12:8080/v1/AUTH_df10ab19126240d2acaef191e7b3878e/container?format=json 403 Forbidden 403 Forbidden

Access was denied to this resource.

Kun Huang (academicgareth) wrote :

I'm curious about this too, but I found this while reading the code.
I pasted that code on answers.launchpad to ask.
In short, a request with a lawful referer (* in your case) and without both an obj in the request and .rlistings in the ACL will be denied.

The question is here: https://answers.launchpad.net/swift/+question/224129

Kun Huang (academicgareth) wrote :

There is no problem with acl.parse_acl; you get a 403 just because, at that time, keystoneauth didn't support 'tenant_name:user_name'.

Now this has been fixed by this patch: https://review.openstack.org/#/c/22820/, so this case is also fixed.

Kun Huang (academicgareth) wrote :

My mistake, that is about tempauth.
The difference is that keystoneauth checks roles first, and tempauth checks the referer first.
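To make the two comments above concrete, here is an added model of the two Read ACL evaluation orders they describe. It is not swift's code: `parse_acl`, `referrer_allowed`, the two `authorize_*` functions and the request dicts are simplified stand-ins written for this example, and it assumes, as the transcript suggests, that `swift list` sends no Referer header. Run over the three ACL values from the report, it shows why `AlphaTenant:andy,.r:*` yields a 403 when the referer rule is consulted first, and why the same ACL passes when the user grant is consulted first (or when `.rlistings` is added).

```python
# Added model of the two Read-ACL evaluation orders described in the
# comments above. It is NOT swift's code; parse_acl/referrer_allowed and
# the request dicts below are simplified stand-ins written for this example.
from urllib.parse import urlparse


def parse_acl(acl_string):
    """Split a Swift-style Read ACL into (referrer rules, grants, rlistings).

    '.r:<host>' entries are referrer rules ('*' matches any referrer, a
    leading '-' denies a host), '.rlistings' lets referrer-granted requests
    list the container, and everything else is a 'tenant:user' grant.
    """
    referrers, grants, rlistings = [], [], False
    for entry in (e.strip() for e in (acl_string or '').split(',')):
        if not entry:
            continue
        if entry == '.rlistings':
            rlistings = True
        elif entry.startswith('.r:'):
            referrers.append(entry[3:])
        else:
            grants.append(entry)
    return referrers, grants, rlistings


def referrer_allowed(referrer, referrers):
    """Match the request's Referer host against the '.r:' rules.

    A request without a Referer header is treated as host 'unknown', so it
    still matches a '.r:*' rule; that is what trips the listing in the bug.
    """
    rhost = urlparse(referrer).hostname if referrer else 'unknown'
    allowed = False
    for rule in referrers:
        if rule.startswith('-'):
            if rule[1:] == '*' or rhost.endswith(rule[1:]):
                return False
        elif rule == '*' or rhost.endswith(rule):
            allowed = True
    return allowed


def authorize_referrer_first(request, acl):
    """Ordering the comments attribute to tempauth: referrer rule first.

    Once a referrer rule matches, the decision is final: object GETs pass,
    container listings pass only with .rlistings, and the per-user grant
    is never consulted. Returns True when access is allowed.
    """
    referrers, grants, rlistings = parse_acl(acl)
    if referrer_allowed(request['referrer'], referrers):
        return bool(request['object']) or rlistings
    return request['user'] in grants


def authorize_roles_first(request, acl):
    """Ordering the comments attribute to keystoneauth: user grant first.

    An explicit 'tenant:user' grant wins before any referrer rule is looked
    at, so adding '.r:*' can no longer lock a granted user out of listings.
    """
    referrers, grants, rlistings = parse_acl(acl)
    if request['user'] in grants:
        return True
    if referrer_allowed(request['referrer'], referrers):
        return bool(request['object']) or rlistings
    return False


# Constructed request matching "andy@AlphaTenant:~$ swift list container":
# an authenticated user, a container listing (no object), no Referer header.
ANDY_LISTING = {'user': 'AlphaTenant:andy', 'referrer': None, 'object': None}

# The three Read ACL values from the report, plus the one that fixes it.
ACLS = ['', 'AlphaTenant:andy', 'AlphaTenant:andy,.r:*',
        'AlphaTenant:andy,.r:*,.rlistings']


def trace(request=ANDY_LISTING, acls=ACLS):
    """Return {acl: (referrer_first_allowed, roles_first_allowed)}."""
    return {acl: (authorize_referrer_first(request, acl),
                  authorize_roles_first(request, acl)) for acl in acls}


if __name__ == '__main__':
    for acl, (ref_first, roles_first) in trace().items():
        print(f'Read ACL {acl!r:40} referrer-first={ref_first!s:5} '
              f'roles-first={roles_first}')
```

The practical takeaway for operators is the last row of the trace: if you want a container both world-readable for object fetches and listable by named users, grant `.rlistings` alongside `.r:*`, which makes the result independent of which middleware ordering is in front of the container.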

Fix proposed to branch: master
Review: https://review.openstack.org/34331

Changed in swift:
assignee: nobody → Kun Huang (academicgareth)
status: New → In Progress

clayg (clay-gerrard) wrote :

Umm... this looks like the fix has been merged - what's the appropriate status here?
