request for account ACLs in swift with keystone authentication

Bug #1333409 reported by Rob Mitchell on 2014-06-23
This bug affects 1 person
Affects: OpenStack Object Storage (swift)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

I set up the read-only account ACL but it is not honored:

[root@sprswiftprox02 ~]# swift stat
       Account: AUTH_ab8bb98436294dd9b13fe0f252806cd7
    Containers: 1
       Objects: 1055142
         Bytes: 217413815906
Meta X-Account-Acl: {"read-only": ["eu1prdimgsrvtenant:eu1prdimgsrvread01"]}
    X-Cnection: close
           Via: 1.1 sprswiftprox02.stni.mycompany.com:8443
 Accept-Ranges: bytes
          Vary: Accept-Encoding
   X-Timestamp: 1403165800.23848
  Content-Type: text/plain; charset=utf-8
[root@sprswiftprox02 ~]#

[root@sprswiftprox02 proc]# curl -v -d '{"auth":{"passwordCredentials":{"username": "eu1prdimgsrvread01", "password": "dataread01"},"tenantName":"eu1prdimgsrvtenant"}}' -H "Content-type: application/json" https://keystone.stni.mycompany.com:5443/v2.0/tokens
* About to connect() to keystone.stni.mycompany.com port 5443 (#0)
* Trying 10.17.25.2... connected
* Connected to keystone.stni.mycompany.com (10.17.25.2) port 5443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: CN=keystone.stni.mycompany.com,OU=1173797355,O=mycompany TECHNOLOGY LLC,L=Oklahoma City,ST=Oklahoma,C=US
* start date: Apr 15 00:00:00 2014 GMT
* expire date: Apr 15 23:59:59 2016 GMT
* common name: keystone.stni.mycompany.com
* issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> POST /v2.0/tokens HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: keystone.stni.mycompany.com:5443
> Accept: */*
> Content-type: application/json
> Content-Length: 127
>
< HTTP/1.1 200 OK
< Date: Mon, 23 Jun 2014 19:52:18 GMT
< Server: Apache/2.2.15 (CentOS)
< Vary: X-Auth-Token,Accept-Encoding
< Content-Length: 3628
< X-Cnection: close
< Content-Type: application/json
<
{"access": {"token": {"issued_at": "2014-06-23T19:52:18.814296", "expires": "2014-06-24T19:52:18Z", "id": "MIIG1AYJKoZIhvcNAQcCoIIGxTCCBsECAQExCTAHBgUrDgMCGjCCBSoGCSqGSIb3DQEHAaCCBRsEggUXeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxNC0wNi0yM1QxOTo1MjoxOC44MTQyOTYiLCAiZXhwaXJlcyI6ICIyMDE0LTA2LTI0VDE5OjUyOjE4WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogbnVsbCwgImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiYWI4YmI5ODQzNjI5NGRkOWIxM2ZlMGYyNTI4MDZjZDciLCAibmFtZSI6ICJldTFwcmRpbWdzcnZ0ZW5hbnQifX0sICJzZXJ2aWNlQ2F0YWxvZyI6IFt7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHBzOi8vZ3VsbGl2ZXIuc3RuaS5zZWFnYXRlLmNvbTo4NDQzLyIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHBzOi8vZ3VsbGl2ZXIuc3RuaS5zZWFnYXRlLmNvbTo4NDQzL3YxL0FVVEhfYWI4YmI5ODQzNjI5NGRkOWIxM2ZlMGYyNTI4MDZjZDciLCAiaWQiOiAiNTY0MTllNjhiYmQwNDA1YmE0OWY0MjM4MTA3MmQwMDYiLCAicHVibGljVVJMIjogImh0dHBzOi8vZ3VsbGl2ZXIuc3RuaS5zZWFnYXRlLmNvbTo4NDQzL3YxL0FVVEhfYWI4YmI5ODQzNjI5NGRkOWIxM2ZlMGYyNTI4MDZjZDcifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAib2JqZWN0LXN0b3JlIiwgIm5hbWUiOiAic3dpZnQifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwczovL3NwcnN3aWZ0YXV0aDAxLnN0bmkuc2VhZ2F0ZS5jb206MzU0NDMvdjIuMCIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHBzOi8va2V5c3RvbmUuc3RuaS5zZWFnYXRlLmNvbTo1NDQzL3YyLjAiLCAiaWQiOiAiMTZhMjM1ZWJlNzE5NDhjZTg0N2RmYjdmOTE0NTI4YjUiLCAicHVibGljVVJMIjogImh0dHBzOi8va2V5c3RvbmUuc3RuaS5zZWFnYXRlLmNvbTo1NDQzL3YyLjAifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9uZSJ9XSwgInVzZXIiOiB7InVzZXJuYW1lIjogImV1MXByZGltZ3NydnJlYWQwMSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQiOiAiNjc3NWRiMGEyNzRmNGYyOGFjZTZlNGI3NDQxZDNiZTIiLCAicm9sZXMiOiBbeyJuYW1lIjogInN3aWZ0cmVhZG9ubHkifSwgeyJuYW1lIjogIl9tZW1iZXJfIn1dLCAibmFtZSI6ICJldTFwcmRpbWdzcnZyZWFkMDEifSwgIm1ldGFkYXRhIjogeyJpc19hZG1pbiI6IDAsICJyb2xlcyI6IFsiOWJiMDI4NTJhYjk0NGNlNDg2NTIwNGMyZTgzMjUzZWUiLCAiOWZlMmZmOWVlNDM4NGIxODk0YTkwODc4ZDNlOTJiYWIiXX19fTGCAYEwggF9AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4wDAYDVQQHDAVVb
nNldDEOMAwGA1UECgwFVW5zZXQxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASCAQBfe1-9T4XNkTLKCWHKZpfmQyDx7RKrO4WI9Y+pKMGkSAsI4FspuRYekVd0IspZSGwBATFLngDCzYiEE6pdQZBlhTE7e5943SsSyUj-DJGoSc8LBDcBaPUAf8J5NcgqWbEBg99QDi9DG4lQ+602ctIvJgO1bMTEeGufR3816xZtyWDMSKqIz0WQ4yL2YvxShy869l+bgue+f92qU4I8DiZZVuFxfdR9WRHT66GGrUAU6rMWSE5pWhUab9TyHgYErWY+-s9vGHprGfOFMz2eWV0Lz2kordSH1TSauxBd1Df4SFtQr4qJUtg99clKiSKznbT2s8IPQ+qAywnEb-7kf7nL", "tenant": {"description": null, "enabled": true, "id": "ab8bb98436294dd9b13fe0f252806cd7", "name": "eu1prdimgsrvtenant"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "https://gulliver.stni.mycompany.com:8443/", "region": "regionOne", "internalURL": "https://gulliver.stni.mycompany.com:8443/v1/AUTH_ab8bb98436294dd9b13fe0f252806cd7", "id": "56419e68bbd0405ba49f42381072d006", "publicURL": "https://gulliver.stni.mycompany.com:8443/v1/AUTH_ab8bb98436294dd9b13fe0f252806cd7"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "https://sprswiftauth01.stni.mycompany.com:35443/v2.0", "region": "regionOne", "internalURL": "https://keystone.stni.mycompany.com:5443/v2.0", "id": "16a235ebe71948ce847dfb7f914528b5", "publicURL": "https://keystone.stni.mycompany.com:5443/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "eu1prdimgsrvread01", "roles_links": [], "id": "6775db0a274f4f28ace6e4b7441d3be2", "roles": [{"name": "swiftreadonly"}, {"name": "_member_"}], "name": "eu1prdimgsrvread01"}, "metadata": {"is_admin": 0, "roles": ["9bb02852ab944ce4865204c2e83253ee", "9fe2ff9ee4384b1894a90878d3e92bab"]}}}
* Connection #0 to host keystone.stni.mycompany.com left intact
* Closing connection #0
[root@sprswiftprox02 proc]#
[root@sprswiftprox02 proc]# curl -i -H "X-Auth-Token: MIIG1AYJKoZIhvcNAQcCoIIGxTCCBsECAQExCTAHBgUrDgMCGjCCBSoGCSqGSIb3DQEHAaCCBRsEggUXeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxNC0wNi0yM1QxOTo1MjoxOC44MTQyOTYiLCAiZXhwaXJlcyI6ICIyMDE0LTA2LTI0VDE5OjUyOjE4WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogbnVsbCwgImVuYWJsZWQiOiB0cnVlLCAiaWQiOiAiYWI4YmI5ODQzNjI5NGRkOWIxM2ZlMGYyNTI4MDZjZDciLCAibmFtZSI6ICJldTFwcmRpbWdzcnZ0ZW5hbnQifX0sICJzZXJ2aWNlQ2F0YWxvZyI6IFt7ImVuZHBvaW50cyI6IFt7ImFkbWluVVJMIjogImh0dHBzOi8vZ3VsbGl2ZXIuc3RuaS5zZWFnYXRlLmNvbTo4NDQzLyIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHBzOi8vZ3VsbGl2ZXIuc3RuaS5zZWFnYXRlLmNvbTo4NDQzL3YxL0FVVEhfYWI4YmI5ODQzNjI5NGRkOWIxM2ZlMGYyNTI4MDZjZDciLCAiaWQiOiAiNTY0MTllNjhiYmQwNDA1YmE0OWY0MjM4MTA3MmQwMDYiLCAicHVibGljVVJMIjogImh0dHBzOi8vZ3VsbGl2ZXIuc3RuaS5zZWFnYXRlLmNvbTo4NDQzL3YxL0FVVEhfYWI4YmI5ODQzNjI5NGRkOWIxM2ZlMGYyNTI4MDZjZDcifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAib2JqZWN0LXN0b3JlIiwgIm5hbWUiOiAic3dpZnQifSwgeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwczovL3NwcnN3aWZ0YXV0aDAxLnN0bmkuc2VhZ2F0ZS5jb206MzU0NDMvdjIuMCIsICJyZWdpb24iOiAicmVnaW9uT25lIiwgImludGVybmFsVVJMIjogImh0dHBzOi8va2V5c3RvbmUuc3RuaS5zZWFnYXRlLmNvbTo1NDQzL3YyLjAiLCAiaWQiOiAiMTZhMjM1ZWJlNzE5NDhjZTg0N2RmYjdmOTE0NTI4YjUiLCAicHVibGljVVJMIjogImh0dHBzOi8va2V5c3RvbmUuc3RuaS5zZWFnYXRlLmNvbTo1NDQzL3YyLjAifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJrZXlzdG9uZSJ9XSwgInVzZXIiOiB7InVzZXJuYW1lIjogImV1MXByZGltZ3NydnJlYWQwMSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQiOiAiNjc3NWRiMGEyNzRmNGYyOGFjZTZlNGI3NDQxZDNiZTIiLCAicm9sZXMiOiBbeyJuYW1lIjogInN3aWZ0cmVhZG9ubHkifSwgeyJuYW1lIjogIl9tZW1iZXJfIn1dLCAibmFtZSI6ICJldTFwcmRpbWdzcnZyZWFkMDEifSwgIm1ldGFkYXRhIjogeyJpc19hZG1pbiI6IDAsICJyb2xlcyI6IFsiOWJiMDI4NTJhYjk0NGNlNDg2NTIwNGMyZTgzMjUzZWUiLCAiOWZlMmZmOWVlNDM4NGIxODk0YTkwODc4ZDNlOTJiYWIiXX19fTGCAYEwggF9AgEBMFwwVzELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVVuc2V0MQ4wDAYDVQQHDAVVbnNldDEOMAwGA1UECgwFVW5zZXQxGDAWBgNVBAMMD3d3dy5leGFtcG
xlLmNvbQIBATAHBgUrDgMCGjANBgkqhkiG9w0BAQEFAASCAQBfe1-9T4XNkTLKCWHKZpfmQyDx7RKrO4WI9Y+pKMGkSAsI4FspuRYekVd0IspZSGwBATFLngDCzYiEE6pdQZBlhTE7e5943SsSyUj-DJGoSc8LBDcBaPUAf8J5NcgqWbEBg99QDi9DG4lQ+602ctIvJgO1bMTEeGufR3816xZtyWDMSKqIz0WQ4yL2YvxShy869l+bgue+f92qU4I8DiZZVuFxfdR9WRHT66GGrUAU6rMWSE5pWhUab9TyHgYErWY+-s9vGHprGfOFMz2eWV0Lz2kordSH1TSauxBd1Df4SFtQr4qJUtg99clKiSKznbT2s8IPQ+qAywnEb-7kf7nL" https://gulliver.stni.mycompany.com:8443/v1/AUTH_ab8bb98436294dd9b13fe0f252806cd7
HTTP/1.1 403 Forbidden
Date: Mon, 23 Jun 2014 19:52:55 GMT
Content-Length: 73
Content-Type: text/html; charset=UTF-8
Via: 1.1 sprswiftprox02.stni.mycompany.com:8443
Vary: Accept-Encoding
X-Cnection: close

<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>[root@sprswiftprox02 proc]#

Alistair Coles (alistair-coles) wrote :

Account ACLs are not supported with keystone auth, as documented here [1]. Making this a wishlist item.

[1] https://docs.openstack.org/swift/latest/overview_acl.html#account-acls

Changed in swift:
status: New → Confirmed
importance: Undecided → Wishlist
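The report above sets an account ACL in the JSON form documented for X-Account-Access-Control (groups "admin", "read-write", "read-only", each a list of identities) and then gets a 403 through Keystone; the comment explains why: keystoneauth does not evaluate account ACLs, only tempauth does. The block below is an added example, not code from Swift or from the reporter. It parses that document, fails closed on malformed input, applies the documented meaning of the three groups, and models the Keystone case as a backend that never consults the ACL, so the reported identity gets the same denial seen in the curl output. The function names, the account/container/object scope model and the sample requests are this example's own assumptions; the ACL string and the "tenant:user" identity are copied from the report.

```python
"""Account ACL evaluation in the X-Account-Access-Control format.

Added example; this is not Swift's code and not the reporter's. It models the
JSON document the Swift ACL docs specify for account ACLs (an object whose
keys are "admin", "read-write" and "read-only", each a list of identity
strings) and the verdicts a tempauth-style evaluation would reach, then models
the Keystone case from this report: a backend that does not implement account
ACLs never consults the document, so no grant exists. Function names, the
scope model and the sample requests are this example's own assumptions.
"""
import json

ACL_GROUPS = ("admin", "read-write", "read-only")
READ_METHODS = frozenset({"GET", "HEAD"})
SCOPES = ("account", "container", "object")


def parse_account_acl(raw):
    """Parse and validate an X-Account-Access-Control header value.

    Returns {"admin": [...], "read-write": [...], "read-only": [...]}.
    Anything outside the documented shape raises ValueError so that a typo
    in an ACL fails closed instead of silently granting nothing.
    """
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise ValueError("account ACL is not valid JSON: %s" % exc)
    if not isinstance(doc, dict):
        raise ValueError("account ACL must be a JSON object")
    acl = {group: [] for group in ACL_GROUPS}
    for group, members in doc.items():
        if group not in ACL_GROUPS:
            raise ValueError("unknown ACL group %r" % group)
        if not isinstance(members, list) or not all(
                isinstance(m, str) and m for m in members):
            raise ValueError(
                "%r must be a list of non-empty identity strings" % group)
        acl[group] = list(members)
    return acl


def authorize(acl, identity, method, scope,
              backend_supports_account_acls=True):
    """Decide whether `identity` may issue `method` against `scope`.

    identity: the "tenant:user" string an auth middleware derives for the
              caller (assumed format, matching the entries in the report).
    scope:    "account", "container" or "object"; the groups differ in what
              they allow at each.

    Group meanings follow the Swift ACL docs: admin may do anything,
    including changing account metadata and the ACL; read-write may create,
    read and delete containers and objects but only read the account
    itself; read-only may only read at every scope.

    backend_supports_account_acls=False models keystoneauth at the time of
    this report: the ACL is never evaluated, so there is nothing to grant.
    """
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    method = method.upper()
    if not backend_supports_account_acls:
        return False
    if identity in acl["admin"]:
        return True
    if identity in acl["read-write"]:
        return scope != "account" or method in READ_METHODS
    if identity in acl["read-only"]:
        return method in READ_METHODS
    return False


# Values copied from the report: the ACL the reporter set and the Keystone
# identity (tenantName:username) that then received a 403.
REPORTED_ACL = '{"read-only": ["eu1prdimgsrvtenant:eu1prdimgsrvread01"]}'
REPORTED_IDENTITY = "eu1prdimgsrvtenant:eu1prdimgsrvread01"


def reproduce_report():
    """Evaluate the reported ACL under both backend assumptions."""
    acl = parse_account_acl(REPORTED_ACL)
    return {
        # what a tempauth-style evaluation would grant the read-only user
        "tempauth_account_head": authorize(
            acl, REPORTED_IDENTITY, "HEAD", "account"),
        "tempauth_object_get": authorize(
            acl, REPORTED_IDENTITY, "GET", "object"),
        "tempauth_container_put": authorize(
            acl, REPORTED_IDENTITY, "PUT", "container"),
        # the keystoneauth case in this report: ACL ignored, hence 403
        "keystone_account_head": authorize(
            acl, REPORTED_IDENTITY, "HEAD", "account",
            backend_supports_account_acls=False),
    }


if __name__ == "__main__":
    for name, allowed in sorted(reproduce_report().items()):
        print("%-24s %s" % (name, "allowed" if allowed else "403 Forbidden"))
```

Two practical notes follow from this. The header Swift documents for account ACLs is X-Account-Access-Control; the `swift stat` output in the report lists the value under `Meta`, which is how the client prints ordinary account user-metadata, and no auth middleware reads an ACL from there. And with keystoneauth the supported way to give another project's user read access is a container ACL (X-Container-Read with a `tenant:user` entry, the same identity form the reporter used), which keystoneauth does evaluate.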