request for account ACLs in swift with keystone authentication

Bug #1333409 reported by Rob Mitchell
Affects: OpenStack Object Storage (swift)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

I set up the read-only account ACL but it is not honored:

[root@sprswiftprox02 ~]# swift stat
       Account: AUTH_ab8bb98436294dd9b13fe0f252806cd7
    Containers: 1
       Objects: 1055142
         Bytes: 217413815906
Meta X-Account-Acl: {"read-only": ["eu1prdimgsrvtenant:eu1prdimgsrvread01"]}
    X-Cnection: close
           Via: 1.1 sprswiftprox02.stni.mycompany.com:8443
 Accept-Ranges: bytes
          Vary: Accept-Encoding
   X-Timestamp: 1403165800.23848
  Content-Type: text/plain; charset=utf-8
[root@sprswiftprox02 ~]#

[root@sprswiftprox02 proc]# curl -v -d '{"auth":{"passwordCredentials":{"username": "eu1prdimgsrvread01", "password": "dataread01"},"tenantName":"eu1prdimgsrvtenant"}}' -H "Content-type: application/json" https://keystone.stni.mycompany.com:5443/v2.0/tokens
* About to connect() to keystone.stni.mycompany.com port 5443 (#0)
* Trying 10.17.25.2... connected
* Connected to keystone.stni.mycompany.com (10.17.25.2) port 5443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: CN=keystone.stni.mycompany.com,OU=1173797355,O=mycompany TECHNOLOGY LLC,L=Oklahoma City,ST=Oklahoma,C=US
* start date: Apr 15 00:00:00 2014 GMT
* expire date: Apr 15 23:59:59 2016 GMT
* common name: keystone.stni.mycompany.com
* issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> POST /v2.0/tokens HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: keystone.stni.mycompany.com:5443
> Accept: */*
> Content-type: application/json
> Content-Length: 127
>
< HTTP/1.1 200 OK
< Date: Mon, 23 Jun 2014 19:52:18 GMT
< Server: Apache/2.2.15 (CentOS)
< Vary: X-Auth-Token,Accept-Encoding
< Content-Length: 3628
< X-Cnection: close
< Content-Type: application/json
<
{"access": {"token": {"issued_at": "2014-06-23T19:52:18.814296", "expires": "2014-06-24T19:52:18Z", "id": "[...]-9T4XNkTLKCWHKZpfmQyDx7RKrO4WI9Y+pKMGkSAsI4FspuRYekVd0IspZSGwBATFLngDCzYiEE6pdQZBlhTE7e5943SsSyUj-DJGoSc8LBDcBaPUAf8J5NcgqWbEBg99QDi9DG4lQ+602ctIvJgO1bMTEeGufR3816xZtyWDMSKqIz0WQ4yL2YvxShy869l+bgue+f92qU4I8DiZZVuFxfdR9WRHT66GGrUAU6rMWSE5pWhUab9TyHgYErWY+-s9vGHprGfOFMz2eWV0Lz2kordSH1TSauxBd1Df4SFtQr4qJUtg99clKiSKznbT2s8IPQ+qAywnEb-7kf7nL", "tenant": {"description": null, "enabled": true, "id": "ab8bb98436294dd9b13fe0f252806cd7", "name": "eu1prdimgsrvtenant"}}, "serviceCatalog": [{"endpoints": [{"adminURL": "https://gulliver.stni.mycompany.com:8443/", "region": "regionOne", "internalURL": "https://gulliver.stni.mycompany.com:8443/v1/AUTH_ab8bb98436294dd9b13fe0f252806cd7", "id": "56419e68bbd0405ba49f42381072d006", "publicURL": "https://gulliver.stni.mycompany.com:8443/v1/AUTH_ab8bb98436294dd9b13fe0f252806cd7"}], "endpoints_links": [], "type": "object-store", "name": "swift"}, {"endpoints": [{"adminURL": "https://sprswiftauth01.stni.mycompany.com:35443/v2.0", "region": "regionOne", "internalURL": "https://keystone.stni.mycompany.com:5443/v2.0", "id": "16a235ebe71948ce847dfb7f914528b5", "publicURL": "https://keystone.stni.mycompany.com:5443/v2.0"}], "endpoints_links": [], "type": "identity", "name": "keystone"}], "user": {"username": "eu1prdimgsrvread01", "roles_links": [], "id": "6775db0a274f4f28ace6e4b7441d3be2", "roles": [{"name": "swiftreadonly"}, {"name": "_member_"}], "name": "eu1prdimgsrvread01"}, "metadata": {"is_admin": 0, "roles": ["9bb02852ab944ce4865204c2e83253ee", "9fe2ff9ee4384b1894a90878d3e92bab"]}}}
* Connection #0 to host keystone.stni.mycompany.com left intact
* Closing connection #0
[root@sprswiftprox02 proc]#
[root@sprswiftprox02 proc]# curl -i -H "X-Auth-Token: [...]-9T4XNkTLKCWHKZpfmQyDx7RKrO4WI9Y+pKMGkSAsI4FspuRYekVd0IspZSGwBATFLngDCzYiEE6pdQZBlhTE7e5943SsSyUj-DJGoSc8LBDcBaPUAf8J5NcgqWbEBg99QDi9DG4lQ+602ctIvJgO1bMTEeGufR3816xZtyWDMSKqIz0WQ4yL2YvxShy869l+bgue+f92qU4I8DiZZVuFxfdR9WRHT66GGrUAU6rMWSE5pWhUab9TyHgYErWY+-s9vGHprGfOFMz2eWV0Lz2kordSH1TSauxBd1Df4SFtQr4qJUtg99clKiSKznbT2s8IPQ+qAywnEb-7kf7nL" https://gulliver.stni.mycompany.com:8443/v1/AUTH_ab8bb98436294dd9b13fe0f252806cd7
HTTP/1.1 403 Forbidden
Date: Mon, 23 Jun 2014 19:52:55 GMT
Content-Length: 73
Content-Type: text/html; charset=UTF-8
Via: 1.1 sprswiftprox02.stni.mycompany.com:8443
Vary: Accept-Encoding
X-Cnection: close

<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>[root@sprswiftprox02 proc]#

Alistair Coles (alistair-coles) wrote :

Account ACLs are not supported with keystone auth, as documented here [1]. Making this a wishlist item.

[1] https://docs.openstack.org/swift/latest/overview_acl.html#account-acls

Changed in swift:
status: New → Confirmed
importance: Undecided → Wishlist
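To make the comment above concrete, here is an added example (not Swift's own code) that models the two authorization paths side by side: the tempauth path, which evaluates the JSON account ACL, and the keystoneauth path, which decides from Keystone roles alone and never reads the ACL. The inputs are constructed to mirror the report (the ACL value, the tenant, the user's `swiftreadonly` and `_member_` roles). The `operator_roles`, `reseller_admin_role` and `reseller_prefix` values are assumed to be the documented keystoneauth defaults, and the ACL is assumed to have been set via the `X-Account-Access-Control` header; neither is stated on the page. The last function is a small configuration check a deployer can run against account HEAD headers to catch exactly this misconfiguration.

```python
"""Model of why an account ACL is ignored under keystoneauth (added example)."""
import json

# Constructed inputs mirroring the bug report: the account ACL that was set
# and the parts of the Keystone v2 token response that matter (token id omitted).
ACCOUNT_ACL_HEADER = '{"read-only": ["eu1prdimgsrvtenant:eu1prdimgsrvread01"]}'
TOKEN_RESPONSE = json.dumps({"access": {
    "token": {"tenant": {"id": "ab8bb98436294dd9b13fe0f252806cd7",
                         "name": "eu1prdimgsrvtenant"}},
    "user": {"username": "eu1prdimgsrvread01",
             "roles": [{"name": "swiftreadonly"}, {"name": "_member_"}]}}})
ACCOUNT = "AUTH_ab8bb98436294dd9b13fe0f252806cd7"

# Assumed keystoneauth settings (documented defaults for [filter:keystoneauth]).
OPERATOR_ROLES = {"admin", "swiftoperator"}
RESELLER_ADMIN_ROLE = "ResellerAdmin"
RESELLER_PREFIX = "AUTH_"

ACL_KEYS = ("admin", "read-write", "read-only")
READ_METHODS = {"GET", "HEAD"}


def parse_account_acl(header_value):
    """Parse the JSON account ACL into {key: set of 'tenant:user'}; reject malformed input."""
    try:
        acl = json.loads(header_value)
    except ValueError as exc:
        raise ValueError("account ACL is not valid JSON: %s" % exc)
    if not isinstance(acl, dict):
        raise ValueError("account ACL must be a JSON object")
    parsed = {}
    for key, members in acl.items():
        if key not in ACL_KEYS:
            raise ValueError("unknown account ACL key %r" % key)
        if not isinstance(members, list) or not all(isinstance(m, str) for m in members):
            raise ValueError("ACL key %r must map to a list of strings" % key)
        parsed[key] = set(members)
    return parsed


def identity_from_token(token_json):
    """Extract tenant name/id, username and role names from a v2 token response."""
    access = json.loads(token_json)["access"]
    tenant = access["token"]["tenant"]
    return {"tenant_name": tenant["name"], "tenant_id": tenant["id"],
            "user": access["user"]["username"],
            "roles": {r["name"] for r in access["user"]["roles"]}}


def tempauth_decision(acl, identity, method):
    """tempauth path: ACL members are 'tenant:user'; read-only grants GET/HEAD only."""
    who = "%s:%s" % (identity["tenant_name"], identity["user"])
    if who in acl.get("admin", set()) or who in acl.get("read-write", set()):
        return True
    return who in acl.get("read-only", set()) and method in READ_METHODS


def keystoneauth_decision(identity, account):
    """keystoneauth path: access comes from roles; the account ACL is never consulted."""
    roles = identity["roles"]
    if RESELLER_ADMIN_ROLE in roles:
        return True
    own_account = account == RESELLER_PREFIX + identity["tenant_id"]
    return own_account and bool(roles & OPERATOR_ROLES)


def decide(method):
    """Run both paths on the report's inputs and return the two verdicts."""
    acl = parse_account_acl(ACCOUNT_ACL_HEADER)
    identity = identity_from_token(TOKEN_RESPONSE)
    return {"tempauth": tempauth_decision(acl, identity, method),
            "keystoneauth": keystoneauth_decision(identity, ACCOUNT)}


def acl_ignored_warnings(headers, auth_backend):
    """Flag an account ACL that the configured auth middleware will not enforce."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-account-access-control") and auth_backend == "keystoneauth":
        return ["X-Account-Access-Control is set but keystoneauth does not honour "
                "account ACLs; grant access via Keystone roles or container ACLs"]
    return []


if __name__ == "__main__":
    print(decide("GET"))  # tempauth would allow the read; keystoneauth returns 403
```

Run as a script it prints the verdict for a GET on the account: the tempauth model allows it because the `tenant:user` entry is in the `read-only` list, while the keystoneauth model denies it because `swiftreadonly` and `_member_` are not operator roles. That matches the 403 in the report and is why the fix is to grant a Keystone role (or use container ACLs), not to adjust the account ACL.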
