ACL not automatically replicated to _segments container

Bug #1581454 reported by Alberto Colla on 2016-05-13
This bug affects 2 people
Affects: OpenStack Object Storage (swift)

Bug Description

I have noticed that ACLs set on a container are not replicated to the container_segments container where files > 5GB are stored. So it happens that a user/tenant which has read access to the container cannot list or download big files until I post the same ACLs to _segments. Is it possible to have this feature enabled?

Saverio Proto (zioproto) wrote:

Steps to reproduce the bug.

Create a container and give read permission to another tenant:

swift post mycontainer -r 'ext_tenant:*'

At this point the user from ext_tenant is able to list objects and download them, but only the objects stored in a single part. SLO objects will fail with 403.

swift --os-project-name ext_tenant \
--os-storage-url http://swiftproxy.mydomain:8080/v1/AUTH_<UUID_of_tenant_that_owns_the_containers> list mycontainer

After giving this additional read permission:

swift post mycontainer_segments -r 'ext_tenant:*'

The user is also able to read objects that are segmented because they are larger than 5GB.

The user should not know about the existence of the mycontainer_segments container, so the first ACL call should take care of setting the right read permission everywhere.
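
An audit for the mismatch described in this report, as an added example that is not part of the bug report or of Swift itself: it compares the Read ACL that `swift stat` prints for each container with the one on its `<name>_segments` sibling and reports every pair that differs, in either direction. It assumes the `swift` CLI from python-swiftclient with credentials in the environment; the function names `read_acl` and `acl_drift` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the bug report): find containers whose Read ACL
# differs from the Read ACL on the matching <name>_segments container.
# Assumption: `swift` is the python-swiftclient CLI, already authenticated.

# read_acl CONTAINER -> prints the value of the "Read ACL:" line (may be empty)
read_acl() {
    swift stat "$1" </dev/null 2>/dev/null |
        sed -n 's/^[[:space:]]*Read ACL:[[:space:]]*//p'
}

# acl_drift -> one DRIFT line per mismatching pair.
# Returns 0 if every pair matches, 1 if any pair differs, 2 if listing fails.
acl_drift() {
    containers=$(swift list) || return 2
    status=0
    while IFS= read -r c; do
        # Only look at "parent" containers, not the segment containers.
        case "$c" in
            ''|*_segments) continue ;;
        esac
        # Skip parents that have no <name>_segments sibling.
        printf '%s\n' "$containers" | grep -Fxq -- "${c}_segments" || continue
        a=$(read_acl "$c")
        b=$(read_acl "${c}_segments")
        if [ "$a" != "$b" ]; then
            printf "DRIFT %s: '%s' vs %s_segments: '%s'\n" "$c" "$a" "$c" "$b"
            status=1
        fi
    done <<EOF
$containers
EOF
    return "$status"
}

# Run the audit only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    acl_drift
fi
```

A DRIFT line with an empty value on the `_segments` side is the situation in this report; the fix for that pair is the second `swift post ... -r` shown in the steps above.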
