ACL not automatically replicated to _segments container

Bug #1581454 reported by Alberto Colla
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)
Won't Fix

Bug Description

I have noticed that ACLs set on a container are not replicated to the container_segments container where files > 5GB are stored. So it happens that a user/tenant which has read access to the container cannot list or download big files until I post the same ACLs to _segments. Is it possible to have this feature enabled?

Tags: acl segments
Revision history for this message
Saverio Proto (zioproto) wrote :

Steps to reproduce the bug.

Create a container and give read permission to another tenant:

swift post mycontainer -r 'ext_tenant:*'

At this point the user from ext_tenant is able to list objects and download them, but only the objects stored in a single part. SLO objects will fail with 403.

swift --os-project-name ext_tenant \
--os-storage-url http://swiftproxy.mydomain:8080/v1/AUTH_<UUID_of_tenant_that_owns_the_containers> list mycontainer

After giving this additional read permission:

swift post mycontainer_segments -r 'ext_tenant:*'

The user is able to read also objects that are segmented because larger than 5GB.

The user should not know about the existence of the mycontainer_segments container, so the first ACL call should take care of setting the right read permission everywhere.

Revision history for this message
Matthew Oliver (matt-0) wrote :

This was dealt with, well arguably mostly in
Which pushes the referrer into the subrequests that are send to the segments container so the acl's can be matched.

The segments container will still need acls sent. But this is known and expected.

Changed in swift:
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers