ACL not automatically replicated to _segments container
Bug #1581454 reported by Alberto Colla
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Object Storage (swift) | Won't Fix | Undecided | Unassigned | |
Bug Description
I have noticed that ACLs set on a container are not replicated to the container_segments container where files > 5GB are stored. So it happens that a user/tenant which has read access to the container cannot list or download big files until I post the same ACLs to _segments. Is it possible to have this feature enabled?
Steps to reproduce the bug.
Create a container and give read permission to another tenant:
swift post mycontainer -r 'ext_tenant:*'
At this point the user from ext_tenant is able to list objects and download them, but only the objects stored in a single part. SLO objects will fail with 403.
swift --os-project-name ext_tenant \
  --os-storage-url http://swiftproxy.mydomain:8080/v1/AUTH_<UUID_of_tenant_that_owns_the_containers> list mycontainer
After giving this additional read permission:
swift post mycontainer_segments -r 'ext_tenant:*'
The user is also able to read objects that are segmented because they are larger than 5GB.
The user should not know about the existence of the mycontainer_segments container, so the first ACL call should take care of setting the right read permission everywhere.
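The manual workaround from the report, wrapped so the read ACL is copied from the container rather than retyped and then checked. This is an added example, not part of the bug report or of Swift itself. It assumes the python-swiftclient `swift` CLI with credentials already in the environment and the `<container>_segments` naming used above; the function names are hypothetical.

```bash
# Added example: mirror a container's read ACL onto its segments container.
# Assumption: segments live in "<container>_segments", as in the report above.
# Usage: source this file, then run: mirror_read_acl mycontainer

# Print the "Read ACL" value from `swift stat <container>` (empty if unset).
read_acl_of() {
    local out
    out="$(swift stat "$1")" || return 1
    printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Read ACL:[[:space:]]*//p'
}

# Copy the read ACL of <container> to <container>_segments and verify it.
# Returns 1 on CLI failure, 2 if there is no ACL to copy, 3 on mismatch.
mirror_read_acl() {
    local container segments acl
    container="$1"
    segments="${container}_segments"

    acl="$(read_acl_of "$container")" || return 1
    if [ -z "$acl" ]; then
        # Do not touch the segments container when the parent has no read ACL.
        echo "no read ACL on $container; nothing to mirror" >&2
        return 2
    fi

    # Quote the ACL: values such as ext_tenant:* must not be glob-expanded.
    swift post "$segments" -r "$acl" || return 1

    # Read the ACL back so a silently ignored update is caught.
    if [ "$(read_acl_of "$segments")" != "$acl" ]; then
        echo "read ACL on $segments does not match $container" >&2
        return 3
    fi
    echo "$segments read ACL set to: $acl"
}
```

The copy is one-shot: a later change to the container's ACL has to be mirrored again, and read access on the segments container also lets the grantee list and fetch the raw segments.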