tempauth: Account ACLs allow users to delete their own accounts

Bug #1740326 reported by Tim Burke
Affects: OpenStack Object Storage (swift)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

On a fresh account, tempauth prevents this:

$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X DELETE
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> DELETE /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/json;q=1, text/*;q=.9, */*;q=.8
> x-auth-token: AUTH_tk8867a25855af488dbbadaa28b7612209
>
< HTTP/1.1 403 Forbidden
< Content-Length: 73
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: tx9a5de00bffce4b5abc692-005a443c2b
< X-Openstack-Request-Id: tx9a5de00bffce4b5abc692-005a443c2b
< Date: Thu, 28 Dec 2017 00:34:51 GMT
<
<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>

But after setting some account ACLs...

$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X POST -H 'x-account-access-control:{"admin":["tester","test","AUTH_test","test:tester","AUTH_test:tester"]}'
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> POST /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/json;q=1, text/*;q=.9, */*;q=.8
> x-auth-token: AUTH_tk8867a25855af488dbbadaa28b7612209
> x-account-access-control:{"admin":["tester","test","AUTH_test","test:tester","AUTH_test:tester"]}
>
< HTTP/1.1 204 No Content
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: txc541be2172194b69b6e77-005a443d31
< X-Openstack-Request-Id: txc541be2172194b69b6e77-005a443d31
< Date: Thu, 28 Dec 2017 00:39:13 GMT
<

... suddenly I *can*!

$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X DELETE
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> DELETE /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/json;q=1, text/*;q=.9, */*;q=.8
> x-auth-token: AUTH_tk8867a25855af488dbbadaa28b7612209
>
< HTTP/1.1 204 No Content
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< X-Account-Status: Deleted
< X-Trans-Id: txf27a6b7e467d4b56a8f80-005a443d38
< X-Openstack-Request-Id: txf27a6b7e467d4b56a8f80-005a443d38
< Date: Thu, 28 Dec 2017 00:39:20 GMT
<

But all the meta's gone, so even with https://review.openstack.org/#/c/507808/ (Add ability to undelete an account) I can't revive it:

$ curl -H "x-auth-token: $OS_AUTH_TOKEN" $OS_STORAGE_URL -X PUT -H x-undelete-account:true
* Trying 192.168.8.80...
* TCP_NODELAY set
* Connected to saio (192.168.8.80) port 8080 (#0)
> PUT /v1/AUTH_test HTTP/1.1
> Host: saio:8080
> User-Agent: curl/7.54.0
> Accept: application/json;q=1, text/*;q=.9, */*;q=.8
> x-auth-token: AUTH_tk8867a25855af488dbbadaa28b7612209
> x-undelete-account:true
>
< HTTP/1.1 403 Forbidden
< Content-Length: 73
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: tx10806338027a4ba9a6176-005a443d9d
< X-Openstack-Request-Id: tx10806338027a4ba9a6176-005a443d9d
< Date: Thu, 28 Dec 2017 00:41:01 GMT
<
* Connection #0 to host saio left intact
<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>

...so *that's* good. However, I'm pretty sure I shouldn't have been allowed to delete it in the first place!
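The report shows the behaviour but not tempauth's code. The following is an added, simplified Python model (not swift's own code) of the two ways a tempauth-style authorize() can treat a user as account admin, written on the assumption that the cause is that the group-based owner path refuses account-level DELETE/PUT while the path that honours the X-Account-Access-Control "admin" list does not; function names, ordering and the ACL shape are assumptions, and the account, user and ACL values are the ones from the report.

```python
# Added model, not swift's code: two "admin" decision paths of a
# tempauth-style authorize() and the account-level guard that, by
# assumption, only the first of them applies. The fix modelled here
# extends that guard to admins granted through the account ACL.
ACCOUNT_LEVEL_METHODS = ("DELETE", "PUT")


def authorize(method, account, container, user, groups, account_acl,
              guard_acl_admins=False):
    """Return True when the request would be allowed.

    groups:      the user's tempauth groups, e.g. ["test", "test:tester",
                 "AUTH_test"]; an .admin user carries its account's name.
    account_acl: parsed X-Account-Access-Control, e.g. {"admin": [...]},
                 or {} while the account has no ACL.
    guard_acl_admins: proposed mitigation, apply the account-level guard
                 to ACL-granted admins as well.
    """
    account_level = container is None and method in ACCOUNT_LEVEL_METHODS
    # Path 1: owner via group membership. Account DELETE/PUT is refused
    # here because creating or deleting an account is an operator action.
    if account in groups and not account_level:
        return True
    # Path 2: admin via the account ACL. Without the guard, a user who may
    # POST the ACL (path 1 allows POST) can list themselves, then DELETE.
    if user in account_acl.get("admin", ()):
        return not (guard_acl_admins and account_level)
    return False


def replay_report(guard_acl_admins=False):
    """Replay the report's sequence; returns (delete_before, delete_after)."""
    user = "test:tester"
    groups = ["test", "test:tester", "AUTH_test"]
    account, acl = "AUTH_test", {}
    before = authorize("DELETE", account, None, user, groups, acl,
                       guard_acl_admins)
    # The POST that stores the ACL is account-level but not DELETE/PUT, so
    # path 1 allows it; afterwards the ACL from the report is in effect.
    assert authorize("POST", account, None, user, groups, acl, guard_acl_admins)
    acl = {"admin": ["tester", "test", "AUTH_test", "test:tester",
                     "AUTH_test:tester"]}
    after = authorize("DELETE", account, None, user, groups, acl,
                      guard_acl_admins)
    return before, after


if __name__ == "__main__":
    print("as reported:", replay_report())        # (False, True)
    print("with guard: ", replay_report(True))    # (False, False)
```

With the guard, container and object requests by ACL-granted admins are unaffected; only account-level DELETE and PUT are refused for them, matching what the owner path already does.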
