ACLs and container tempurls don't work with x-versions-enable: true

Bug #1880013 reported by clayg
Affects: OpenStack Object Storage (swift) | Status: Fix Released | Importance: Medium | Assigned to: Unassigned

Bug Description

With legacy version modes (x-history-location & x-versions-location) the ACLs applied to the versioned container apply to current versions in the versioned container:

vagrant@saio:~$ swift stat test
               Account: AUTH_test
             Container: test
               Objects: 1
                 Bytes: 8
              Read ACL: .r:*,.rlistings
             Write ACL:
               Sync To:
              Sync Key:
    X-History-Location: test+versions
         Accept-Ranges: bytes
            X-Trans-Id: txd2ccfbd4892a41029cd75-005ec6d311
                  Vary: Accept
      X-Storage-Policy: default
         Last-Modified: Thu, 21 May 2020 19:08:16 GMT
           X-Timestamp: 1590087882.97465
          Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: txd2ccfbd4892a41029cd75-005ec6d311
vagrant@saio:~$ curl http://saio:8080/v1/AUTH_test/test/test
awesome

Containers using the new versions api (x-versions-enable: true) are not able to enable anonymous read access:

vagrant@saio:~$ swift stat new-test
               Account: AUTH_test
             Container: new-test
               Objects: 1
                 Bytes: 8
              Read ACL: .r:*,.rlistings
             Write ACL:
               Sync To:
              Sync Key:
                  Vary: Accept
         Accept-Ranges: bytes
            X-Trans-Id: tx1a7e47f36ff944a289997-005ec6d337
    X-Versions-Enabled: True
      X-Storage-Policy: default
         Last-Modified: Thu, 21 May 2020 19:08:47 GMT
           X-Timestamp: 1590087901.60930
          Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: tx1a7e47f36ff944a289997-005ec6d337
vagrant@saio:~$ curl http://saio:8080/v1/AUTH_test/new-test/test
<html><h1>Unauthorized</h1><p>This server could not verify that you are authorized to access the document you requested.</p></html>

Revision history for this message
Tim Burke (1-tim-z) wrote :

Similar troubles with container tempurls:

$ curl -I --no-verbose $( swift tempurl GET 600 http://saio/v1/AUTH_test/bucket/obj container-key )
HTTP/1.1 401 Unauthorized
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Www-Authenticate: Swift realm="AUTH_test"
Content-Location: /v1/AUTH_test/bucket/obj?version-id=1590512971.59874
X-Object-Version-Id: 1590512971.59874
X-Trans-Id: txabd94623dab7414094d0f-005ecd57ee
X-Openstack-Request-Id: txabd94623dab7414094d0f-005ecd57ee
Date: Tue, 26 May 2020 17:54:54 GMT

Account tempurls are fine, though:

$ curl -I --no-verbose $( swift tempurl GET 600 http://saio/v1/AUTH_test/bucket/obj account-key )
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 8721
Etag: edb906fbd9e621279219ba905ffa122c
Last-Modified: Tue, 26 May 2020 17:09:32 GMT
X-Timestamp: 1590512971.59874
Accept-Ranges: bytes
Content-Location: /v1/AUTH_test/bucket/obj?version-id=1590512971.59874
X-Object-Version-Id: 1590512971.59874
Content-Disposition: attachment; filename="obj"; filename*=UTF-8''obj
Expires: Tue, 26 May 2020 18:04:42 GMT
X-Trans-Id: txa6b5d6c201ca4835bcb63-005ecd57e2
X-Openstack-Request-Id: txa6b5d6c201ca4835bcb63-005ecd57e2
Date: Tue, 26 May 2020 17:54:42 GMT

summary: - ACLs don't work with x-versions-enable: true
+ ACLs and container tempurls don't work with x-versions-enable: true
OpenStack Infra (hudson-openstack) wrote : Fix merged to swift (master)

Reviewed: https://review.opendev.org/724393
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=a8e03f42e09de3f3c660e0d4786bb35fe1317482
Submitter: Zuul
Branch: master

commit a8e03f42e09de3f3c660e0d4786bb35fe1317482
Author: Tim Burke <email address hidden>
Date: Tue Apr 28 16:48:52 2020 -0700

    versioning: Have versioning symlinks make pre-auth requests to reserved container

    Previously, the lack of container ACLs on the reserved container would
    mean that attempting to grant access to the user-visible container would
    not work; the user could not access the backing object.

    Now, have symlinks with the allow-reserved-names sysmeta set be
    pre-authed. Note that the user still has to be authorized to read the
    symlink, and if the backing object was *itself* a symlink, that will be
    authed separately.

    Change-Id: Ifd744044421ef2ca917ce9502b155a6514ce8ecf
    Closes-Bug: #1880013

Changed in swift:
status: In Progress → Fix Released
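The access path that the bug description and the fix commit describe, as an added Python model (not Swift's code and not part of this report): a world-readable container whose current object is a versioning symlink into the NUL-prefixed reserved container, checked under the pre-fix rule (every hop authed) and the post-fix rule (only symlinks carrying the allow-reserved-names sysmeta are pre-authed). The object names, the `test/v1` version key and the sysmeta header name are assumptions modelled on Swift's conventions, and ACL handling is reduced to the `.r:*` entry.

```python
# Constructed model of the GET authorization path for a versioned object,
# written to illustrate bug #1880013; it is not Swift's code. Containers are
# keyed by name, objects by (container, name).
RESERVED = "\x00"  # Swift reserves names that start with a NUL byte
ALLOW_RESERVED = "X-Object-Sysmeta-Allow-Reserved-Names"  # assumed sysmeta key

def versions_container(container):
    """Hidden container in which the versioning middleware keeps versions."""
    return RESERVED + "versions" + RESERVED + container

def parse_read_acl(acl):
    """Split a container read ACL such as '.r:*,.rlistings' into its entries."""
    return [entry.strip() for entry in acl.split(",") if entry.strip()]

def may_read(acls, container, user):
    """Container-level check: the owner always; anonymous only via '.r:*'."""
    return user == "owner" or ".r:*" in parse_read_acl(acls.get(container, ""))

def get_status(store, acls, container, name, user, fixed):
    """Status a client would see for GET container/name.

    fixed=False: every symlink hop is authorized against its target container
    (the reported behaviour).  fixed=True: a hop is pre-authed only when the
    symlink carries ALLOW_RESERVED; reading the symlink itself is still
    checked, and a backing object that is itself a symlink is authed again.
    """
    if not may_read(acls, container, user):
        return 401
    obj = store.get((container, name))
    while obj is not None and "symlink" in obj:
        target_container, target_name = obj["symlink"]
        preauthed = fixed and obj.get(ALLOW_RESERVED, False)
        if not preauthed and not may_read(acls, target_container, user):
            return 401
        obj = store.get((target_container, target_name))
    return 200 if obj is not None else 404

# Constructed sample: 'new-test' is world-readable and its current object is
# a versioning symlink into the reserved container, which has no ACL at all;
# 'leak' is an ordinary user symlink into a private container.
VERS = versions_container("new-test")
ACLS = {"new-test": ".r:*,.rlistings"}
STORE = {
    ("new-test", "test"): {"symlink": (VERS, "test/v1"), ALLOW_RESERVED: True},
    (VERS, "test/v1"): {"data": b"awesome\n"},
    ("new-test", "leak"): {"symlink": ("private", "secret")},
    ("private", "secret"): {"data": b"secret\n"},
}
```

Anonymous reads of `new-test/test` return 401 under the pre-fix rule and 200 after it, while a user symlink into a private container and a backing object that is itself a symlink are still denied to anonymous callers.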
OpenStack Infra (hudson-openstack) wrote : Fix proposed to swift (feature/losf)

Fix proposed to branch: feature/losf
Review: https://review.opendev.org/735381

OpenStack Infra (hudson-openstack) wrote : Fix merged to swift (feature/losf)

Reviewed: https://review.opendev.org/735381
Committed: https://git.openstack.org/cgit/openstack/swift/commit/?id=481f126e6b59689599f438e5d27f7328f5b3e813
Submitter: Zuul
Branch: feature/losf

commit 51a587ed8dd5700b558ad26d70dcb7facc0f91e4
Author: Tim Burke <email address hidden>
Date: Tue Jun 16 11:34:01 2020 -0700

    Use ensure-pip role

    Hopefully this will fix the currently-broken probe test gate?

    Depends-On: https://review.opendev.org/#/c/736070/
    Change-Id: Ib652534b35236fdb6bcab131c7dc08a079bf72f6

commit 79811df34c84b416ce9f445926b31a23a32ea1a4
Author: Tim Burke <email address hidden>
Date: Fri Apr 10 22:02:57 2020 -0700

    Use ini_file to update timeout instead of crudini

    crudini seems to have trouble on py3 -- still not sure *why* it's using
    py3 for the losf job, though...

    Change-Id: Id98055994c8d59e561372417c9eb4aec969afc6a

commit e4586fdcde5267f39056bb1b5f413a411bb8e7a0
Author: Tim Burke <email address hidden>
Date: Tue Jun 9 10:50:07 2020 -0700

    memcached: Plumb logger into MemcacheRing

    This way proxies log memcached errors in the normal way instead of
    to the root logger (which eventually gets them out on STDERR).

    If no logger is provided, fall back to the root logger behavior.

    Change-Id: I2f7b3e7d5b976fab07c9a2d0a9b8c0bd9a840dfd

commit 1dfa41dada30c139129cb2771b0d68c95fd84e32
Author: Tim Burke <email address hidden>
Date: Tue Apr 28 10:45:27 2020 -0700

    swift-get-nodes: Allow users to specify either quoted or unquoted paths

    Now that we can have null bytes in Swift paths, we need a way for
    operators to be able to locate such containers and objects. Our usual
    trick of making sure the name is properly quoted for the shell won't
    suffice; running something like

       swift-get-nodes /etc/swift/container.ring.gz $'AUTH_test/\0versions\0container'

    has the path get cut off after "AUTH_test/" because of how argv works.

    So, add a new option, --quoted, to let operators indicate that they
    already quoted the path.

    Drive-bys:

      * If account, container, or object are explicitly blank, treat them
        as though they were not provided. This provides better errors when
        account is explicitly blank, for example.
      * If account, container, or object are not provided or explicitly
        blank, skip printing them. This resolves ambiguities about things
        like objects whose name is actually "None".
      * When displaying account, container, and object, quote them (since
        they may contain newlines or other control characters).

    Change-Id: I3d10e121b403de7533cc3671604bcbdecb02c795
    Related-Change: If912f71d8b0d03369680374e8233da85d8d38f85
    Closes-Bug: #1875734
    Closes-Bug: #1875735
    Closes-Bug: #1875736
    Related-Bug: #1791302

commit 1b6c8f7fdf630458affe2778fc7be86df3ef1674
Author: Tim Burke <email address hidden>
Date: Fri Jun 5 16:36:32 2020 -0700

    Remove etag-quoter from 2.25.0 release notes

    This was released in 2.24.0, which already has a release note for it.

    Change-Id: I9837df281ec8baa19e8e4a7976f415e8add4a2da

commi...

tags: added: in-feature-losf