privileged metadata access for cross-project ACL

Bug #1958167 reported by Raphaël Droz
Affects: OpenStack Object Storage (swift)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

https://docs.openstack.org/swift/latest/overview_acl.html#container-acls
states that "a container ACL does not allow access to privileged metadata (such as X-Container-Sync-Key)."

This is understandable since sensitive things are stored using "privileged" metadata (including ACL themselves IIUC).

But one useful use of "privileged metadata" is "Temp-Url-Key". The fact that we can use them using application credentials (or any means relying upon container ACL) is really limiting.

I strongly suggest that cross-project ACL read-access may **conditionally** allow for **some** privileged metadata ("Temp-Url-Key" in mind).

https://docs.openstack.org/swift/queens/middleware.html#account-acls mentions that "_Users with admin access are swift_owners and can perform any action, including viewing/setting privileged metadata (e.g. changing account ACLs)._"

An intermediary permission between "admin" and "read" would be adequate here: Allow some privileged metadata to be available as part of the read access.
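The following is an added illustration of the behaviour the report describes; it is not code from the bug report or from Swift itself. It models two things: the proxy stripping privileged headers (the `swift_owner_headers` list is reproduced from memory of the proxy-server.conf default and should be treated as an assumption) from a container HEAD for anyone who is not a swift_owner, and the tempurl signature (HMAC over `METHOD\nEXPIRES\nPATH`, hex-encoded, sha1 being the historical default) that a caller can only compute once they hold the key. The container headers and key are constructed sample values.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Headers the proxy only reveals to swift_owners. Assumption: this mirrors the
# proxy-server.conf `swift_owner_headers` default; check your deployment.
SWIFT_OWNER_HEADERS = {
    "x-container-read",
    "x-container-write",
    "x-container-sync-key",
    "x-container-sync-to",
    "x-account-meta-temp-url-key",
    "x-account-meta-temp-url-key-2",
    "x-container-meta-temp-url-key",
    "x-container-meta-temp-url-key-2",
    "x-account-access-control",
}

# Constructed sample of a container HEAD response, not from a real cluster.
CONTAINER_HEADERS = {
    "X-Container-Object-Count": "3",
    "X-Container-Read": "other-project:app-cred-user",
    "X-Container-Meta-Temp-URL-Key": "s3cr3t-temp-url-key",
    "X-Container-Sync-Key": "sync-secret",
}


def visible_headers(headers, is_swift_owner):
    """Headers a caller sees on a container HEAD.

    A user granted only via X-Container-Read (e.g. an application
    credential from another project) never sees privileged metadata.
    """
    if is_swift_owner:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in SWIFT_OWNER_HEADERS}


def temp_url_sig(method, path, expires, key, digest=hashlib.sha1):
    """Signature the tempurl middleware expects: HMAC("METHOD\\nEXPIRES\\nPATH")."""
    body = f"{method}\n{expires}\n{path}"
    return hmac.new(key.encode(), body.encode(), digest).hexdigest()


def make_temp_url(method, path, key, ttl, now=None):
    """Client side: mint a temp URL valid for `ttl` seconds from `now`."""
    expires = int(now if now is not None else time.time()) + ttl
    sig = temp_url_sig(method, path, expires, key)
    query = urlencode({"temp_url_sig": sig, "temp_url_expires": expires})
    return f"{path}?{query}"


def verify_temp_url(method, url, key, now=None):
    """Server side: recompute the signature and reject expired or tampered URLs."""
    path, _, query = url.partition("?")
    params = parse_qs(query)
    try:
        sig = params["temp_url_sig"][0]
        expires = int(params["temp_url_expires"][0])
    except (KeyError, ValueError, IndexError):
        return False
    if expires <= int(now if now is not None else time.time()):
        return False
    expected = temp_url_sig(method, path, expires, key)
    return hmac.compare_digest(sig, expected)


def sign_as(headers, is_swift_owner, method, path, ttl, now=None):
    """Try to mint a temp URL with only the metadata this caller can read.

    Owners can read X-Container-Meta-Temp-URL-Key and sign; a read-ACL
    user gets None because the key is stripped from the response.
    """
    seen = visible_headers(headers, is_swift_owner)
    key = next((v for k, v in seen.items() if k.lower() == "x-container-meta-temp-url-key"), None)
    if key is None:
        return None
    return make_temp_url(method, path, key, ttl, now)


if __name__ == "__main__":
    obj = "/v1/AUTH_project/container/object.bin"
    print("owner   :", sign_as(CONTAINER_HEADERS, True, "GET", obj, 600))
    print("read ACL:", sign_as(CONTAINER_HEADERS, False, "GET", obj, 600))
```

Running it shows the asymmetry the reporter is pointing at: the owner gets a signed URL, the read-ACL holder gets nothing, even though a temp URL would grant no more than the read access they already have. The proposed intermediate permission would amount to letting `visible_headers` pass the Temp-URL-Key headers through for read-ACL callers while still withholding X-Container-Sync-Key and the ACLs themselves.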

