Swift3

Setting ACL in a Bucket returns "200 OK" but does not apply the ACL

Bug #1381548 reported by Ariday Balderas
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Swift3
Fix Released
Undecided
Kota Tsuyuzaki

Bug Description

--Setting ACL by using request body, returns a 200 OK Response:--

PUT /s3BucketACL?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 05:09:07 +0000
Authorization: AWS f78452a596024f65beae309e4cadea1b:Lx9C/yYIJI/4+ZSJwrXkJhpyqQg=
Content-Length: 517
Expect: 100-continue

HTTP/1.1 100 Continue

<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner>
    <ID>ariday:monserrat</ID>
    <DisplayName>ariday:monserrat</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI xmlns="">http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>
HTTP/1.1 200 OK
x-amz-id-2: tx23e7159901144baab3e70-00543e0173
Content-Length: 0
x-amz-request-id: tx23e7159901144baab3e70-00543e0173
Content-Type: text/html; charset=UTF-8
Location: s3BucketACL
X-Trans-Id: tx23e7159901144baab3e70-00543e0173
Date: Wed, 15 Oct 2014 05:09:07 GMT

--By reviewing the ACL setup and Header in "s3BucketACL" Bucket, it only returns the "Full Control" Permission of the authenticated user--

GET /s3BucketACL?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 05:09:18 +0000
Authorization: AWS f78452a596024f65beae309e4cadea1b:WaXse8AHMLxL12em+DBfk9XFVNg=

HTTP/1.1 200 OK
x-amz-id-2: txc1ca6dd0aa1e44a3a2d53-00543e017e
Content-Length: 470
x-amz-request-id: txc1ca6dd0aa1e44a3a2d53-00543e017e
Content-Type: text/plain
X-Trans-Id: txc1ca6dd0aa1e44a3a2d53-00543e017e
Date: Wed, 15 Oct 2014 05:09:18 GMT

<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ariday:monserrat</ID><DisplayName>ariday:monserrat</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ariday:monserrat</ID><DisplayName>ariday:monserrat</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>

HEAD /s3BucketACL HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 05:14:33 +0000
Authorization: AWS f78452a596024f65beae309e4cadea1b:jHAteVvZLobu5FUaIOPJFYpddCA=

HTTP/1.1 200 OK
x-amz-id-2: tx78181d34bf5e4fbebc9cc-00543e02b9
Content-Length: 0
x-amz-request-id: tx78181d34bf5e4fbebc9cc-00543e02b9
Content-Type: text/plain; charset=utf-8
X-Trans-Id: tx78181d34bf5e4fbebc9cc-00543e02b9
Date: Wed, 15 Oct 2014 05:14:36 GMT

--Setting ACL by using request headers, it also returns 200 OK response:--

PUT /s3BucketACL2 HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 05:16:55 +0000
Authorization: AWS f78452a596024f65beae309e4cadea1b:4gM8d68jvLpm2uIEETfgo/jAq/s=
x-amz-acl: public-read
Content-Length: 0

HTTP/1.1 200 OK
x-amz-id-2: tx7f28a42bfbbf4998a8dbe-00543e0347
Content-Length: 0
x-amz-request-id: tx7f28a42bfbbf4998a8dbe-00543e0347
Content-Type: text/html; charset=UTF-8
Location: /s3BucketACL2
X-Trans-Id: tx7f28a42bfbbf4998a8dbe-00543e0347
Date: Wed, 15 Oct 2014 05:16:56 GMT

--But by getting the bucket acl, it returns only the "Full-Controll" permission for the authenticated user:--
GET /s3BucketACL2?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 05:17:09 +0000
Authorization: AWS f78452a596024f65beae309e4cadea1b:YvEhHgIdy1aV43DTeL8JLQwoM2g=

HTTP/1.1 200 OK
x-amz-id-2: tx6608f7a109994e75a7716-00543e0355
Content-Length: 470
x-amz-request-id: tx6608f7a109994e75a7716-00543e0355
Content-Type: text/plain
X-Trans-Id: tx6608f7a109994e75a7716-00543e0355
Date: Wed, 15 Oct 2014 05:17:09 GMT

<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ariday:monserrat</ID><DisplayName>ariday:monserrat</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ariday:monserrat</ID><DisplayName>ariday:monserrat</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>

--Even by running swift stat "s3BucketACL(2)" it returns no READ permissions were given to everyone or "public-read" (canned acl)--

Expected:
If put acl request returns 200 OK Response, then it is expected the ACL is set and can be correctly displayed:

<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner>
    <ID>ariday:monserrat</ID>
    <DisplayName>ariday:monserrat</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>ariday:monserrat</ID>
        <DisplayName>ariday:monserrat</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI xmlns="">http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

Kota Tsuyuzaki (tsuyuzaki-kota)
Changed in swift3:
status: New → Confirmed
Kota Tsuyuzaki (tsuyuzaki-kota)
Changed in swift3:
assignee: nobody → Kota Tsuyuzaki (tsuyuzaki-kota)
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to swift3 (master)

Reviewed: https://review.openstack.org/129514
Committed: https://git.openstack.org/cgit/stackforge/swift3/commit/?id=906cce614f789e0e65c168890230156f4be644e3
Submitter: Jenkins
Branch: master

commit 906cce614f789e0e65c168890230156f4be644e3
Author: Kota Tsuyuzaki <email address hidden>
Date: Sun Oct 19 19:51:19 2014 -0700

    Fix X-AMZ-ACL header is not applied

    Current swift generates wrong ACL header (e.g. HTTP_HTTP_Container-Read)
    because it is based on old swift3 specification to apply the header to
    an "enviroment" variable of eventlet. However, now we use the header property
    of swift3.request.Request (also swift.common.swob.Request) which doesn't need "HTTP"
    prefix for a given property key.

    Change-Id: Ie62468ad144772537610adb359c75f46d460fc64
    Closes-Bug: 1381548

Changed in swift3:
status: In Progress → Fix Committed
Kota Tsuyuzaki (tsuyuzaki-kota)
Changed in swift3:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.