HTTP/1.1 403 Forbidden when tempauth user is same as account

Bug #1078471 reported by Dieter P
This bug affects 1 person
Affects: OpenStack Object Storage (swift)
Status: Expired
Importance: Low
Assigned to: Unassigned

Bug Description

using swift 1.7.4, using tempauth

proxy-server.conf:

[filter:tempauth]
use = egg:swift#tempauth
# "hardcode" the storageURL for now. see https://review.openstack.org/#/c/15814/
user_system_root = bar .admin http://10.90.251.91:80/v1/AUTH_system
user_vimeo_vimeo = foo .admin http://10.90.251.91:80/v1/AUTH_vimeo

=> when trying to use this config, i.e.:
swift -A http://dfdfs/auth/v1.0 -U vimeo:vimeo -K foo stat
I get: HTTP/1.1 403 Forbidden

I checked with tcpdump: it authenticates, gets the correct storageURL and a token, but can't access the account.

solution: user_vimeo_somethingelse, that works fine.

Dieter P (dieter-plaetinck) wrote :

correction, the output of the swift list command is:
 Account GET failed: http://10.90.251.91:80/v1/AUTH_vimeo?format=json 403 Forbidden 403 Forbidden

with tcpdump I saw that swift returns the http header HTTP/1.1 403 Forbidden

Alex Yang (alexyang) wrote :

You can check whether account_autocreate=True and allow_account_management=True are set in the proxy-server section.

Dieter P (dieter-plaetinck) wrote :

yes, those are true. here's the snippet:

[pipeline:main]
pipeline = healthcheck cache tempurl tempauth proxy-logging proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

Dieter P (dieter-plaetinck) wrote :

actually, here's the entire config, but it's pretty much default. (actual passwords are of course different):

[DEFAULT]
bind_port = 8080
workers = 8
user = swift
log_statsd_host = dfvimeostatsd1
log_statsd_port = 8125
log_statsd_default_sample_rate = 1
log_statsd_metric_prefix = dfvimeodfsproxy1

[pipeline:main]
pipeline = healthcheck cache tempurl tempauth proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:tempurl]
use = egg:swift#tempurl

[filter:tempauth]
use = egg:swift#tempauth
# "hardcode" the storageURL for now. see https://review.openstack.org/#/c/15814/
user_system_root = bar .admin http://10.90.251.91:80/v1/AUTH_system
user_vimeo_vimeo = foo .admin http://10.90.251.91:80/v1/AUTH_vimeo

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 10.90.151.131:11211,10.90.151.132:11211

Chuck Thier (cthier)
Changed in swift:
importance: Undecided → Low
Chuck Thier (cthier)
Changed in swift:
status: New → Triaged
Changed in swift:
assignee: nobody → Kun Huang (academicgareth)
Kun Huang (academicgareth) wrote :

Hi, Dieter

Could you check with the newest version, 1.7.7?
I have tested with admin:admin and vimeo:vimeo. Both of them are OK.
(Actually I need debug logs for your case, but I find no logs in the target code.)

Changed in swift:
status: Triaged → Incomplete
Changed in swift:
assignee: Kun Huang (academicgareth) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for OpenStack Object Storage (swift) because there has been no activity for 60 days.]

Changed in swift:
status: Incomplete → Expired
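
The `user_<account>_<user>` entries quoted in this report can be checked offline before reproducing against a proxy. The following Python sketch is an added example, not part of the bug report or of swift's own code; the field layout (key, optional groups, trailing storage URL), the `AUTH_` prefix and the function names are assumptions taken from the config lines shown above.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample, copied from the tempauth section quoted in this report.
SAMPLE_CONF = """\
[filter:tempauth]
use = egg:swift#tempauth
user_system_root = bar .admin http://10.90.251.91:80/v1/AUTH_system
user_vimeo_vimeo = foo .admin http://10.90.251.91:80/v1/AUTH_vimeo
"""


def parse_tempauth_users(conf_text, section="filter:tempauth"):
    """Return one dict per user_<account>_<user> entry in the section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    users = []
    for option, value in cp.items(section):
        fields = value.split()
        if not option.startswith("user_") or not fields:
            continue
        # Assumption: the account name itself contains no underscore.
        account, _, user = option[len("user_"):].partition("_")
        key, rest = fields[0], fields[1:]
        # Assumption: a trailing field containing "://" is the storage URL.
        url = rest.pop() if rest and "://" in rest[-1] else None
        users.append({"account": account, "user": user, "key": key,
                      "groups": rest, "storage_url": url})
    return users


def audit(users, reseller_prefix="AUTH_"):
    """Return (account:user, finding) pairs to review when debugging a 403."""
    findings = []
    for u in users:
        who = f"{u['account']}:{u['user']}"
        # The condition named in this report's title.
        if u["user"] == u["account"]:
            findings.append((who, "user name equals account name"))
        # A hardcoded storage URL must point at this entry's own account.
        if u["storage_url"]:
            tail = urlparse(u["storage_url"]).path.rstrip("/").split("/")[-1]
            if tail != reseller_prefix + u["account"]:
                findings.append((who, f"storage URL account is {tail}"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(parse_tempauth_users(SAMPLE_CONF)):
        print(who, "->", finding)
```

Run against the reported config, this flags only `vimeo:vimeo`; both hardcoded storage URLs match their accounts.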