GET of a public-readable container's object with another user's credentials is raising a 403 (Forbidden) exception

Bug #1091669 reported by Harika Vakadi
Affects: OpenStack Object Storage (swift)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Description: Make a container public-readable and access the object anonymously, e.g. using another user's credentials: this raises a 403 (Forbidden) exception while trying to GET the object after making the container public-readable.

Steps followed:

1. Create a container.
2. Update the container metadata, providing: contHeaders = {'X-Container-Read': '.r:*,.rlistings'}
3. Create an object in the above container.
4. Try to GET the object with another user's auth token, as the container is public-readable; the following is the code used for the GET:
        headers = {'X-Auth-Token': self.otherUserToken}
        resp, body = self.custom_object_client.get_object(self.container_name, object_name, metadata=headers)

Result:

Response:

{'date': 'Tue, 18 Dec 2012 16:18:35 GMT', 'status': '403', 'content-length': '73', 'content-type': 'text/html; charset=UTF-8', 'x-trans-id': 'tx73ef5e1cbb3344e6b56d8722156c1644'}

Content:

<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>

The same procedure using the swift command:

Default credentials:

root@Grizzly-machine2:/opt/stack/devstack# env | grep OS
OS_PASSWORD=root
OS_AUTH_URL=http://127.0.0.1:5000/v2.0
OS_USERNAME=demo
OS_TENANT_NAME=demo
OS_NO_CACHE=1

1. Create a container with admin creds:
 swift post -r '.r:*' ACLContainer
2. Verify the metadata:
 swift stat ACLContainer1 -v
 Account: AUTH_4109e789e0314fff84426c47ac36c34a
Container: ACLContainer
  Objects: 0
    Bytes: 0
 Read ACL: .r:*
Write ACL:
  Sync To:
 Sync Key:
Accept-Ranges: bytes
X-Timestamp: 1355856841.98756
X-Trans-Id: tx76234dbbca7e41b5bba2539498deb4a9
Content-Type: text/plain; charset=utf-8

3. Create an object in the above container with the same creds:
swift upload ACLContainer /home/raj/.profile

4. Try to GET the object with another user's auth token:

curl -i http://10.233.52.230:8080/v1/AUTH_e6cfc64351a945fb98d874e9395d0a32?format=json -X GET -H "X-Auth-Token: MIIMCQYJKoZIhvcNAQcCoIIL+jCCC-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-zCB-AIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIEwVVbnNldDEOMAwGA1UEBxMFVW5zZXQxDjAMBgNVBAoTBVVuc2V0MRgwFgYDVQQDEw93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEgYCg-dWgO7e-IW7v0tK+eAqw24lFTxv2GyCYpyTOixcZeORADFPSMIvNkC7X8fqnvtgPJ03YFcrXfFSqpHWQpmpkJ0+k63Yw3BMc+CJaiusg0qJp8vecGlIDskqHZkIX1kf0Progov7tiDJ5PbIyTCqidYamBNWj2xX25JfHBweagw=="
HTTP/1.1 403 Forbidden
Via: 1.1 HYSPROXY1
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Content-Length: 73
Date: Tue, 18 Dec 2012 18:17:22 GMT
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txa30fe2e3adfb4db8b1b88c3bb95597e6

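Both procedures above set a referrer-style read ACL ('.r:*', with '.rlistings' in the tempest variant) on a container and then issue a GET with a second user's token. As an added example, not code from the bug report and not Swift's own implementation, here is a small model of how Swift evaluates such a container read ACL, following its documented referrer-ACL semantics; the function names are this example's own. It shows which requests the ACL covers: object GET/HEAD from any referrer (including requests with no Referer header and requests carrying another user's token), container listings only when '.rlistings' is present, and account-level GETs never, because a container's ACL is not consulted for paths above the container.

```python
# Added example (not Swift's own code and not part of the bug report):
# a minimal model of Swift container read-ACL evaluation, following the
# documented semantics of referrer ACLs. Function names are this
# example's own.
from typing import List, Optional, Sequence, Tuple
from urllib.parse import urlparse

# Prefixes that mark a referrer rule inside X-Container-Read.
REFERRER_PREFIXES = (".r:", ".ref:", ".referer:", ".referrer:")


def parse_read_acl(acl: str) -> Tuple[List[str], List[str], bool]:
    """Split an X-Container-Read value into (referrers, groups, rlistings).

    '.r:host' style entries are referrer rules, '.rlistings' permits
    container listings, and anything else is an account:user or group name.
    """
    referrers: List[str] = []
    groups: List[str] = []
    rlistings = False
    for item in acl.split(","):
        item = item.strip()
        if not item:
            continue
        if item == ".rlistings":
            rlistings = True
        elif item.startswith(REFERRER_PREFIXES):
            referrers.append(item.split(":", 1)[1].strip())
        else:
            groups.append(item)
    return referrers, groups, rlistings


def referrer_allowed(referrer: Optional[str], referrer_acl: Sequence[str]) -> bool:
    """Apply referrer rules in order: '*' matches all, '-host' revokes.

    A request with no Referer header is treated as host 'unknown', which
    only a '*' rule can match (so '.r:*' covers plain API clients too).
    """
    allow = False
    rhost = urlparse(referrer or "").hostname or "unknown"
    for mhost in referrer_acl:
        if mhost.startswith("-"):
            mhost = mhost[1:]
            if mhost == rhost or (mhost.startswith(".") and rhost.endswith(mhost)):
                allow = False
        elif mhost == "*" or mhost == rhost or (
            mhost.startswith(".") and rhost.endswith(mhost)
        ):
            allow = True
    return allow


def read_allowed(
    acl: str,
    container: Optional[str],
    obj: Optional[str],
    referrer: Optional[str] = None,
    user_groups: Sequence[str] = (),
) -> bool:
    """Decide whether a GET/HEAD is authorized by the container read ACL.

    container/obj describe the path below the account: (None, None) is an
    account listing, (c, None) a container listing, (c, o) an object GET.
    user_groups are the groups of the authenticated caller, if any.
    """
    if container is None:
        # Account-level requests are never covered by a container ACL.
        return False
    referrers, groups, rlistings = parse_read_acl(acl)
    if referrer_allowed(referrer, referrers):
        # Referrer rules grant objects unconditionally; listings only
        # when '.rlistings' is present.
        return obj is not None or rlistings
    # Otherwise the caller must hold one of the groups named in the ACL.
    return any(g in groups for g in user_groups)


if __name__ == "__main__":
    # Constructed requests mirroring the report: ACL '.r:*,.rlistings',
    # a second user with its own token but no Referer header.
    acl = ".r:*,.rlistings"
    for label, c, o in (("account GET", None, None),
                        ("container listing", "ACLContainer", None),
                        ("object GET", "ACLContainer", ".profile")):
        print(f"{label:18s} allowed={read_allowed(acl, c, o)}")
```

When reproducing the report, compare the object URL (/v1/AUTH_<account>/ACLContainer/<object>) with the account URL (/v1/AUTH_<account>): only requests at or below the container are governed by its read ACL, so an account-level GET returns 403 for a foreign token regardless of any container ACL. Also note that '.r:*' makes every object in the container readable by anyone who can reach the proxy, so it belongs only on containers that are meant to be public.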
Tags: tempest
Martin Packman (gz) wrote :

Thanks for the report! Please see the existing bug for more details.

tags: added: tempest