Swift not allow ACLs between different users in different tenants using KeyStone

Bug #999615 reported by zhangjialong
This bug affects 4 people

Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Chmouel Boudjnah

Bug Description

I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.
I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication system on CentOS 6.2.
My swift proxy-server.conf and keystone.conf are here:

     http://pastebin.com/dUnHjKSj

Then I used the script named opensatck_essex_data.sh (http://pastebin.com/LWGVZrK0) to initialize keystone.

After these operations, I got the tokens of demo:demo and newuser:newuser:

     curl -s -H 'Content-type: application/json' \
     -d '{"auth": {"tenantName": "demo", "passwordCredentials":{"username": "demo", "password": "admin"}}}' \
     http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

     curl -s -H 'Content-type: application/json' \
     -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
     http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

Then, enable read access for newuser:newuser:

     curl -X PUT -i \
     -H "X-Auth-Token: <token of demo:demo>" \
     -H "X-Container-Read: newuser:newuser" \
     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

Check the permission of the container:

     curl -k -v -H 'X-Auth-Token:<token of demo:demo>' \
     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

This is the reply to the operation:

     HTTP/1.1 200 OK
     X-Container-Object-Count: 1
     X-Container-Read: newuser:newuser
     X-Container-Bytes-Used: 2735
     Accept-Ranges: bytes
     Content-Length: 24
     Content-Type: text/plain; charset=utf-8
     Date: Fri, 11 May 2012 07:30:23 GMT

     opensatck_essex_data.sh

Now, the user newuser:newuser visits the container of demo:demo:

     curl -k -v -H 'X-Auth-Token:<token of newuser:newuser>' \
     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

However, I got a 403 error.

In my opinion, Swift ACLs should support sharing between different users in different tenants.

Tags: acls swift
zhangjialong (zhangjl)
affects: openstack-manuals → keystone
Joseph Heck (heckj) wrote :

Chmouel,

Would you take a look at the above request? I don't know enough about the S3/swift internals to know if this is a bug, a feature request, or something that's antithetical to the design of ACLs in swift.

Changed in keystone:
status: New → Triaged
assignee: nobody → Chmouel Boudjnah (chmouel)
Changed in keystone:
status: Triaged → Confirmed
Joseph Heck (heckj)
Changed in keystone:
importance: Undecided → Medium
Joseph Heck (heckj)
tags: removed: keystone
Chmouel Boudjnah (chmouel) wrote :
Changed in keystone:
status: Confirmed → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-2 → 2013.1