<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 5, 2020, at 6:18 PM, Jason Anderson <<a href="mailto:jasonanderson@uchicago.edu" class="">jasonanderson@uchicago.edu</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class="">As an update, I think one of my problems was the dangling space after “_member_” in my ACL list, which was quite painful to discover. I think it was breaking the matching of my user, which had the role _member_ assigned.<br class="">
</div>
</div>
</blockquote>
<div><br class="">
</div>
<div>Sorry, I meant in my Ceph configuration, which had this line in the rgw section:</div>
<div><br class="">
</div>
</div>
<blockquote style="margin: 0 0 0 40px; border: none; padding: 0px;" class="">
<div>
<div><span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);" class="">rgw keystone accepted roles =  _member_ , Member, admin</span></div>
</div>
</blockquote>
<div><br class="">
<blockquote type="cite" class="">
<div class="">
<div class="">And, it does look like read ACLs must be of the form “.r:*”, despite the Ceph docs. With this in place, public read ACL works. I still can’t get write ACLs to work though, and from looking at the code[1] I’m not sure how it’s supposed to work.<br class="">
<br class="">
/Jason<br class="">
<br class="">
[1]: <a href="https://github.com/ceph/ceph/blob/f52fb99f011d9b124ed91f3d001d3551e9a10c8d/src/rgw/rgw_acl_swift.cc" class="">
https://github.com/ceph/ceph/blob/f52fb99f011d9b124ed91f3d001d3551e9a10c8d/src/rgw/rgw_acl_swift.cc</a><br class="">
<br class="">
<blockquote type="cite" class="">On Aug 4, 2020, at 10:49 PM, Jason Anderson <<a href="mailto:jasonanderson@uchicago.edu" class="">jasonanderson@uchicago.edu</a>> wrote:<br class="">
<br class="">
Hi all,<br class="">
<br class="">
Just scratching my head at this for a while and thought I’d ask here in case it saves some time. I’m running a Ceph cluster on the Nautilus release and it’s running Swift via the rgw. I have Keystone authentication turned on. Everything works fine in the normal case of creating containers, uploading files, listing containers, etc.<br class="">
<br class="">
However, I notice that ACLs don’t seem to work. I am not overriding "rgw enforce swift acls", so it is set to the default of true. I can’t seem to share a container or make it public.<br class="">
<br class="">
(Side note, confusingly, the Ceph implementation has a different syntax for public read/write containers, '*' as opposed to '*:*' for public write for example.)<br class="">
<br class="">
Here’s what I’m doing<br class="">
<br class="">
(as admin)<br class="">
swift post --write-acl '*' --read-acl '*' public-container<br class="">
swift stat public-container<br class="">
                    Account: v1<br class="">
                  Container: public-container<br class="">
                    Objects: 1<br class="">
                      Bytes: 5801<br class="">
                   Read ACL: *<br class="">
                  Write ACL: *<br class="">
                    Sync To:<br class="">
                   Sync Key:<br class="">
                X-Timestamp: 1595883106.23179<br class="">
X-Container-Bytes-Used-Actual: 8192<br class="">
           X-Storage-Policy: default-placement<br class="">
            X-Storage-Class: STANDARD<br class="">
              Last-Modified: Wed, 05 Aug 2020 03:42:11 GMT<br class="">
                 X-Trans-Id: tx000000000000000662156-005f2a2bea-23478-default<br class="">
     X-Openstack-Request-Id: tx000000000000000662156-005f2a2bea-23478-default<br class="">
              Accept-Ranges: bytes<br class="">
               Content-Type: text/plain; charset=utf-8<br class="">
<br class="">
(as non-admin)<br class="">
swift upload public-container test.txt<br class="">
Warning: failed to create container 'public-container': 409 Conflict: BucketAlreadyExists<br class="">
Object HEAD failed: <a href="https://ceph.example.org:7480/swift/v1/public-container/README.md" class="">
https://ceph.example.org:7480/swift/v1/public-container/README.md</a> 403 Forbidden<br class="">
<br class="">
swift list public-container<br class="">
Container GET failed: <a href="https://ceph.example.org:7480/swift/v1/public-container?format=json" class="">
https://ceph.example.org:7480/swift/v1/public-container?format=json</a> 403 Forbidden  [first 60 chars of response] b'{"Code":"AccessDenied","BucketName":"public-container","RequestId":"tx0'<br class="">
Failed Transaction ID: tx000000000000000662162-005f2a2c2a-23478-default<br class="">
<br class="">
What am I missing? Thanks in advance!<br class="">
<br class="">
/Jason<br class="">
</blockquote>
<br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</body>
</html>