[Openstack-operators] [swift] private read ACL set on container_segments results in 401

Vinsh, Adam adam.vinsh at twcable.com
Wed Dec 16 00:59:19 UTC 2015

Turns out, this is not expected.
Thanks for filing this for us Matthew.

From: CTG User <adam.vinsh at twcable.com<mailto:adam.vinsh at twcable.com>>
Date: Tuesday, December 15, 2015 at 6:07 PM
To: "openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>" <openstack-operators at lists.openstack.org<mailto:openstack-operators at lists.openstack.org>>
Subject: [Openstack-operators] [swift] private read ACL set on container_segments results in 401


I am looking for advice on an interesting case a customer of our swift cluster has come with.

They have uploaded a large object (~5G) to a swift container "containerA".  Swift broke this object into segments, creating a container for those segments "containerA_segments".
If both containers are set to public, this object can be downloaded.

They want this container to be private and only serve up content to a specific refer domain.
So, they set the following ACL on "containerA"   ".r:<secret-key>.example.com,.rlistings
Where the secret-key is one their proxy re-directs requests to.

Now, they can not get the object in containerA.
Setting "containerA_segments" to the same ACL as containerA also does not work.

We have found that the only way to access this object is to set the ACL on "containerA_segments" to public.
This isn't desirable because it means the segments container is now public even though containerA is private.

Is this expected?



This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20151216/d9873f5e/attachment.html>

More information about the OpenStack-operators mailing list