[Openstack-security] [openstack/swift] SecurityImpact review request change If1983b0450a85f79f5bcd5ca6acd859d68de73e4
gerrit2 at review.openstack.org
Thu Sep 18 22:03:57 UTC 2014
Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/122541
Log:
commit fc5cee5f05692f7e6dd5ad5a6d0ae682dd4bf3e0
Author: Christian Schwede <christian.schwede at enovance.com>
Date: Mon Sep 15 17:22:54 2014 +0000
Allow filtering by region in swift-recon
The option "-r" is already used, thus only "--region" is used to specify
filter by region.
Change-Id: If769f2f3191c202933b03b48fe0f22b7c94a4dd6
Closes-Bug: 1369583
commit 423ac74e888dcd693129100e0b37a51428bb62e1
Author: Christian Schwede <christian.schwede at enovance.com>
Date: Sun Sep 14 23:41:19 2014 +0200
Fix internal link to keystoneauth in documentation
This patch fixes a broken link at the end of the table in
http://docs.openstack.org/developer/swift/logs.html#swift-source
Change-Id: I989173ac93e0f840997333be0d5cec07eb77b304
commit 64548420c87f3163ed543c9e9a02a4f1abec69e0
Author: Andreas Jaeger <aj at suse.de>
Date: Sat Sep 13 09:48:14 2014 +0200
Stop using intersphinx
Remove intersphinx from the docs build as it triggers network calls that
occasionally fail, and we don't really use intersphinx (links other
sphinx documents out on the internet)
This also removes the requirement for internet access during docs build.
This can cause docs jobs to fail if the project errors out on
warnings.
Change-Id: I71e941e2a639641a662a163c682eb86d51de42fb
Related-Bug: #1368910
commit 5c9835125802c51e2eb2823f5208d53c358a5e84
Author: Christian Schwede <christian.schwede at enovance.com>
Date: Fri Sep 12 14:37:04 2014 +0000
Fix RingBuilder._build_max_replicas_by_tier docstring
The current docstring doesn't include zones, and the order of the
entries is not up to date with the current code. Let's fix this.
Change-Id: Ibabd79427b83d9e8c86b2caeb93dee219c8274c0
commit a03732e142540e5a7d6cb11de5232f0642beb20d
Author: Alistair Coles <alistair.coles at hp.com>
Date: Fri Sep 12 10:20:19 2014 +0100
Add comments to clarify change to www-authenticate test
Trivial patch to tidy-up change to the functional test for
www-authenticate header and add a comment to explain
that multiple header values might be returned.
Change-Id: If62cb3fd9e11450a2be0cec71e80ecb74a959d04
Related-bug: 1368048
commit ab96796dc8d1da9037330da0822c8b8d2264d192
Author: Alistair Coles <alistair.coles at hp.com>
Date: Thu Sep 11 10:23:32 2014 +0100
Fix broken www-authenticate functional test
testQuotedWWWAuthenticateHeader functional test started failing
due to a change to keystonemiddleware.auth_token, which now adds
its own www-authenticate header in addition to the one that swift
keystoneauth adds.
This patch changes the functional test to check expected
swift generated header value is in the concatenation of
www-authenticate values.
Verified that functional tests still pass using tempauth.
Closes-Bug: 1368048
Change-Id: I913af077df800a559d259c1622f286ad10eae9df
commit f4d3facdf4b6ec8ee0dcacc7be8999731c68a8ec
Author: Matthew Oliver <matt at oliver.net.au>
Date: Thu Aug 14 14:39:18 2014 +1000
Treat 404s as 204 on object delete in proxy
This change adds an optional overrides map to _make_request method
in the base Controller class.
    def make_requests(self, req, ring, part, method, path, headers,
                      query_string='', overrides=None)
Which will be passed on to the best_response method. If set and
no quorum is reached, the override map is used to attempt to find
quorum.
The overrides map is in the form:
    { <response>: <override response>, .. }
The ObjectController, in the DELETE method now passes an override map
to make_requests method in the base Controller class in the form of:
    { 404: 204 }
Statuses/responses that have been overridden are used in calculation
of the quorum but never returned to the user. They are replaced by:
    (STATUS, '', '', '')
And left out of the search for best response.
Change-Id: Ibf969eac3a09d67668d5275e808ed626152dd7eb
Closes-Bug: 1318375
commit eff9ab74a4b88102e8938c52cb01b311f932949e
Author: David Goetz <dpgoetz at gmail.com>
Date: Fri Aug 15 15:54:05 2014 -0700
Delete expired objects in slightly smarter way.
When the expirer tries to delete customer objects, if it just walks through the
containers in order the daemon will tend to send DELETEs to the same container
highly concurrently. This will in turn create a lot of asyncs because of all
the concurrent deletes. If the deletes were spread out to multiple containers
it would improve performance and decrease the number of asyncs made.
Change-Id: I3d08118c197b7f18dd7e880bd5664508934ffd24
commit efdc27caaca96a42c5466131a2c672f92cfac63a
Author: Matt Riedemann <mriedem at us.ibm.com>
Date: Mon Sep 8 21:00:49 2014 -0700
Fix directory value for compile_catalog
Commit 7a192987c0a5edb9e239ffb4aba3b1dac083b41e sets
up swift for translation but the compile_catalog
directory option is pointing at the wrong location
to scan for po files.
Change-Id: Id4dd24ddfde735ef8ef064882bea045361b5db90
Closes-Bug: #1367086
commit d2a94bd43c383add237966c9f885be6b890a8141
Author: Richard (Rick) Hawkins <richard.hawkins at rackspace.com>
Date: Mon Sep 8 13:51:07 2014 -0500
Fix FormPOST max_file_size exceeded bug.
When using FormPOST, if the size of the file being posted exceeds
max_file_size, a HTTP 499 was being returned rather than HTTP 400.
Change-Id: I48c781735c66eccde3deb6f9c3c184aee964a4a5
commit fa23202b30c5a1ca89802749ccefd1363fac1d72
Author: Timothy Okwii <tokwii at cisco.com>
Date: Mon Sep 8 17:43:19 2014 -0700
Fixed Typo - dictonary to dictionary
Change-Id: Ia2a07bf1d1a77f6d6af0c8d9f53c2d47c2ba6d75
commit cb55e89bf1892c62a981df6b205d41ebfdee65ef
Author: Clay Gerrard <clay.gerrard at gmail.com>
Date: Mon Sep 8 12:25:54 2014 -0700
test tempurl header sanitization priority
Change-Id: I0bb3004a717da2f65196bc56b0f7baef49e649e8
commit 88d1d53d98c5e24896710dfeb829de01a85b2d2f
Author: YummyBian <yummy.bian at gmail.com>
Date: Mon Sep 8 22:43:53 2014 +0800
Too many if clauses in the _clean_incoming_headers and the
_clean_outgoing_headers routines of the tempurl module
Too many if clauses make code complicated. To be more pythonic, you'd
better use the for ... else clause instead of them.
Fix Bug #1363125
Change-Id: I837235ecb08dd912e56cdfb363c4b4a6cc053e7d
commit b7281cf2c584cde8f516ba206d90024af03236dd
Author: John Dickinson <me at not.mn>
Date: Mon Sep 1 11:22:53 2014 -0700
make the bind_port config setting required
In a long-term effort to change the recommended ports for Swift,
the first step is to require the bind_port in config files. Later,
we can change the recommended setting.
Anyone currently explicitly setting the ports will not be affected.
Anyone not setting the ports will need to specify them to match their
rings.
DocImpact
Change-Id: Icca83a263acdd0afc9016424a3e9f8c15e944789
commit 4dc718e8c3bd2a8bbe1f2d7a98ad03421a70217f
Author: Alistair Coles <alistair.coles at hp.com>
Date: Mon Sep 8 14:06:00 2014 +0100
Extra unit tests for check_delete_headers
A few extra tests to verify check_delete_headers in
constraints.py. A little duplication of coverage of existing
proxy/controllers/test_obj.py:TestObjController.test_POST_delete_at
but these tests call the recently refactored function directly,
and also add tests for X-Delete-After taking precedence over
X-Delete-At.
Change-Id: I129cef15a6feac8a60fd4efbb3535d93f0eaab36
commit 12268677589907e8d10aec6d5aa09c2f72c0ab77
Author: Prashanth Pai <ppai at redhat.com>
Date: Mon Sep 8 15:35:48 2014 +0530
Mention storage backends in Associated Projects
Change-Id: I6d88cfe668a557c41e6e6958cd73412ca50c6ba8
Signed-off-by: Prashanth Pai <ppai at redhat.com>
commit 9dcf15f8b50188c592acc4c34e333c738173d516
Author: Thiago da Silva <thiago at redhat.com>
Date: Thu Aug 21 10:33:30 2014 -0400
moving object validation checks to top of PUT method
This adds a sanity check on x-delete headers as
part of check_object_creation method
Change-Id: If5069469e433189235b1178ea203b5c8a926f553
Signed-off-by: Thiago da Silva <thiago at redhat.com>
commit 0221f1f8478fda595e0f1d266f5d04c06cb4e76f
Author: Samuel Merritt <sam at swiftstack.com>
Date: Fri Sep 5 14:08:03 2014 -0700
Pay attention to all punctual nodes
The proxy sends requests to all storage nodes, but it only needs a
quorum of them to respond before the proxy can, in turn, respond to
the client. Thus, it gets quorum, and then briefly waits to see if the
remainder of the storage nodes respond before giving up on them.
However, the proxy was not paying any attention to the responses from
the non-quorum storage nodes. This would lead to some odd behavior,
like a container PUT where the backends returned (201, 201, 202) would
become a 201 to the client, but the permutation (201, 202, 201) would
become 202. Further, on object PUT, if the last node responded with an
error code, that error wouldn't count towards error-limiting.
The fix is quite simple: after getting quorum, the make_requests()
method was calling a method that returns responses from the remainder
of the nodes, but it was ignoring that return value and making up
responses with dummy values instead. Now, prior to making up dummy
responses, the proxy first uses the responses it already has, and only
fills in dummy responses for nodes that really didn't respond in time.
Change-Id: I0206b6b2272b0e7dcc80fb6c51840d8dae25cee2
commit 315af1737be9a017a06634ae5f5ab89352e89cb5
Author: Samuel Merritt <sam at swiftstack.com>
Date: Fri Sep 5 11:39:36 2014 -0700
Error limit the right node on object PUT
If any node had an error on object PUT, the proxy would count the
error against the last-connected-to node instead of the one with the
error. Now it counts the error against the right node.
Change-Id: I884eb73cebe0c723473a6d5e390a148fcad0d3ed
commit 72385a6981b38c870dc3c46346fe7eff86f1bba3
Author: Lin Yang <lin.a.yang at intel.com>
Date: Fri Sep 5 15:51:07 2014 +0800
Change method _sort_key_for to static
This method does not reference any attribute of this class, so it's better
to change it to classstatic.
Change-Id: I3ea0ca83cb29ceae9afb20da0c9817a9b044c084
Signed-off-by: Lin Yang <lin.a.yang at intel.com>
commit 2a8b43e5e73c899cc476428c82c1831fdc546b29
Author: saranjan <saranjan at cisco.com>
Date: Wed Sep 3 10:40:30 2014 -0700
Spelling mistakes corrected in comments.
Change-Id: Ibbd7511c3a2b08519feb4db18eca6e000603ea32
commit 1a561e67794f6813636377026d8de26f0fb7ad53
Author: Dolph Mathews <dolph.mathews at gmail.com>
Date: Wed Sep 3 12:03:40 2014 -0500
warn against sorting requirements
Change-Id: I64ae9191863564e278a35d42ec9cd743a233028e
Closes-Bug: 1365061
commit 84a1e17f2039e6e5ef732c8931fe47f44f770738
Author: Yuan Zhou <yuan.zhou at intel.com>
Date: Thu Apr 17 15:39:50 2014 +0800
Fix delete versioning objects when previous is expired
When deleting versioned objects proxy will try to restore the previous
copy. The COPY request will fail if the previous version is expired but
not handled by object-expirer.
This patch checks COPY responses on the previous copy, if it's
HTTP_NOT_FOUND (mostly because it's expired) proxy will try to restore
with the version before previous.
Closes-Bug #1308446
Change-Id: I17f049ea3ef62723effae8086ec427f6e151cd9c
commit b9ae377eab9c7ceba4f5909cd1f4e804bf3a5b8f
Author: Alistair Coles <alistair.coles at hp.com>
Date: Tue Sep 2 15:46:16 2014 +0100
Check for change before container replicator updates db
As described in the related bug report, unnecessary updates
to the container db during replication can impact
object GET performance in certain circumstances.
This patch changes swift/container/replicator.py so that
calls to merge_timestamps and update_reconciler_sync
are conditional on values having actually changed.
Related-Bug: 1332025
Change-Id: If498251656500ed7a3d7ca4b109ea1079b8513c2
commit 8e9b16a9eaef90add74b71e846371ef61396e19a
Author: Andrew Hale <andy at wwwdata.eu>
Date: Mon Sep 1 18:53:30 2014 +0100
Only bind SAIO daemons to localhost
The SAIO configs have no default bind_ip setting configured
which causes them to listen on all available IP addresses.
This can be dangerous on a test machine with public interfaces,
especially with the default passwords set. It's reasonable to
choose a more restrictive setup, especially in SAIO which uses
127.0.0.1 throughout ring-builder, example commands and the
probe tests.
Change-Id: I471c49705ce09e07ec7acc07ee42a1e220529b82
commit 33980c792d40803e8d4c68bd92d9fd869fb861fa
Author: Samuel Merritt <sam at swiftstack.com>
Date: Fri Aug 29 15:48:38 2014 -0700
Fix last_modified_date_to_timestamp on non-UTC systems
Before, we were calling datetime.datetime.strftime('%s.%f') to convert
a datetime to epoch seconds + microseconds. However, the '%s' format
isn't actually part of Python's library. Rather, Python passes that on
to the system C library, which is typically glibc. Now, glibc takes
the '%s' format and helpfully* applies the current timezone as an
offset. This gives bogus results on machines where UTC is not the
system timezone. (Yes, some people really do that.)
For example:
    >>> import os
    >>> from swift.common import utils
    >>> os.environ['TZ'] = 'PST8PDT,M3.2.0,M11.1.0'
    >>> float(utils.last_modified_date_to_timestamp('1970-01-01T00:00:00.000000'))
    28800.0
    >>>
That timestamp should obviously be 0.
This patch replaces the strftime() call with datetime arithmetic,
which is entirely in Python so the system timezone doesn't mess it up.
* unhelpfully
Change-Id: I56855acd79a5d8f2c98a771fa9fd2729e4f490b1
commit 849b21a4429e945e5499957b1b884eee9600281f
Author: David Goetz <dpgoetz at gmail.com>
Date: Thu Aug 28 14:31:29 2014 -0700
Combine acc/cont put_* methods and fix their lock problem.
The container backend is supposed to build a pending file and,
when it gets to a certain size, flush it all at once into the
sqlite db. Before this fix, many concurrent threads would ask
what the pending file size is to see if they should flush
instead of just appending to the pending file. The problem is
that many would ask, find it's too big, and try to get a lock.
The first one wins, flushes, but all the other waiting threads
still think they have to flush- which is a much slower operation
than just the append. This change gets the lock first and makes
sure that merge_items is only called when the pending file is full.
Change-Id: I29cfa13a48c8f7d16dd414b2288d50461adbafd2
commit 3a7f80aa472794951461cf95fac4ec029167c17d
Author: Kota Tsuyuzaki <tsuyuzaki.kota at lab.ntt.co.jp>
Date: Thu Aug 28 19:20:02 2014 -0700
Small Fix for FakeServerConnection
Current FakeServerConnection might cause 499 error
in some unit tests because sent (put) data will be
overridden by new one every time.
e.g. When calling conn.queue.put() twice and more in
an object PUT sequence, we can use only a last chunk as
the body. This fixes it to merge all chunks as a body.
Change-Id: I463e9e2b454e3f3eb26950b3af4c8b8167a9a971
commit 5616d98cc32a5c11014d5e31571fac87d795d113
Author: zhang-hare <zhuadl at cn.ibm.com>
Date: Wed Aug 27 11:42:06 2014 +0800
fix my name in AUTHORS
My author name is my gmail account name, change it to my real name.
Change-Id: Iafd94f694f7d007c54de086941309b119683f6cb
commit 21adf82cf11fa80479676225a8a61c0029387cb5
Author: Clay Gerrard <clay.gerrard at gmail.com>
Date: Fri Aug 8 02:14:27 2014 -0700
code shuffle post expired headers refactor
Change-Id: I62248d7d3d7e0a3696a30e3d567ac6c2bea3c8eb
commit 43ac76373a353fe74a520108a198b0b563c4f3a2
Author: Constantine Peresypkin <constantine.peresypk at rackspace.com>
Date: Wed Apr 30 15:00:49 2014 +0300
account to account copy implementation
Adds ability to copy objects between different accounts (on server side)
Adds new header to `PUT` request:
`X-Copy-From-Account: <account name>`
Account name corresponds to the last part of storage URL.
Adds new header to `COPY` request:
`Destination-Account: <account name>`
Account name corresponds to the last part of storage URL.
If your storage URL is: http://server:8080/v1/AUTH_test
Then the account name is `AUTH_test`
These headers should be used alongside `X-Copy-From` and `Destination` headers
The legacy headers should specify `<container name>/<object name>` path as usual.
DocImpact
Change-Id: I0285fe6a47df9e699ac20ae4a83b0bf23829e1e6
commit a4f634bd898603225d2218eec220b61a8fd9865c
Author: anc <alistair.coles at hp.com>
Date: Fri Mar 28 02:46:08 2014 +0000
Restrict keystone cross-tenant ACLs to IDs
The keystoneauth middleware supports cross-tenant access
control using the syntax <tenant>:<user> in container ACLs,
where <tenant> and <user> may currently be either a unique
id or a name. As a result of the keystone v3 API introducing
domains, names are no longer globally unique and are only
unique within a domain. The use of unqualified tenant and
user names in this ACL syntax is therefore not 'safe' in a
keystone v3 environment.
This patch modifies keystoneauth to restrict cross-tenant
ACL matching to use only ids for accounts that are not in
the default domain. For backwards compatibility,
names will still be matched in ACLs when both the requesting
user and tenant are known to be in the default domain AND the
account's tenant is also in the default domain (the default
domain being the domain to which existing tenants are
migrated).
Accounts existing prior to this patch are assumed to be for
tenants in the default domain. New accounts created using a
v2 token scoped on the tenant are also assumed to be in the
default domain. New accounts created using a v3 token scoped
on the tenant will learn their domain membership from the
token info. New accounts created using any unscoped token,
(i.e. with a reselleradmin role) will have unknown domain
membership and therefore be assumed to NOT be in the default
domain.
Despite this provision for backwards compatibility, names
must no longer be used when setting new ACLs in any account,
including new accounts in the default domain.
This change obviously impacts users accustomed to specifying
cross-tenant ACLs in terms of names, and further work will be
necessary to restore those use cases. Some ideas are
discussed under the bug report. With that caveat, this patch
removes the reported vulnerability when using
swift/keystoneauth with a keystone v3 API.
Note: to observe the new 'restricted' behaviour you will need
to set up keystone user(s) and tenant(s) in a non-default domain
and set auth_version = v3.0 in the auth_token middleware config
section of proxy-server.conf. You may also benefit from the
keystone v3 enabled swiftclient patch under review here:
https://review.openstack.org/#/c/91788/
DocImpact
blueprint keystone-v3-support
Closes-Bug: #1299146
Change-Id: Ib32df093f7450f704127da77ff06b595f57615cb
commit 6978275cdb04bb08aaf142d401b52a46527dac4c
Author: Nathan Kinder <nkinder at redhat.com>
Date: Fri Jul 25 20:47:11 2014 -0700
Avoid usage of insecure mktemp() function
This patch eliminates the use of the deprecated and insecure
tempfile.mktemp() function. It has been replaced with secure
alternatives where temporary files are actually required.
Change-Id: I0a13d6d44cd1abc4b66fa33f39eea407617a01d5
SecurityImpact
Closes-bug: #1348869
commit 7a192987c0a5edb9e239ffb4aba3b1dac083b41e
Author: Andreas Jaeger <aj at suse.de>
Date: Sun Jun 1 11:51:29 2014 +0200
Setup localization properly
To start translation of swift, we need to initially import the
translation file - and place it at the proper place so that
the usual CI scripts can handle it.
The proper place is for all python projects
$PROJECT/locale/$PROJECT.pot, so move locale/$PROJECT.pot to the new
location and regenerate the file.
Update setup.cfg with the new paths.
Further imports will be done by the OpenStack Proposal bot.
Change-Id: Ide4da91f2af71db529f4a06d6b1e30ba79883506
Partial-Bug: #608725
Closes-Bug: #1082805
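
The matching rule described in the commit "Restrict keystone cross-tenant ACLs to IDs" above, sketched as an added example; this is not the keystoneauth code from the patch, and it does not handle wildcard entries. The `Identity` tuple, the `UNKNOWN_DOMAIN` marker, the use of `None` for a pre-existing account and the value `"default"` for the default domain id are all assumptions made for illustration.

```python
from collections import namedtuple

DEFAULT_DOMAIN_ID = "default"   # assumption: id of Keystone's default domain
UNKNOWN_DOMAIN = "<unknown>"    # hypothetical marker: account made with an unscoped token

# Hypothetical view of the identity carried by a validated token.
Identity = namedtuple(
    "Identity",
    "tenant_id tenant_name tenant_domain_id user_id user_name user_domain_id")


def account_in_default_domain(account_domain_id):
    """None models an account that predates the patch (assumed default).
    UNKNOWN_DOMAIN never equals the default id, so it counts as non-default."""
    return account_domain_id is None or account_domain_id == DEFAULT_DOMAIN_ID


def names_may_match(identity, account_domain_id):
    """Names are honoured only if user, tenant and account are all default-domain."""
    return (identity.user_domain_id == DEFAULT_DOMAIN_ID
            and identity.tenant_domain_id == DEFAULT_DOMAIN_ID
            and account_in_default_domain(account_domain_id))


def cross_tenant_acl_grants(acl_entries, identity, account_domain_id):
    """Return True if any '<tenant>:<user>' entry matches the identity."""
    tenants, users = {identity.tenant_id}, {identity.user_id}
    if names_may_match(identity, account_domain_id):
        # Backwards-compatible path: names are still unique in this case.
        tenants.add(identity.tenant_name)
        users.add(identity.user_name)
    for entry in acl_entries:
        tenant, sep, user = entry.partition(":")
        if sep and tenant in tenants and user in users:
            return True
    return False


# Constructed identities: two tenants share the name "acme" in different domains.
ALICE_DEFAULT = Identity("t-111", "acme", "default", "u-aaa", "alice", "default")
ALICE_OTHER = Identity("t-999", "acme", "d-other", "u-zzz", "alice", "d-other")
```

An ACL written as `acme:alice` on a default-domain account matches `ALICE_DEFAULT` but not `ALICE_OTHER`, while an id-based entry such as `t-999:u-zzz` matches regardless of domain.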
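
Why the commit "Avoid usage of insecure mktemp() function" above carries SecurityImpact, shown as an added example that is not code from the patch: `tempfile.mktemp()` only returns a name, so whatever exists at that path when it is later opened gets used, whereas `tempfile.mkstemp()` creates the file exclusively. The file names and the `demo()` helper are constructed for illustration, everything happens inside a private temporary directory, and a POSIX system is assumed.

```python
import os
import tempfile


def read(path):
    with open(path) as f:
        return f.read()


def write_via_predicted_name(path, data):
    """The removed pattern: a name picked earlier (as mktemp() does) is opened
    with a plain open(), which follows a symlink already present at the path."""
    with open(path, "w") as f:
        f.write(data)


def write_exclusively(path, data):
    """What mkstemp() relies on: O_CREAT | O_EXCL fails if anything, including
    a symlink, already exists at the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "unrelated-file")    # constructed
        predicted = os.path.join(workdir, "tmpPREDICTED")   # constructed
        write_exclusively(target, "original")
        # Model the race window: the predicted name is occupied before use.
        os.symlink(target, predicted)

        write_via_predicted_name(predicted, "clobbered")
        results["plain_open_followed_link"] = read(target) == "clobbered"

        write_via_predicted_name(target, "original")        # reset the target
        try:
            write_exclusively(predicted, "data")
            results["exclusive_open_refused"] = False
        except FileExistsError:
            results["exclusive_open_refused"] = True
        results["target_intact"] = read(target) == "original"

        # The secure replacement: name generation and creation are one step.
        fd, path = tempfile.mkstemp(dir=workdir)
        with os.fdopen(fd, "w") as f:
            f.write("data")
        results["mkstemp_mode"] = oct(os.stat(path).st_mode & 0o777)
    return results


if __name__ == "__main__":
    print(demo())
```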