<div dir="ltr">I may know the problem now. <div><br></div><div>You can have a look at @fbo's blog: <a href="http://blog.fsquat.net/?p=40" target="_blank">http://blog.fsquat.net/?p=40</a></div><div>I did a deep dive into the auth middleware today.</div>
<div><br></div><div>The authtoken middleware will reject the request if the token's tenant mapping does not match the one you requested.<br><br><font size="4"><b>[Debug log]</b></font><br><pre style="padding:6px 10px;font-family:Consolas,'Bitstream Vera Sans Mono',Courier,monospace;font-size:16px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;margin-top:15px;margin-bottom:15px;line-height:19px;word-break:break-all;word-wrap:break-word;white-space:pre-line;background-color:rgb(248,248,248);border:1px solid rgb(204,204,204);outline:0px;vertical-align:baseline;overflow:auto">
<code style="color:inherit;padding:0px;font-family:'Bitstream Vera Sans Mono',Courier,monospace;font-size:12px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;border:0px;margin:0px;outline:0px;vertical-align:baseline;background-image:none;white-space:pre-wrap">Nov 13 01:39:30 proxy-server </code><code style="padding:0px;font-family:'Bitstream Vera Sans Mono',Courier,monospace;font-size:12px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;border:0px;margin:0px;outline:0px;vertical-align:baseline;background-image:none;white-space:pre-wrap"><font color="#ff0000">tenant mismatch: SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919 != 5c5791c3dca54885a862bbd214587759</font></code><code style="color:inherit;padding:0px;font-family:'Bitstream Vera Sans Mono',Courier,monospace;font-size:12px;border-top-left-radius:3px;border-top-right-radius:3px;border-bottom-right-radius:3px;border-bottom-left-radius:3px;border:0px;margin:0px;outline:0px;vertical-align:baseline;background-image:none;white-space:pre-wrap"> (txn: txc94a550c9adb4305b21a8-00528348d2) (client_ip: 192.168.1.222)
Nov 13 01:39:30 proxy-server 192.168.1.222 127.0.0.1 13/Nov/2013/09/39/30 GET /v1/SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919/share-U1 HTTP/1.0 403 - curl/7.22.0%20%28x86_64-pc-linux-gnu%29%20libcurl/7.22.0%20OpenSSL/1.0.1%20zlib/1.2.3.4%20libidn/1.23%20librtmp/2.3 21371d0927a742e0b7ae79680548c49f - 73 - txc94a550c9adb4305b21a8-00528348d2 - 0.0125 - -</code></pre>
</div><div><br></div><div><b><font size="4">For your purpose, more effort is needed.</font></b> </div><div><br></div><div>1. Create any role you want, but the role should not be in the operator role list of the keystone_auth middleware. Let's have one named *share*:</div>
<div> keystone role-create --name share</div><div><br></div><div>2. Give the non-privileged role to user test2 in tenant test1, to pass the authtoken middleware: </div><div> keystone user-role-add --user test2 --tenant test1 --role share</div>
<div><br></div><div>3. [<b><font color="#ff0000">Trick</font></b>] Set the read ACL on account AUTH_test1's container foo for <font color="#ff0000">test1:test2 (Tenant:UserName)</font> : </div><div> curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test1:test2" <span> <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank"><span>http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo</span></a></span></div>
<div><br></div><div>4. Retrieve a token for tenant test1 as user test2, rather than using tenant test2's token:</div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><span style="font-family:arial,sans-serif;font-size:14px">curl -s -H 'Content-type: application/json' \</span></div>
<div><span style="font-family:arial,sans-serif;font-size:14px"> -d '{"auth": {"tenantName": "<b><font color="#ff0000">test1</font></b>", "passwordCredentials":</span></div>
<div><span style="font-family:arial,sans-serif;font-size:14px"> {"username": "test2", "password": "test2"}}}' \</span></div>
<div><span style="font-family:arial,sans-serif;font-size:14px"> <a href="http://192.168.3.100:5000/v2.0/tokens" target="_blank">http://192.168.3.100:5000/v2.0/tokens</a> | python -mjson.tool</span></div>
</blockquote><div><br></div><div><span style="font-family:arial,sans-serif;font-size:14px">5. Get the objects from test1/foo with this token. As I mentioned before, the default ACL does not allow listing the objects in a container. You need to set </span>.rlistings in the header. </div>
<div> </div><div> curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test1:test2,<font color="#ff0000">.rlistings</font>" <span> <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank"><span>http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo</span></a></span><br>
</div><div><br></div><div>Hope it helps.</div><div><br></div><div class="gmail_extra"><div><div dir="ltr"><div>+Hugo Kuo+</div><div><a href="tel:%28%2B886%29%20935004793" value="+886935004793" target="_blank">(+886) 935004793</a><br>
</div><div>SwiftStack Inc.<br></div></div>
</div>
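<div>Added example, not Swift's code and not from anyone in this thread: a small Python model of the check order the steps above rely on, first the account/tenant check that produces the tenant-mismatch debug line, then operator roles, then the tenant:user container read ACL. RESELLER_PREFIX and the tenant ids are taken from the debug log above; OPERATOR_ROLES is an assumed setting; referrer and .rlistings grants, container sync and reseller_admin are deliberately not modelled.</div>

```python
# Added example: a simplified model of the authorization order seen in this
# thread for a container GET through Swift's keystone-based auth. Assumptions:
# RESELLER_PREFIX and the tenant ids come from the debug log in the mail,
# OPERATOR_ROLES is constructed, referrer/.rlistings grants are left out.

RESELLER_PREFIX = "SWIFTSTACK_"              # prefix seen in the debug log
OPERATOR_ROLES = {"admin", "swiftoperator"}  # assumed operator_roles setting


def parse_acl(acl):
    """Split an X-Container-Read value into referrer-style entries
    (.r:..., .rlistings) and tenant:user / user / role name entries."""
    referrers, names = [], []
    for entry in (acl or "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith(".r:") or entry == ".rlistings":
            referrers.append(entry)
        else:
            names.append(entry)
    return referrers, names


def authorize_container_read(token, account, read_acl):
    """Return (allowed, reason) for a GET on <account>/<container> with a
    token described as {"tenant_id", "tenant_name", "user", "roles"}."""
    # 1. The account in the URL must be the token's own tenant. A token for
    #    tenant test2 sent to /v1/SWIFTSTACK_<test1 id>/... stops here; this
    #    is the 'tenant mismatch: X != Y' line in the proxy debug log.
    if account != RESELLER_PREFIX + token["tenant_id"]:
        return False, "tenant mismatch: %s != %s" % (account, token["tenant_id"])
    # 2. An operator role makes the caller owner of the whole account, which
    #    is why the shared role must stay out of operator_roles.
    user_roles = {r.lower() for r in token.get("roles", [])}
    if user_roles & OPERATOR_ROLES:
        return True, "operator role: account owner"
    # 3. Otherwise the container read ACL decides: tenant:user (tenant name
    #    taken from the token), a bare user name, or a role name.
    _, names = parse_acl(read_acl)
    tenant_user = "%s:%s" % (token["tenant_name"], token["user"])
    if tenant_user in names or token["user"] in names:
        return True, "ACL entry for %s" % tenant_user
    if user_roles & set(names):
        return True, "ACL entry for role"
    return False, "no ACL entry for %s" % tenant_user
```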
<br><br><div class="gmail_quote">2013/11/13 <span dir="ltr"><<a href="mailto:thorfinn@poivron.org" target="_blank">thorfinn@poivron.org</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
This syntax is correct:<br>
<br>
curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: *:*" -H " \<br>
X-Container-Write: *:*" <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><div><br>
<br>
curl -i -X GET -H "X-Auth-Token: $tokenTest2" <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br></div><div>
HTTP/1.1 204 No Content<br>
Content-Length: 0<br>
X-Container-Object-Count: 0<br></div>
Accept-Ranges: bytes<br>
X-Timestamp: 1384268871.16508<div><br>
X-Container-Bytes-Used: 0<br>
Content-Type: text/html; charset=UTF-8<br></div>
Date: Wed, 13 Nov 2013 09:42:33 GMT<br>
Connection: close<br>
<br>
I don't understand why, but today it is OK for me.<br>
<br>
curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-container-Read: test2:test2" \<div><br>
-H "X-Container-Write: test2:test2" <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
<br></div><div>
curl -i -X GET -H "X-Auth-Token: $tokenTest1" <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
HTTP/1.1 204 No Content<br>
Content-Length: 0<br>
X-Container-Object-Count: 0<br></div><div>
X-Container-Write: test2:test2<br>
Accept-Ranges: bytes<br>
X-Timestamp: 1384268871.16508<br>
X-Container-Read: test2:test2<br>
X-Container-Bytes-Used: 0<br>
Content-Type: text/html; charset=UTF-8<br></div>
Date: Wed, 13 Nov 2013 09:58:09 GMT<div><br>
Connection: close<br>
<br>
curl -i -X GET -H "X-Auth-Token: $tokenTest2" <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br></div><div>
HTTP/1.1 204 No Content<br>
Content-Length: 0<br>
X-Container-Object-Count: 0<br></div>
Accept-Ranges: bytes<br>
X-Timestamp: 1384268871.16508<div><br>
X-Container-Bytes-Used: 0<br>
Content-Type: text/html; charset=UTF-8<br></div>
Date: Wed, 13 Nov 2013 09:56:55 GMT<br>
Connection: close<br>
<br>
Thank you for your help<div><div><br>
<br>
On 2013-11-13 10:31, <a href="mailto:thorfinn@poivron.org" target="_blank">thorfinn@poivron.org</a> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
@Dheerendra:<br>
the correct IP address is 192.168.3.100. It's a mistake. Same problem<br>
with the correct IP address.<br>
<br>
@Kuo Hugo:<br>
I don't understand the item 1.<br>
<br>
On the item 2:<br>
<br>
curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H<br>
"X-Container-Read:test2" -H "X-Container-Write: test2"<br>
<a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
HTTP/1.1 204 No Content<br>
Content-Length: 0<br>
Content-Type: text/html; charset=UTF-8<br>
Date: Wed, 13 Nov 2013 08:55:57 GMT<br>
Connection: close<br>
<br>
curl -i -X GET -H "X-Auth-Token: $tokenTest1"<br>
<a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
HTTP/1.1 204 No Content<br>
Content-Length: 0<br>
X-Container-Object-Count: 0<br>
X-Container-Write: test2<br>
Accept-Ranges: bytes<br>
X-Timestamp: 1384268871.16508<br>
X-Container-Read: test2<br>
X-Container-Bytes-Used: 0<br>
Content-Type: text/html; charset=UTF-8<br>
Date: Wed, 13 Nov 2013 08:56:00 GMT<br>
Connection: close<br>
<br>
<br>
curl -i -X GET -H "X-Auth-Token: $tokenTest2"<br>
<a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
HTTP/1.1 403 Forbidden<br>
Content-Length: 73<br>
Content-Type: text/html; charset=UTF-8<br>
Date: Wed, 13 Nov 2013 08:56:18 GMT<br>
Connection: close<br>
<br>
Same problem. Can you test this please?<br>
<br>
<br>
<br>
On 2013-11-12 18:26, Kuo Hugo wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi <br>
<br>
From my point of view, there may be two potential problems.<br>
<br>
1. The read ACL does not allow listing objects in a container by<br>
default, and your request is for retrieving the object list of a<br>
container, though.<br>
<br>
2. For Keystone, I think the value of the ACL header should be the<br>
username instead of username:tenant-name.<br>
<br>
For reference: <a href="http://docs.openstack.org/developer/swift/misc.html#acls" target="_blank">http://docs.openstack.org/developer/swift/misc.html#acls</a> [11]<br>
<br>
Perhaps I can test it tomorrow morning. <br>
<br>
+Hugo Kuo+<br>
<a href="tel:%28%2B886%29%20935004793" value="+886935004793" target="_blank">(+886) 935004793</a><br>
<br>
SwiftStack Inc.<br>
<br>
2013/11/13 <<a href="mailto:thorfinn@poivron.org" target="_blank">thorfinn@poivron.org</a> [12]><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi all,<br>
<br>
I use Openstack Havana (Storage + Identity)<br>
<br>
I encountered some problems when I set permissions (ACLs) on<br>
Openstack Swift containers.<br>
<br>
My swift proxy-server.conf is here:<br>
<a href="http://pastebin.com/0hpfebNp" target="_blank">http://pastebin.com/0hpfebNp</a> [1]<br>
<br>
My keystone.conf is here:<br>
<a href="http://pastebin.com/VUGYbcM5" target="_blank">http://pastebin.com/VUGYbcM5</a> [2]<br>
<br>
I have the token of test1:test1 and test2:test2<br>
<br>
curl -s -H 'Content-type: application/json'<br>
-d '{"auth": {"tenantName": "test1", "passwordCredentials":<br>
{"username": "test1", "password": "test1"}}}'<br>
<a href="http://192.168.3.100:5000/v2.0/tokens" target="_blank">http://192.168.3.100:5000/v2.<u></u>0/tokens</a> [3] | python -mjson.tool<br>
<br>
curl -s -H 'Content-type: application/json'<br>
-d '{"auth": {"tenantName": "test2", "passwordCredentials":<br>
{"username": "test2", "password": "test2"}}}'<br>
<a href="http://192.168.3.100:5000/v2.0/tokens" target="_blank">http://192.168.3.100:5000/v2.<u></u>0/tokens</a> [4] | python -mjson.tool<br>
<br>
Then, enable read access to test2:test2<br>
<br>
curl -i -X PUT -H "X-Auth-Token: $tokenTest1"<br>
-H "X-Container-Read:test2:test2"<br>
-H "X-Container-Write: test2:test2"<br>
<a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a> [5]<br>
<br>
Check the permission of the container:<br>
<br>
curl -k -v -H "X-Auth-Token:$tokenTest1"<br>
<a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a> [6]<br>
<br>
This is the reply of the operation:<br>
HTTP/1.1 204 No Content<br>
< Content-Length: 0<br>
< X-Container-Object-Count: 0<br>
< X-Container-Write: test2:test2<br>
< Accept-Ranges: bytes<br>
< X-Timestamp: 1384268871.16508<br>
< X-Container-Read: test2:test2<br>
< X-Container-Bytes-Used: 0<br>
< Content-Type: text/html; charset=UTF-8<br>
< Date: Tue, 12 Nov 2013 16:30:16 GMT<br>
<br>
Now, the user test2:test2 visits the container of test1:test1<br>
<br>
curl -k -v -H 'X-Auth-Token:$tokenTest2'<br>
<a href="http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://127.0.0.1:8080/v1/<u></u>AUTH_$tenantTest1/foo</a> [7]<br>
<br>
< HTTP/1.1 403 Forbidden<br>
< Content-Length: 73<br>
< Content-Type: text/html; charset=UTF-8<br>
< Date: Tue, 12 Nov 2013 16:34:24 GMT<br>
< Connection: close<br>
<<br>
* Closing connection 0<br>
&lt;html&gt;&lt;h1&gt;Forbidden&lt;/h1&gt;&lt;p&gt;Access was denied to this<br>
resource.&lt;/p&gt;&lt;/html&gt;<br>
<br>
However, I got a 403 error. Can someone help me?<br>
<br>
Best Regards<br>
<br>
______________________________<u></u>_________________<br>
Mailing list:<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a> [8]<br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a> [9]<br>
Unsubscribe :<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a> [10]<br>
</blockquote>
<br>
<br>
<br>
Links:<br>
------<br>
[1] <a href="http://pastebin.com/0hpfebNp" target="_blank">http://pastebin.com/0hpfebNp</a><br>
[2] <a href="http://pastebin.com/VUGYbcM5" target="_blank">http://pastebin.com/VUGYbcM5</a><br>
[3] <a href="http://192.168.3.100:5000/v2.0/tokens" target="_blank">http://192.168.3.100:5000/v2.<u></u>0/tokens</a><br>
[4] <a href="http://192.168.3.100:5000/v2.0/tokens" target="_blank">http://192.168.3.100:5000/v2.<u></u>0/tokens</a><br>
[5] <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
[6] <a href="http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://192.168.3.100:8080/v1/<u></u>AUTH_$tenantTest1/foo</a><br>
[7] <a href="http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo" target="_blank">http://127.0.0.1:8080/v1/AUTH_<u></u>$tenantTest1/foo</a><br>
[8] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a><br>
[9] mailto:<a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.<u></u>openstack.org</a><br>
[10] <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/<u></u>cgi-bin/mailman/listinfo/<u></u>openstack</a><br>
[11] <a href="http://docs.openstack.org/developer/swift/misc.html#acls" target="_blank">http://docs.openstack.org/<u></u>developer/swift/misc.html#acls</a><br>
[12] mailto:<a href="mailto:thorfinn@poivron.org" target="_blank">thorfinn@poivron.org</a><br>
</blockquote></blockquote>
<br>
<br>
</div></div><div><div>
</div></div></blockquote></div><br></div></div>