[swift][ceph] Container ACLs don't seem to be respected on Ceph RGW
Hi all,

Just scratching my head at this for a while and thought I’d ask here in case it saves some time. I’m running a Ceph cluster on the Nautilus release and it’s running Swift via the rgw. I have Keystone authentication turned on. Everything works fine in the normal case of creating containers, uploading files, listing containers, etc.

However, I notice that ACLs don’t seem to work. I am not overriding "rgw enforce swift acls", so it is set to the default of true. I can’t seem to share a container or make it public.

(Side note, confusingly, the Ceph implementation has a different syntax for public read/write containers, '*' as opposed to '*:*' for public write for example.)

Here’s what I’m doing

(as admin)

    swift post --write-acl '*' --read-acl '*' public-container
    swift stat public-container
    Account: v1
    Container: public-container
    Objects: 1
    Bytes: 5801
    Read ACL: *
    Write ACL: *
    Sync To:
    Sync Key:
    X-Timestamp: 1595883106.23179
    X-Container-Bytes-Used-Actual: 8192
    X-Storage-Policy: default-placement
    X-Storage-Class: STANDARD
    Last-Modified: Wed, 05 Aug 2020 03:42:11 GMT
    X-Trans-Id: tx000000000000000662156-005f2a2bea-23478-default
    X-Openstack-Request-Id: tx000000000000000662156-005f2a2bea-23478-default
    Accept-Ranges: bytes
    Content-Type: text/plain; charset=utf-8

(as non-admin)

    swift upload public-container test.txt
    Warning: failed to create container 'public-container': 409 Conflict: BucketAlreadyExists
    Object HEAD failed: https://ceph.example.org:7480/swift/v1/public-container/README.md 403 Forbidden

    swift list public-container
    Container GET failed: https://ceph.example.org:7480/swift/v1/public-container?format=json 403 Forbidden  [first 60 chars of response] b'{"Code":"AccessDenied","BucketName":"public-container","RequestId":"tx0'
    Failed Transaction ID: tx000000000000000662162-005f2a2c2a-23478-default

What am I missing? Thanks in advance!

/Jason
As an update, I think one of my problems was the dangling space after “_member_” in my ACL list, which was quite painful to discover. I think it was breaking the matching of my user, which had the role _member_ assigned. And, it does look like read ACLs must be of the form “.r:*”, despite the Ceph docs. With this in place, public read ACL works. I still can’t get write ACLs to work though, and from looking at the code[1] I’m not sure how it’s supposed to work. /Jason [1]: https://github.com/ceph/ceph/blob/f52fb99f011d9b124ed91f3d001d3551e9a10c8d/s...
On Aug 5, 2020, at 6:18 PM, Jason Anderson <jasonanderson@uchicago.edu> wrote:

> As an update, I think one of my problems was the dangling space after “_member_” in my ACL list, which was quite painful to discover. I think it was breaking the matching of my user, which had the role _member_ assigned.

Sorry, I meant in my Ceph configuration, which had this line in the rgw section:

    rgw keystone accepted roles = _member_ , Member, admin
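An added example (not code from this thread, from Ceph, or from OpenStack Swift) modelling the two points raised above: Swift's V1 container ACL grammar, under which public read is `.r:*` and a bare `*` is only a group name, and a trimmed-versus-verbatim comparison of the accepted-roles line. The `role_accepted` model, its `', '` split and the sample hostnames are assumptions, not verified Ceph RGW behaviour.

```python
from urllib.parse import urlparse

def parse_acl(header):
    """Split an X-Container-Read/Write value (Swift V1 ACL grammar) into
    (referrers, groups). '.r:*' is an anonymous-read referrer rule, while a
    bare '*' is only a group named '*', which matches no caller."""
    referrers, groups = [], []
    for item in (header or "").split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith(".r:"):
            referrers.append(item[3:])
        else:
            groups.append(item)
    return referrers, groups

def referrer_allowed(referer, referrers):
    """Referrer rules in Swift's documented style: '*' matches any host,
    '.dom' matches subdomains, a leading '-' denies; later rules win."""
    host = urlparse(referer or "").hostname or "unknown"
    allow = False
    for rule in referrers:
        deny, pat = rule.startswith("-"), rule.lstrip("-")
        if pat == "*" or pat == host or (pat.startswith(".") and host.endswith(pat)):
            allow = not deny
    return allow

def read_allowed(acl_header, user_groups, referer=None, listing=False):
    """True if a caller may GET objects (or list them, with listing=True).
    Listing via a referrer rule additionally needs the '.rlistings' group."""
    referrers, groups = parse_acl(acl_header)
    if set(user_groups) & set(groups):
        return True
    if referrer_allowed(referer, referrers):
        return (".rlistings" in groups) if listing else True
    return False

def role_accepted(config_line, user_role):
    """Model of the 'rgw keystone accepted roles' comparison. ASSUMPTION:
    entries are split on ', ' and compared verbatim, as the poster saw with
    '_member_ ' (trailing space). Returns (verbatim_match, trimmed_match,
    padded_entries) so a config audit can flag the stray whitespace."""
    _, _, value = config_line.partition("=")
    entries = value.strip().split(", ")
    verbatim = user_role in entries
    trimmed = user_role in [e.strip() for e in entries]
    padded = [e for e in entries if e != e.strip()]
    return verbatim, trimmed, padded
```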
participants (1)
- Jason Anderson