[swift][ceph] Container ACLs don't seem to be respected on Ceph RGW

Jason Anderson jasonanderson at uchicago.edu
Wed Aug 5 03:49:55 UTC 2020

Hi all,

Just scratching my head at this for a while and thought I’d ask here in case it saves some time. I’m running a Ceph cluster on the Nautilus release and it’s running Swift via the rgw. I have Keystone authentication turned on. Everything works fine in the normal case of creating containers, uploading files, listing containers, etc.

However, I notice that ACLs don’t seem to work. I am not overriding "rgw enforce swift acls", so it is set to the default of true. I can’t seem to share a container or make it public.

(Side note, confusingly, the Ceph implementation has a different syntax for public read/write containers, ‘*’ as opposed to ‘*:*’ for public write for example.)

Here’s what I’m doing

(as admin)
swift post --write-acl '*' --read-acl '*' public-container
swift stat public-container
                      Account: v1
                    Container: public-container
                      Objects: 1
                        Bytes: 5801
                     Read ACL: *
                    Write ACL: *
                      Sync To:
                     Sync Key:
                  X-Timestamp: 1595883106.23179
X-Container-Bytes-Used-Actual: 8192
             X-Storage-Policy: default-placement
              X-Storage-Class: STANDARD
                Last-Modified: Wed, 05 Aug 2020 03:42:11 GMT
                   X-Trans-Id: tx000000000000000662156-005f2a2bea-23478-default
       X-Openstack-Request-Id: tx000000000000000662156-005f2a2bea-23478-default
                Accept-Ranges: bytes
                 Content-Type: text/plain; charset=utf-8

(as non-admin)
swift upload public-container test.txt
Warning: failed to create container 'public-container': 409 Conflict: BucketAlreadyExists
Object HEAD failed: https://ceph.example.org:7480/swift/v1/public-container/README.md 403 Forbidden

swift list public-container
Container GET failed: https://ceph.example.org:7480/swift/v1/public-container?format=json 403 Forbidden  [first 60 chars of response] b'{"Code":"AccessDenied","BucketName":"public-container","RequestId":"tx0'
Failed Transaction ID: tx000000000000000662162-005f2a2c2a-23478-default

What am I missing? Thanks in advance!

