[Openstack] Swift Object Storage ACLs with KeyStone
Kuo Hugo
tonytkdk at gmail.com
Wed Nov 13 10:49:35 UTC 2013
I may know the problem now.
You can have a look at @fbo's blog: http://blog.fsquat.net/?p=40
I did a deep dive into the auth middleware today.
The authtoken middleware will reject the request if the token's tenant
mapping does not match the one you requested.
[Debug log]
Nov 13 01:39:30 proxy-server tenant mismatch:
SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919 !=
5c5791c3dca54885a862bbd214587759 (txn:
txc94a550c9adb4305b21a8-00528348d2) (client_ip: 192.168.1.222)
Nov 13 01:39:30 proxy-server tenant mismatch:
SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919 !=
5c5791c3dca54885a862bbd214587759 (txn:
txc94a550c9adb4305b21a8-00528348d2) (client_ip: 192.168.1.222)
Nov 13 01:39:30 proxy-server 192.168.1.222 127.0.0.1
13/Nov/2013/09/39/30 GET
/v1/SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919/share-U1 HTTP/1.0 403
- curl/7.22.0%20%28x86_64-pc-linux-gnu%29%20libcurl/7.22.0%20OpenSSL/1.0.1%20zlib/1.2.3.4%20libidn/1.23%20librtmp/2.3
21371d0927a742e0b7ae79680548c49f - 73 -
txc94a550c9adb4305b21a8-00528348d2 - 0.0125 - -
For your purpose, more effort is needed.
1. Create a role with whatever name you want, but the role should not be in the
operator's role list of the keystone_auth middleware. Let's have one named
share:
keystone role-create --name share
2. Give the non-privileged role to user test2 of tenant test1, for passing
the authtoken middleware:
keystone user-role-add --user test2 --tenant test1 --role share
3. [Trick] Set the read ACL on account AUTH_test1's container foo
for test1:test2 (Tenant:UserName):
curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test1:test2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
4. To retrieve the token of tenant test1 for user test2 rather than using
tenant test2's token:
curl -s -H 'Content-type: application/json' \
-d '{"auth": {"tenantName": "test1", "passwordCredentials": {"username": "test2", "password": "test2"}}}' \
http://192.168.3.100:5000/v2.0/tokens | python -mjson.tool
5. To get the object from test1/foo with this token. As I mentioned before,
the default ACL does not allow listing objects in a container. You need to
set .rlistings in the header.
curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test1:test2,.rlistings" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
Hope it helps.
+Hugo Kuo+
(+886) 935004793
SwiftStack Inc.
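Hugo's five steps and the "tenant mismatch" log line above, as an added example that is not Swift's code and not from anyone in the thread: a small Python model of the order in which the Havana-era keystoneauth middleware decides a read request (account against the token's tenant first, operator roles second, the container ACL last), with an `authorize()` function you can feed both situations from the thread and a helper that pulls the two compared ids out of the proxy-server debug line. The reseller prefix `AUTH_`, the operator roles `admin`/`swiftoperator`, the role name `ResellerAdmin` and the tenant ids `t1id`/`t2id` are assumptions; wildcard entries such as `*:*` are not modelled, and `.rlistings` is applied the way the Swift ACL docs linked in the thread describe it, to referrer (`.r:`) grants.

```python
import re
from collections import namedtuple

# Assumptions matching keystoneauth's defaults at the time; the thread's own
# deployment uses a different reseller prefix (SWIFTSTACK_).
RESELLER_PREFIX = "AUTH_"
RESELLER_ADMIN_ROLE = "ResellerAdmin"
OPERATOR_ROLES = ("admin", "swiftoperator")

# tenant_id/tenant_name/user and roles come from the validated token.
Identity = namedtuple("Identity", "tenant_id tenant_name user roles")
# obj is None for a container listing; referer is the Referer host, if any.
Request = namedtuple("Request", "account container obj referer")
Decision = namedtuple("Decision", "allowed owner reason")


def parse_acl(acl_string):
    """Split a comma-separated X-Container-Read value into referrer rules
    ('.r:host' entries) and group entries ('tenant:user', role names,
    '.rlistings')."""
    referrers, groups = [], []
    for entry in (acl_string or "").split(","):
        entry = entry.strip()
        if entry.startswith(".r:"):
            referrers.append(entry[len(".r:"):])
        elif entry:
            groups.append(entry)
    return referrers, groups


def referrer_allowed(referer_host, referrer_acl):
    """'.r:*' allows any referrer, '.r:host' an exact host, '.r:.domain'
    a suffix; a leading '-' denies, and the last matching rule wins."""
    allow = False
    host = referer_host or "unknown"
    for rule in referrer_acl:
        negate = rule.startswith("-")
        pattern = rule[1:] if negate else rule
        if (pattern == "*" or pattern == host
                or (pattern.startswith(".") and host.endswith(pattern))):
            allow = not negate
    return allow


def authorize(identity, request, read_acl):
    """Decide a read of request.container. The checks run in the order that
    produced the thread's 'tenant mismatch' log line: account vs. token
    tenant first, operator roles next, the container ACL last."""
    if RESELLER_ADMIN_ROLE in identity.roles:
        return Decision(True, True, "reseller admin")
    # The account in the URL must be the token's own tenant. A token scoped to
    # another tenant is refused here, before the ACL is even read, which is
    # why test2's own token got 403 whatever the ACL said.
    if request.account != RESELLER_PREFIX + identity.tenant_id:
        return Decision(False, False, "tenant mismatch: %s != %s"
                        % (request.account, identity.tenant_id))
    # An operator role makes the user an owner of the whole account, which is
    # why the role handed out in step 1 must stay out of operator_roles.
    for role in OPERATOR_ROLES:
        if role in identity.roles:
            return Decision(True, True, "operator role %s" % role)
    referrers, groups = parse_acl(read_acl)
    # A referrer grant covers object reads; listing the container also needs
    # .rlistings, and a referrer match that lacks it is a final deny.
    if referrer_allowed(request.referer, referrers):
        if request.obj or ".rlistings" in groups:
            return Decision(True, False, "referrer ACL")
        return Decision(False, False, "referrer ACL without .rlistings")
    # The tenant:user entry is matched against the token's tenant name, so a
    # token scoped to test1 matches 'test1:test2', never 'test2:test2'.
    tenant_user = "%s:%s" % (identity.tenant_name, identity.user)
    if tenant_user in groups:
        return Decision(True, False, "ACL entry %s" % tenant_user)
    # A Keystone role name in the ACL grants access to every holder of it.
    for role in identity.roles:
        if role in groups:
            return Decision(True, False, "ACL role %s" % role)
    return Decision(False, False, "no ACL match for %s" % tenant_user)


MISMATCH_RE = re.compile(r"tenant mismatch: (\S+) != (\S+)")


def tenant_mismatch_from_log(line):
    """(account, token tenant id) from a proxy-server debug line, else None."""
    m = MISMATCH_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    listing = Request("AUTH_t1id", "foo", None, None)   # constructed ids
    # thorfinn's attempt: test2's own token against tenant test1's account.
    print(authorize(Identity("t2id", "test2", "test2", ["Member"]), listing, "test2:test2"))
    # Hugo's steps 1-4: user test2 with role 'share', token scoped to test1.
    shared = Identity("t1id", "test1", "test2", ["share"])
    print(authorize(shared, listing, "test1:test2"))
    print(tenant_mismatch_from_log("Nov 13 01:39:30 proxy-server tenant mismatch: "
          "SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919 != 5c5791c3dca54885a862bbd214587759"))
```

Running it prints the denial for test2's own token, the grant for the test1-scoped token against `test1:test2`, and the two ids the thread's log line compares. Naming the sharing role something that appears in operator_roles would take the "operator role" branch instead and make test2 an owner of the whole account, which is the point of Hugo's step 1; the `tenant_mismatch_from_log` helper is the check to run over proxy-server debug output when a cross-tenant 403 needs to be told apart from a plain ACL miss.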
2013/11/13 <thorfinn at poivron.org>
> This syntax is correct:
>
> curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: *:*" \
> -H "X-Container-Write: *:*" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest2"
> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
>
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 09:42:33 GMT
> Connection: close
>
> I don't understand why, but today it is OK for me.
>
> curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test2:test2" \
> -H "X-Container-Write: test2:test2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest1"
> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> X-Container-Write: test2:test2
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
> X-Container-Read: test2:test2
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 09:58:09 GMT
>
> Connection: close
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest2"
> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
>
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 09:56:55 GMT
> Connection: close
>
> Thank you for your help
>
>
> On 2013-11-13 10:31, thorfinn at poivron.org wrote:
>
>> @Dheerendra:
>> the correct IP address is 192.168.3.100. It's a mistake. Same problem
>> with the correct IP address.
>>
>> @Kuo Hugo:
>> I don't understand the item 1.
>>
>> On the item 2:
>>
>> curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H
>> "X-Container-Read:test2" -H "X-Container-Write: test2"
>> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> HTTP/1.1 204 No Content
>> Content-Length: 0
>> Content-Type: text/html; charset=UTF-8
>> Date: Wed, 13 Nov 2013 08:55:57 GMT
>> Connection: close
>>
>> curl -i -X GET -H "X-Auth-Token: $tokenTest1"
>> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> HTTP/1.1 204 No Content
>> Content-Length: 0
>> X-Container-Object-Count: 0
>> X-Container-Write: test2
>> Accept-Ranges: bytes
>> X-Timestamp: 1384268871.16508
>> X-Container-Read: test2
>> X-Container-Bytes-Used: 0
>> Content-Type: text/html; charset=UTF-8
>> Date: Wed, 13 Nov 2013 08:56:00 GMT
>> Connection: close
>>
>>
>> curl -i -X GET -H "X-Auth-Token: $tokenTest2"
>> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> HTTP/1.1 403 Forbidden
>> Content-Length: 73
>> Content-Type: text/html; charset=UTF-8
>> Date: Wed, 13 Nov 2013 08:56:18 GMT
>> Connection: close
>>
>> Same problem. Can you test this please?
>>
>>
>>
>> On 2013-11-12 18:26, Kuo Hugo wrote:
>>
>>> Hi
>>>
>>> From my point of view, there may be two potential problems.
>>>
>>> 1. The read ACL does not allow listing objects in a container by
>>> default, and your request is for retrieving the object list of a
>>> container, though.
>>>
>>> 2. For Keystone, I think the value of ACL header should be the
>>> username instead of username:tenant-name.
>>>
>>> For reference: http://docs.openstack.org/developer/swift/misc.html#acls [11]
>>>
>>> Perhaps I can test it tomorrow morning.
>>>
>>> +Hugo Kuo+
>>> (+886) 935004793
>>>
>>> SwiftStack Inc.
>>>
>>> 2013/11/13 <thorfinn at poivron.org [12]>
>>>
>>>> Hi all,
>>>>
>>>> I use Openstack Havana (Storage + Identity)
>>>>
>>>> I encountered some problems when I set permissions (ACLs) on
>>>> Openstack Swift containers.
>>>>
>>>> My swift proxy-server.conf is here:
>>>> http://pastebin.com/0hpfebNp [1]
>>>>
>>>> My keystone.conf is here:
>>>> http://pastebin.com/VUGYbcM5 [2]
>>>>
>>>> I have the token of test1:test1 and test2:test2
>>>>
>>>> curl -s -H 'Content-type: application/json'
>>>> -d '{"auth": {"tenantName": "test1", "passwordCredentials":
>>>> {"username": "test1", "password": "test1"}}}'
>>>> http://192.168.3.100:5000/v2.0/tokens [3] | python -mjson.tool
>>>>
>>>> curl -s -H 'Content-type: application/json'
>>>> -d '{"auth": {"tenantName": "test2", "passwordCredentials":
>>>> {"username": "test2", "password": "test2"}}}'
>>>> http://192.168.3.100:5000/v2.0/tokens [4] | python -mjson.tool
>>>>
>>>> Then, enable read access to test2:test2
>>>>
>>>> curl -i -X PUT -H "X-Auth-Token: $tokenTest1"
>>>> -H "X-Container-Read:test2:test2"
>>>> -H "X-Container-Write: test2:test2"
>>>> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo [5]
>>>>
>>>> Check the permission of the container:
>>>>
>>>> curl -k -v -H "X-Auth-Token:$tokenTest1"
>>>> http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo [6]
>>>>
>>>> This is the reply of the operation:
>>>> HTTP/1.1 204 No Content
>>>> < Content-Length: 0
>>>> < X-Container-Object-Count: 0
>>>> < X-Container-Write: test2:test2
>>>> < Accept-Ranges: bytes
>>>> < X-Timestamp: 1384268871.16508
>>>> < X-Container-Read: test2:test2
>>>> < X-Container-Bytes-Used: 0
>>>> < Content-Type: text/html; charset=UTF-8
>>>> < Date: Tue, 12 Nov 2013 16:30:16 GMT
>>>>
>>>> Now, the user test2:test2 visits the container of test1:test1
>>>>
>>>> curl -k -v -H 'X-Auth-Token:$tokenTest2'
>>>> http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo [7]
>>>>
>>>> < HTTP/1.1 403 Forbidden
>>>> < Content-Length: 73
>>>> < Content-Type: text/html; charset=UTF-8
>>>> < Date: Tue, 12 Nov 2013 16:34:24 GMT
>>>> < Connection: close
>>>> <
>>>> * Closing connection 0
>>>> <html><h1>Forbidden</h1><p>Access was denied to this
>>>> resource.</p></html>
>>>>
>>>> However, I got a 403 error. Can someone help me?
>>>>
>>>> Best Regards
>>>>
>>>> _______________________________________________
>>>> Mailing list:
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [8]
>>>> Post to : openstack at lists.openstack.org [9]
>>>> Unsubscribe :
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [10]
>>>>
>>>
>>>
>>>
>>> Links:
>>> ------
>>> [1] http://pastebin.com/0hpfebNp
>>> [2] http://pastebin.com/VUGYbcM5
>>> [3] http://192.168.3.100:5000/v2.0/tokens
>>> [4] http://192.168.3.100:5000/v2.0/tokens
>>> [5] http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>>> [6] http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>>> [7] http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo
>>> [8] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> [9] mailto:openstack at lists.openstack.org
>>> [10] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> [11] http://docs.openstack.org/developer/swift/misc.html#acls
>>> [12] mailto:thorfinn at poivron.org
>>>
>>
>