Alejandro, you are indeed correct: people in operator_roles should not be able to issue a DELETE on the account, but I can't seem to reproduce this, as I am getting a 405 when trying to do that. Can you please show us how you do that?
# Making sure the admin has the admin role
stack@devstack:~/devstack$ keystone user-role-list --user admin
+----------------------------------+-------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+-------+----------------------------------+----------------------------------+
| 06e77ba20bc0406e91da2b01a87e84c3 | admin | 058d18862233418bb55b0fee730e22e9 | 19cae1368377431bb6a3bb610b9ec37e |
+----------------------------------+-------+----------------------------------+----------------------------------+
stack@devstack:~/devstack$ keystone role-get 06e77ba20bc0406e91da2b01a87e84c3
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 06e77ba20bc0406e91da2b01a87e84c3 |
| name | admin |
+----------+----------------------------------+
# operator_roles has admin as role to authorize
stack@devstack:~/devstack$ grep -w operator_roles /etc/swift/proxy-server.conf
operator_roles = Member, admin
# Using http://p.chmouel.com/ks script, getting a token for admin user
stack@devstack:~/devstack$ ks -s localhost admin:admin ADMIN
TOKEN='4a22807037e1465a8c3c0918fca62a47'
STORAGE_URL='http://46.231.128.140:8080/v1/AUTH_19cae1368377431bb6a3bb610b9ec37e'
KEYSTONE_URL='http://localhost:5000/v2.0/tokens'
# curl -H "X-Auth-Token: ${TOKEN}" ${STORAGE_URL}
# Trying to do a delete of the account
stack@devstack:~/devstack$ curl -v -X DELETE -H "X-Auth-Token: ${TOKEN}" ${STORAGE_URL}
* About to connect() to 46.231.128.140 port 8080 (#0)
* Trying 46.231.128.140... connected
> DELETE /v1/AUTH_19cae1368377431bb6a3bb610b9ec37e HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: 46.231.128.140:8080
> Accept: */*
> X-Auth-Token: 4a22807037e1465a8c3c0918fca62a47
>
< HTTP/1.1 405 Method Not Allowed
< Content-Length: 91
< Content-Type: text/html; charset=UTF-8
< Allow: HEAD, GET, POST, OPTIONS
< X-Trans-Id: tx408c29ef0e0940dea6f04-005190e04a
< Date: Mon, 13 May 2013 12:44:58 GMT
<
* Connection #0 to host 46.231.128.140 left intact
* Closing connection #0
<html><h1>Method Not Allowed</h1><p>The method is not allowed for this resource.</p></html>
stack@devstack:~/devstack$