Swift3 does not accurately translate swift container ACLs

Bug #1381735 reported by ariday
Affects: Swift3
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

--Create a "swiftContainer" with swift that allows public read access and listings of "swiftContainer":
# swift post -r ".r:*,.rlistings" swiftContainer
POST /v1/AUTH_ebb69dad9beb413ba4ab147aa195fdf9/swiftContainer HTTP/1.1
Host: 9.18.76.57:8080
Content-Length: 0
Accept-Encoding: gzip, deflate
Accept: */*
user-agent: python-swiftclient-2.1.0
x-container-read: .r:*,.rlistings

HTTP/1.1 404 Not Found
Content-Length: 70
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txd25de6613cb848b0b532f-00543ea13e
Date: Wed, 15 Oct 2014 16:30:54 GMT

<html><h1>Not Found</h1><p>The resource could not be found.</p></html>

PUT /v1/AUTH_ebb69dad9beb413ba4ab147aa195fdf9/swiftContainer HTTP/1.1
Host: 9.18.76.57:8080
Content-Length: 0
Accept-Encoding: gzip, deflate
Accept: */*
user-agent: python-swiftclient-2.1.0
x-container-read: .r:*,.rlistings

HTTP/1.1 201 Created
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txe73b906765124af18cbbc-00543ea13e
Date: Wed, 15 Oct 2014 16:30:55 GMT

--Display "swiftContainer" container information with swift; the "X-Container-Read" header correctly displays the ACL set up in the previous step--
# swift stat swiftContainer
HEAD /v1/AUTH_ebb69dad9beb413ba4ab147aa195fdf9/swiftContainer HTTP/1.1
Host: 9.18.76.57:8080
user-agent: python-swiftclient-2.1.0
Accept-Encoding: gzip, deflate
Accept: */*

HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 0
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
X-Container-Read: .r:*,.rlistings
X-Container-Bytes-Used: 0
X-Timestamp: 1413390197.44739
Content-Type: text/plain; charset=utf-8
X-Trans-Id: tx53193b3aab3c427ba964f-00543ea147
Date: Wed, 15 Oct 2014 16:31:03 GMT

--Display "swiftContainer" ACL with Swift3 (authenticated with the container owner "monserrat"); the output does not list READ permission for GROUP "All Users"
# /root/swift3/swift3/test/functional/s3curl.pl --id monserrat_ks -- http://es-node1:8080/swiftContainer?acl
GET /swiftContainer?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 16:31:30 +0000
Authorization: AWS f78452a596024f65beae309e4cadea1b:0XV4cIUkLdEXf5ULO/dWqSHej5k=

HTTP/1.1 200 OK
x-amz-id-2: tx155b38179ffb4afdad955-00543ea162
Content-Length: 470
x-amz-request-id: tx155b38179ffb4afdad955-00543ea162
Content-Type: text/plain
X-Trans-Id: tx155b38179ffb4afdad955-00543ea162
Date: Wed, 15 Oct 2014 16:31:30 GMT

<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ariday:monserrat</ID><DisplayName>ariday:monserrat</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ariday:monserrat</ID><DisplayName>ariday:monserrat</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>

--Display "swiftContainer" ACL with Swift3 (authenticated with user "balderas" that has only READ permission) and the output displays user "balderas" has full_control.-- (Not expected)

# /root/swift3/swift3/test/functional/s3curl.pl --id balderas_ks -- http://es-node1:8080/swiftContainer?acl
GET /swiftContainer?acl HTTP/1.1
User-Agent: curl/7.29.0
Host: es-node1:8080
Accept: */*
Date: Wed, 15 Oct 2014 16:32:41 +0000
Authorization: AWS 7b0e0d40d00a4faeb64bd4000e7370a5:0Wza7BiB6yNr9rrmZgiut+DyafA=

HTTP/1.1 200 OK
x-amz-id-2: txfaa9a24f8c1c4ee596995-00543ea1a9
Content-Length: 466
x-amz-request-id: txfaa9a24f8c1c4ee596995-00543ea1a9
Content-Type: text/plain
X-Trans-Id: txfaa9a24f8c1c4ee596995-00543ea1a9
Date: Wed, 15 Oct 2014 16:32:41 GMT

<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>ariday:balderas</ID><DisplayName>ariday:balderas</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>ariday:balderas</ID><DisplayName>ariday:balderas</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>

--Try to upload an object into swiftContainer to demonstrate that the user has no write permissions; it returns an AccessDenied error.-- (Expected)
# /root/swift3/swift3/test/functional/s3curl.pl --id balderas_ks --put openrc --:8080/swiftContainer/openrc -v
* About to connect() to es-node1 port 8080 (#0)
* Trying 172.22.1.10...
* Connected to es-node1 (172.22.1.10) port 8080 (#0)
> PUT /swiftContainer/openrc HTTP/1.1
> User-Agent: curl/7.29.0
> Host: es-node1:8080
> Accept: */*
> Date: Wed, 15 Oct 2014 17:04:48 +0000
> Authorization: AWS 7b0e0d40d00a4faeb64bd4000e7370a5:V0jUaV/+Ak4Cf7iMToaWFelW7Ug=
> Content-Length: 136
> Expect: 100-continue
>
< HTTP/1.1 403 Forbidden
< x-amz-id-2: tx59981ae54bae4a7d8ee11-00543ea930
< x-amz-request-id: tx59981ae54bae4a7d8ee11-00543ea930
< Content-Type: text/xml
< X-Trans-Id: tx59981ae54bae4a7d8ee11-00543ea930
< Date: Wed, 15 Oct 2014 17:04:48 GMT
< Transfer-Encoding: chunked
* HTTP error before end of send, stop sending
<
<?xml version='1.0' encoding='UTF-8'?>
* Closing connection 0
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><RequestId>tx59981ae54bae4a7d8ee11-00543ea930</RequestId></Error>

Expected:
Swift3 accurately translates Swift container ACLs to public-read:
<?xml version='1.0' encoding='UTF-8'?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner>
    <ID>ariday:monserrat</ID>
    <DisplayName>ariday:monserrat</DisplayName>
  </Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>ariday:monserrat</ID>
        <DisplayName>ariday:monserrat</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI xmlns="">http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>

--Keystone users of tenant ariday(ebb69dad9beb413ba4ab147aa195fdf9)--
{"users": [{"username": "balderas", "name": "balderas", "id": "4f212b4e794148d597405546147debf1", "enabled": true, "email": "<email address hidden>", "tenantId": "ebb69dad9beb413ba4ab147aa195fdf9"}, {"username": "monserrat", "name": "monserrat", "id": "9b3a597a3f554c9f8097ca6ed621e666", "enabled": true, "email": "<email address hidden>", "tenantId": "ebb69dad9beb413ba4ab147aa195fdf9"}, {"username": "ariday", "name": "ariday", "id": "d5758131cc494a06aa6540ca1344aa95", "enabled": true, "email": null, "tenantId": "ebb69dad9beb413ba4ab147aa195fdf9"}, {"username": "alba", "name": "alba", "id": "ee2ee175421a4134ab4dd0bed5e182d7", "enabled": true, "email": "<email address hidden>", "tenantId": "ebb69dad9beb413ba4ab147aa195fdf9"}]}
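
The mismatch described above can be checked mechanically. The following is an added example, not code from this report or from Swift3: it parses an X-Container-Read value, derives the grants an S3 ACL view should show, and reports which ones a returned AccessControlPolicy omits. The mapping of ".r:*" plus ".rlistings" to an AllUsers READ grant is taken from the "Expected" output in the report; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def parse_read_acl(header):
    """Split an X-Container-Read value into (public, listings, named users)."""
    public, listings, users = False, False, []
    for item in (part.strip() for part in header.split(",")):
        if item == ".rlistings":
            listings = True
        elif item.startswith(".r:"):
            public = public or item[3:].strip() == "*"
        elif item:
            users.append(item)
    return public, listings, users

def expected_grants(owner, read_header):
    """Grants an S3 view should show (assumed mapping, see the lead-in)."""
    public, listings, _ = parse_read_acl(read_header)
    grants = {(owner, "FULL_CONTROL")}
    if public and listings:
        grants.add((ALL_USERS, "READ"))
    return grants

def grants_in_policy(xml_text):
    """Extract (grantee, permission) pairs from an AccessControlPolicy document."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]   # drop any XML namespace
    found = set()
    for grant in ET.fromstring(xml_text.encode("utf-8")).iter():
        if local(grant) != "Grant":
            continue
        fields = {local(el): (el.text or "").strip() for el in grant.iter()}
        found.add((fields.get("URI") or fields.get("ID"), fields.get("Permission")))
    return found

def missing_grants(owner, read_header, xml_text):
    """Grants implied by the Swift ACL that the S3 response fails to report."""
    return expected_grants(owner, read_header) - grants_in_policy(xml_text)

# Constructed sample: the owner-only response from the report, trimmed and reindented.
NS = 'xmlns="http://s3.amazonaws.com/doc/2006-03-01/"'
OBSERVED = f"""<AccessControlPolicy {NS}><AccessControlList><Grant>
  <Grantee><ID>ariday:monserrat</ID></Grantee>
  <Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>"""

if __name__ == "__main__":
    print(missing_grants("ariday:monserrat", ".r:*,.rlistings", OBSERVED))
```
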

Changed in swift3:
status: New → Confirmed
Kota Tsuyuzaki (tsuyuzaki-kota) wrote :

Hi, ariday. Thanks for reporting.

I confirmed this bug. It seems to have been introduced by source code refactoring.
We should fix swift3 to work correctly.

Do you have any plans to write code to fix this?

ariday (ariday) wrote :

Hi Kota Tsuyuzaki:
 I'm not able to write the code fix at this time. Could you please provide a fix for this?

Kota Tsuyuzaki (tsuyuzaki-kota) wrote :

> ariday
OK, I have an idea to fix it and am going to put the work into my schedule :) Please wait a while. Sorry for the inconvenience.
