Bug 1430536

Summary: RGW: using swift CLI create/update container ACL failed with keystone
Product: [Red Hat Storage] Red Hat Ceph Storage Reporter: Vikhyat Umrao <vumrao>
Component: RGWAssignee: Marcus Watts <mwatts>
Status: CLOSED ERRATA QA Contact: Vidushi Mishra <vimishra>
Severity: high Docs Contact:
Priority: high    
Version: 1.3.3CC: anharris, cbodley, ceph-eng-bugs, hnallurv, jbrier, kbader, kdreyer, linuxkidd, mbenjamin, mwatts, owasserm, rfreire, sweil, tchandra, tserlin
Target Milestone: rcKeywords: TestOnly, Triaged
Target Release: 3.1   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: RHEL: ceph-12.2.4-10.el7cp Ubuntu: ceph_12.2.4-14redhat1 Doc Type: Enhancement
Doc Text:
.Improved Swift container ACL conformance has been added Previously, {product} did not support certain ACL use cases, including setting of container ACLs whose subject is a Keystone project/tenant. With this update of Ceph, many Swift container ACLs which were previously unsupported are now supported.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-09-26 18:16:41 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1584264    
Attachments:
Description Flags
logs for command: swift post testcontainer --read-acl ".r:*" --write-acl "*:*"
none
# swift post newtestcontainer1 -r "25ff852798de400891613b271320d2b7:*" # swift post newtestcontainer2 -w "25ff852798de400891613b271320d2b7:*" none

Description Vikhyat Umrao 2017-03-08 21:36:48 UTC 
Description of problem:
RGW: using swift CLI create/update container ACL failed with keystone 

Version-Release number of selected component (if applicable):
Red Hat Ceph Storage 1.3.3 - 0.94.9-9.el7cp
Red Hat Openstack Platform 8

How reproducible:
Always

Steps to Reproduce:
1. Integrate RGW with OpenStack keystone
2. Trying to set the ACL
3. Setting ACL fails

Able to reproduce in the test environment.

Additional info:
=======================

We had some known issues:

http://tracker.ceph.com/issues/15976
http://tracker.ceph.com/issues/16694 
Fixed in jewel: 10.2.3 

But these both the bugs tell that the issue is only in updating the container(post) ACL but it works well while creating the container with ACL.

I am only able to set read ACL, write ACL is not working with keystone integration.

Without keystone integration, all works fine.

Test cases and test results:
--------------------------------

- Without keystone integration:


# swift -A http://radosgw1.gsslab.com/auth/v2 -U testuser:swift -K 'i5dF5PdRIVonV26l6xZfNbm7BSI4qh8tDZzYtzGc' post test-bucket -w "testuser2"
# swift -A http://radosgw1.gsslab.com/auth/v2 -U testuser:swift -K 'i5dF5PdRIVonV26l6xZfNbm7BSI4qh8tDZzYtzGc' stat test-bucket
                      Account: v1
                    Container: test-bucket
                      Objects: 2
                        Bytes: 41487824
                     Read ACL:
                    Write ACL: testuser2 <===================================
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 41492480
                  X-Timestamp: 1485992096.00000
                   X-Trans-Id: tx000000000000000000006-0058b8972e-1c4986e-default
                 Content-Type: text/plain; charset=utf-8


# swift -A http://radosgw1.gsslab.com/auth/v2 -U testuser:swift -K 'i5dF5PdRIVonV26l6xZfNbm7BSI4qh8tDZzYtzGc' post test-bucket -w "testuser2" -r "testuser2"
#  swift -A http://radosgw1.gsslab.com/auth/v2 -U testuser:swift -K 'i5dF5PdRIVonV26l6xZfNbm7BSI4qh8tDZzYtzGc' stat test-bucket
                      Account: v1
                    Container: test-bucket
                      Objects: 2
                        Bytes: 41487824
                     Read ACL: testuser2 <===========
                    Write ACL: testuser2 <=============
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx000000000000000000013-0058b89a59-1c81fab-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 41492480
                  X-Timestamp: 1485992096.00000
                 Content-Type: text/plain; charset=utf-8



All looks good.
--------------------------

http://docs.ceph.com/docs/master/radosgw/keystone/

[client.rgw.radosgw1]
host = radosgw1
keyring = /etc/ceph/ceph.client.radosgw.keyring
log file = /var/log/radosgw/client.radosgw.gateway.log
rgw_frontends = "civetweb port=80"
#rgw_enable_usage_log = true
rgw keystone url = http://192.168.128.27:35357
rgw keystone admin user = swift
rgw keystone admin password = 80746f03e9584805
rgw keystone admin tenant = services
rgw keystone token cache size = 1000
rgw keystone revocation interval = 600
rgw keystone accepted roles = Member,admin
rgw s3 auth use keystone = true
nss db path = /var/ceph/nss


# openstack endpoint create --region RegionOne \
>      --publicurl   "http://radosgw1.redhat.com:80/swift/v1" \
>      --adminurl    "http://radosgw1.redhat.com:80/swift/v1" \
>      --internalurl "http://radosgw1.redhat.com:80/swift/v1" \
>      swift
+--------------+---------------------------------------------------+
| Field        | Value                                             |
+--------------+---------------------------------------------------+
| adminurl     | http://radosgw1.redhat.com:80/swift/v1 |
| id           | 44047368c03148a7815f8307d995584b                  |
| internalurl  | http://radosgw1.redhat.com:80/swift/v1 |
| publicurl    | http://radosgw1.redhat.com:80/swift/v1 |
| region       | RegionOne                                         |
| service_id   | 3d763eaafd5a458cbdd2dcca8b696b97                  |
| service_name | swift                                             |
| service_type | object-store                                      |
+--------------+---------------------------------------------------+


mkdir /var/ceph/nss

openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
        certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
        certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"

# swift post test-bucket4
[root@dell-per630-5 ~(keystone_admin)]# swift list 
test-bucket4

# swift upload test-bucket4 packstack-remove.sh
packstack-remove.sh


# swift stat test-bucket4
                      Account: v1
                    Container: test-bucket4
                      Objects: 1
                        Bytes: 1159
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 4096
                  X-Timestamp: 1488992278.00000
                   X-Trans-Id: tx000000000000000000019-0058c0399e-1ca3f90-default
                 Content-Type: text/plain; charset=utf-8


# swift list test-bucket4
packstack-remove.sh


# radosgw-admin bucket stats --bucket=test-bucket4
{
    "bucket": "test-bucket4",
    "pool": ".rgw.buckets",
    "index_pool": ".rgw.buckets.index",
    "id": "default.30031760.1",
    "marker": "default.30031760.1",
    "owner": "9330794e3e614cc084d0aca90c919837",
    "ver": "0#3",
    "master_ver": "0#0",
    "mtime": "2017-03-08 22:27:58.000000",
    "max_marker": "0#",
    "usage": {
        "rgw.main": {
            "size_kb": 2,
            "size_kb_actual": 4,
            "num_objects": 1
        }
    },
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    }
}


# cat keystonerc_swift 
unset OS_SERVICE_TOKEN
export OS_USERNAME=swift
export OS_PASSWORD=80746f03e9584805
export OS_AUTH_URL=http://192.168.128.27:5000/v2.0
export PS1='[\u@\h \W(keystone_swift)]\$ '

export OS_TENANT_NAME=services
export OS_REGION_NAME=RegionOne

# swift post test-bucket5
[root@dell-per630-5 ~(keystone_swift)]# swift list
test-bucket5
[root@dell-per630-5 ~(keystone_swift)]# swift upload test-bucket5 packstack-remove.sh
packstack-remove.sh
[root@dell-per630-5 ~(keystone_swift)]# swift list test-bucket5
packstack-remove.sh

# swift post -w "*:*" test-bucket5
[root@dell-per630-5 ~(keystone_swift)]# swift stat test-bucket5
                      Account: v1
                    Container: test-bucket5
                      Objects: 1
                        Bytes: 1159
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 4096
                  X-Timestamp: 1488993222.00000
                   X-Trans-Id: tx000000000000000000014-0058c03cf4-1c77945-default
                 Content-Type: text/plain; charset=utf-8

2017-03-08 22:53:59.506398 7f518efed700  1 ====== starting new request req=0x7f51c8021fa0 =====
2017-03-08 22:53:59.602991 7f518efed700  0 validated token: services:swift expires: 1488997440
2017-03-08 22:53:59.612915 7f518efed700  1 ====== req done req=0x7f51c8021fa0 http_status=204 ======
2017-03-08 22:53:59.612960 7f518efed700  1 civetweb: 0x7f51c80056c0: 10.74.128.27 - - [08/Mar/2017:22:53:59 +0530] "POST /swift/v1/test-bucket5 HTTP/1.1" 204 0 - python-swiftclient-2.6.0


# openstack user create testswift --password testswift
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 25ff852798de400891613b271320d2b7 |
| name     | testswift                        |
| username | testswift                        |
+----------+----------------------------------+

https://docs.openstack.org/developer/swift/overview_acl.html
https://www.swiftstack.com/docs/cookbooks/swift_usage/container_acl.html

# swift post www --read-acl ".r:*" --write-acl "*:*"
[root@dell-per630-5 ~(keystone_swift)]# swift stat www
                      Account: v1
                    Container: www
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx000000000000000000026-0058c078d3-1ca4db2-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1489008843.00000
                 Content-Type: text/plain; charset=utf-8


If we check above only read ACL is set.
Comment 1 Vikhyat Umrao 2017-03-08 21:51:24 UTC 
# swift post testcontainer --read-acl ".r:*" --write-acl "*:*"
Logs from my reproducer: http://pastebin.test.redhat.com/462785 (debug_rgw=20).
Comment 2 Vikhyat Umrao 2017-03-08 21:51:59 UTC 
# swift stat testcontainer
                      Account: v1
                    Container: testcontainer
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx000000000000000000029-0058c07cf1-1ca4db2-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1489009784.00000
                 Content-Type: text/plain; charset=utf-8
Comment 3 Vikhyat Umrao 2017-03-08 21:55:29 UTC 
Created attachment 1261390 [details]
logs for command:  swift post testcontainer --read-acl ".r:*" --write-acl "*:*"
Comment 4 Vikhyat Umrao 2017-03-08 22:09:17 UTC 
I tested with specific user setting that and in that both read and write ACLs are not working.

# openstack user show testswift
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 25ff852798de400891613b271320d2b7 |
| name     | testswift                        |
| username | testswift                        |
+----------+----------------------------------+


# swift post newtestcontainer1 -r "25ff852798de400891613b271320d2b7:*"

# swift post newtestcontainer2 -w "25ff852798de400891613b271320d2b7:*"

# swift stat newtestcontainer1
                      Account: v1
                    Container: newtestcontainer1
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1489010742.00000
                   X-Trans-Id: tx00000000000000000002f-0058c080d1-1ca4db2-default
                 Content-Type: text/plain; charset=utf-8

# swift stat newtestcontainer2
                      Account: v1
                    Container: newtestcontainer2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1489010756.00000
                   X-Trans-Id: tx000000000000000000030-0058c080d4-1ca4db2-default
                 Content-Type: text/plain; charset=utf-8
Comment 5 Vikhyat Umrao 2017-03-08 22:10:33 UTC 
Created attachment 1261392 [details]
# swift post newtestcontainer1 -r "25ff852798de400891613b271320d2b7:*"  # swift post newtestcontainer2 -w "25ff852798de400891613b271320d2b7:*"
Comment 6 Vikhyat Umrao 2017-03-08 22:11:14 UTC 
Log for comment#4 are in comment#5.
Comment 56 errata-xmlrpc 2018-09-26 18:16:41 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:2819