Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1314579

Summary: User has escalated permissions (can create containers) in project where username == projectname
Product: Red Hat OpenStack Reporter: Luiz Gustavo Chiaretto <luizgustavo>
Component: openstack-swiftAssignee: Pete Zaitcev <zaitcev>
Status: CLOSED ERRATA QA Contact: Mike Abrams <mabrams>
Severity: low Docs Contact:
Priority: unspecified    
Version: unspecifiedCC: cschwede, derekh, egafford, jjoyce, luizgustavo, mabrams, pgrist, scohen, sgotliv, srevivo, zaitcev
Target Milestone: rcKeywords: Triaged
Target Release: 10.0 (Newton)   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: puppet-swift-9.4.1-2.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-14 15:25:22 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Luiz Gustavo Chiaretto 2016-03-04 00:23:03 UTC 
Description of problem:

User with the same project name and ‘_member_’ role can create containers on Swift Object Storage. For example, if i have a project named ‘chiaretto’ and a user also named ‘chiaretto’ the user ‘chiaretto’ can access ‘Object Storage -> Containers’ on Horizon and create containers. If i change the project’s name to ‘chiaretto1’ the user chiaretto loses the create permission and the message ‘Error: Unable to create container.’ is shown on Horizon dashboard.

Version-Release number of selected component (if applicable):

Red Hat Enterprise Linux Server release 7.2 (Maipo)
Openstack version 2015.1.2
Repo rhel-7-server-openstack-7.0-rpms/7Server/x86_64

How reproducible/Steps to Reproduce:

1. Install Openstack and enable modules below:

== Nova ==
== Glance ==
== Keystone ==
== Horizon ==
== Neutron ==
== Swift ==
== Cinder ==
== Ceilometer ==
== Heat ==

2. As 'admin' user create a project named 'chiaretto'
3. As 'admin' user create a user named 'chiaretto', project default 'chiaretto' and role '_member_'
4. Go to ‘Object Storage -> Containers’ and the button ‘Create Container’ is enabled and the user can create containers.

Actual results:

User with same name as it’s projects and ‘_member_’ role can create containers 

Expected results:

Users with roles ‘_member_’ cannot create containers. 

Does the user ‘chiaretto’ with role ‘_member_’ can create containers on ‘chiaretto’ project?
Comment 2 Christian Schwede (cschwede) 2016-07-21 09:10:32 UTC 
This behavior is expected with older Swift releases; it has been deprecated since 1.8.0 (Grizzly) and was removed in Mitaka: https://github.com/openstack/swift/commit/335d5861

In RDO, RHEL OSP and director the corresponding setting "is_admin" will be set to true. For reference: https://access.redhat.com/documentation/en/red-hat-enterprise-linux-openstack-platform/7/configuration-reference/chapter-10-object-storage#idm140067302396848 Note that this defaults to False upstream only.
Comment 3 Pete Zaitcev 2016-09-15 21:56:48 UTC 
The report seemed so obvious that we forgot to verify if is_admin was
in fact set. Luiz, please attach the actual proxy-server.conf to this bug.
Comment 8 errata-xmlrpc 2016-12-14 15:25:22 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html