
Bug 1526222

Summary: radosgw ACL are not correctly working with Swift CLI
Product: [Red Hat Storage] Red Hat Ceph Storage
Reporter: Christina Meno <gmeno>
Component: RGW
Assignee: Marcus Watts <mwatts>
Status: CLOSED DUPLICATE
QA Contact: ceph-qe-bugs <ceph-qe-bugs>
Severity: high
Priority: high
Version: 2.4
CC: amaumene, cbodley, ceph-eng-bugs, dcadzow, gmeno, jdurgin, jefbrown, kbader, kschinck, lhh, mbenjamin, nlevine, owasserm, srevivo, sweil, tserlin, yrabl
Target Milestone: rc
Target Release: 2.5
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Clone Of: 1516099
Last Closed: 2017-12-20 21:57:23 UTC
Type: Bug
Bug Depends On: 1516099, 1552234

Description Christina Meno 2017-12-15 03:14:32 UTC
+++ This bug was initially created as a clone of Bug #1516099 +++

Description of problem:
Setting an ACL when posting with Swift ACL is not always working correctly.

Version-Release number of selected component (if applicable):
OSP11

How reproducible:
Every time

Steps to Reproduce:
1. swift post TESTCONTAINER
2. swift stat TESTCONTAINER
3. swift post -r '.r:*,.rlistings' -w '*:*' TESTCONTAINER
4. swift stat TESTCONTAINER

Actual results:
swift stat TESTCONTAINER
                      Account: v1
                    Container: TESTCONTAINER
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx0000000000000000000ef-005a14f88c-2d0d0-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1511323785.72340
                 Content-Type: text/plain; charset=utf-8

Expected results (with proper Swift):
swift stat TESTCONTAINER
               Account: AUTH_ef90a334c2e744038f8b93eeec17dd7f
             Container: TESTCONTAINER
               Objects: 0
                 Bytes: 0
              Read ACL: .r:*,.rlistings
             Write ACL: *:*
               Sync To:
              Sync Key:
         Accept-Ranges: bytes
            X-Trans-Id: tx52a54224918248e4821f6-005a14f7f1
      X-Storage-Policy: Policy-0
         Last-Modified: Wed, 22 Nov 2017 04:07:13 GMT
           X-Timestamp: 1511323628.00466
          Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: tx52a54224918248e4821f6-005a14f7f1

Additional info:
The Ceph doc at http://docs.ceph.com/docs/master/radosgw/swift/containerops/#update-a-container-s-acls says:

"You may also specify * in the X-Container-Read or X-Container-Write settings, which effectively enables all users to either read from or write to the container. Setting * makes the container public."

However that doesn't work either:

$ swift post -r '*' -w '*' TESTCONTAINER ; swift stat TESTCONTAINER
                      Account: v1
                    Container: TESTCONTAINER
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1511323785.72340
                   X-Trans-Id: tx000000000000000000172-005a14f8e3-2abe4-default
                 Content-Type: text/plain; charset=utf-8

--- Additional comment from Keith Schincke on 2017-12-06 23:00:32 EST ---

Performed the following tests with OSP11/Ocata using example command from (1):

* Set read and write(world writeable) ACLs on a bucket:
[stack@undercloud ~]$ swift post --read-acl ".r:*" --write-acl "*:*" my_test
[stack@undercloud ~]$ echo $?
0
[stack@undercloud ~]$ swift stat my_test
                      Account: v1
                    Container: my_test
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx00000000000000000000b-005a28b987-5e48-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512618054.03552
                 Content-Type: text/plain; charset=utf-8

* Set project writable on a bucket:
[stack@undercloud ~]$ swift post --read-acl ".r:*" --write-acl "admin" my_test
[stack@undercloud ~]$ swift stat my_test
                      Account: v1
                    Container: my_test
                      Objects: 0
                        Bytes: 0
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
                   X-Trans-Id: tx00000000000000000000d-005a28ba1d-5e48-default
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512618054.03552
                 Content-Type: text/plain; charset=utf-8

Performed the following test with OSP latest and Ceph Luminous:

* set world writable acl on bucket:
(overcloud) [stack@undercloud ~]$ swift list
(overcloud) [stack@undercloud ~]$ swift post my_test2
(overcloud) [stack@undercloud ~]$ swift stat my_test2
                      Account: v1
                    Container: my_test2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL:
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512577698.94967
                   X-Trans-Id: tx000000000000000000601-005a281aac-1021-default
                 Content-Type: text/plain; charset=utf-8
       X-Openstack-Request-Id: tx000000000000000000601-005a281aac-1021-default
(overcloud) [stack@undercloud ~]$ swift post --write-acl '*:*' my_test2
(overcloud) [stack@undercloud ~]$ swift stat my_test2
                      Account: v1
                    Container: my_test2
                      Objects: 0
                        Bytes: 0
                     Read ACL:
                    Write ACL: *:*
                      Sync To:
                     Sync Key:
                Accept-Ranges: bytes
             X-Storage-Policy: default-placement
X-Container-Bytes-Used-Actual: 0
                  X-Timestamp: 1512577698.94967
                   X-Trans-Id: tx000000000000000000618-005a281ad7-1021-default
                 Content-Type: text/plain; charset=utf-8
       X-Openstack-Request-Id: tx000000000000000000618-005a281ad7-1021-default


We will talk about this issue on the team and recommend additional action or reassignment of this BZ. 
 

1: https://docs.openstack.org/swift/latest/overview_acl.html
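
Because `swift post` exits 0 even when the gateway stores a different ACL than the one requested, the mismatch shown above is only visible by reading `swift stat` back. The following is an added example, not part of the original report and not code from Ceph or swiftclient: it parses `swift stat` output and reports ACL elements that were requested but not stored, or stored but not requested. The function names are hypothetical, the sample outputs are trimmed from the ones in this report, and elements are compared as literal strings (an assumption).

```python
# Added example: compare the ACLs requested with `swift post` against what
# `swift stat` reports. Function names are hypothetical, not swiftclient API.

# `swift stat` output from the report (radosgw) after
# `swift post -r '.r:*,.rlistings' -w '*:*' TESTCONTAINER`, trimmed.
RGW_STAT = """\
                      Account: v1
                    Container: TESTCONTAINER
                     Read ACL: .r:*
                    Write ACL:
                      Sync To:
"""

# Same command against Swift itself, as shown in the report, trimmed.
SWIFT_STAT = """\
               Account: AUTH_ef90a334c2e744038f8b93eeec17dd7f
             Container: TESTCONTAINER
              Read ACL: .r:*,.rlistings
             Write ACL: *:*
               Sync To:
"""

def parse_stat(text):
    """Parse the right-aligned 'Key: value' lines of `swift stat` into a dict."""
    fields = {}
    for line in text.splitlines():
        # Split on the first colon only: values such as '.r:*' contain colons.
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def acl_elements(value):
    """Split a comma-separated ACL string into a set of elements."""
    return {e.strip() for e in value.split(",") if e.strip()}

def check_acl(stat_text, want_read, want_write):
    """Return {} if the stored ACLs equal the requested ones, else the differences."""
    fields = parse_stat(stat_text)
    report = {}
    for label, wanted in (("Read ACL", want_read), ("Write ACL", want_write)):
        want, got = acl_elements(wanted), acl_elements(fields.get(label, ""))
        if want != got:
            report[label] = {"missing": sorted(want - got),
                             "unexpected": sorted(got - want)}
    return report

if __name__ == "__main__":
    for name, out in (("radosgw", RGW_STAT), ("swift", SWIFT_STAT)):
        print(name, check_acl(out, ".r:*,.rlistings", "*:*") or "ACLs match")
```

On a live system, pass the captured output of `swift stat CONTAINER` as `stat_text`.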

Comment 7 Matt Benjamin (redhat) 2017-12-20 21:57:23 UTC

*** This bug has been marked as a duplicate of bug 1516099 ***