Bug #13197
rgw: creating user by admin api returns 403 access deny
Status: Rejected
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source: other
Regression: No
Severity: 3 - minor
Description
Having added caps of "users=*" to an admin user, I can neither create nor delete a user by admin op api.
user info:
{
    "user_id": "adminuser",
    "display_name": "adminuser",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "knight",
            "access_key": "BQ24BGYD21ZRN2B98V49",
            "secret_key": "JjZx3AS+JZW1pTHd40xE82pdt+E0nbKbGCG31DgK"
        }
    ],
    "swift_keys": [],
    "caps": [
        { "type": "buckets", "perm": "*" },
        { "type": "metadata", "perm": "*" },
        { "type": "usage", "perm": "*" },
        { "type": "users", "perm": "write" },
        { "type": "zone", "perm": "*" }
    ],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": 98,
        "max_objects": -1
    },
    "temp_url_keys": []
}
radosgw debug log:
2015-09-22 16:58:08.103136 7f4952f95700 20 enqueued request req=0x7f49a0042290
2015-09-22 16:58:08.103161 7f4952f95700 20 RGWWQ:
2015-09-22 16:58:08.103163 7f4952f95700 20 req: 0x7f49a0042290
2015-09-22 16:58:08.103171 7f4952f95700 10 allocated request req=0x7f49a0042a80
2015-09-22 16:58:08.103279 7f4951792700 20 dequeued request req=0x7f49a0042290
2015-09-22 16:58:08.103285 7f4951792700 20 RGWWQ: empty
2015-09-22 16:58:08.103360 7f4951792700 20 CONTENT_LENGTH=41
2015-09-22 16:58:08.103363 7f4951792700 20 CONTEXT_DOCUMENT_ROOT=/var/www
2015-09-22 16:58:08.103364 7f4951792700 20 CONTEXT_PREFIX=
2015-09-22 16:58:08.103365 7f4951792700 20 DOCUMENT_ROOT=/var/www
2015-09-22 16:58:08.103366 7f4951792700 20 FCGI_ROLE=RESPONDER
2015-09-22 16:58:08.103367 7f4951792700 20 GATEWAY_INTERFACE=CGI/1.1
2015-09-22 16:58:08.103368 7f4951792700 20 HTTP_ACCEPT=*/*
2015-09-22 16:58:08.103369 7f4951792700 20 HTTP_ACCEPT_ENCODING=gzip, deflate
2015-09-22 16:58:08.103370 7f4951792700 20 HTTP_AUTHORIZATION=AWS BQ24BGYD21ZRN2B98V49:Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.103371 7f4951792700 20 HTTP_CONNECTION=keep-alive
2015-09-22 16:58:08.103372 7f4951792700 20 HTTP_DATE=Tue, 22 Sep 2015 08:58:07 GMT
2015-09-22 16:58:08.103373 7f4951792700 20 HTTP_HOST=mys3.com
2015-09-22 16:58:08.103374 7f4951792700 20 HTTP_USER_AGENT=python-requests/2.7.0 CPython/2.7.3 Linux/3.2.0-4-amd64
2015-09-22 16:58:08.103375 7f4951792700 20 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-22 16:58:08.103376 7f4951792700 20 proxy-nokeepalive=1
2015-09-22 16:58:08.103377 7f4951792700 20 QUERY_STRING=format=json
2015-09-22 16:58:08.103378 7f4951792700 20 REMOTE_ADDR=10.120.173.50
2015-09-22 16:58:08.103408 7f4951792700 20 REMOTE_PORT=63302
2015-09-22 16:58:08.103409 7f4951792700 20 REQUEST_METHOD=PUT
2015-09-22 16:58:08.103410 7f4951792700 20 REQUEST_SCHEME=http
2015-09-22 16:58:08.103411 7f4951792700 20 REQUEST_URI=/admin/user?format=json
2015-09-22 16:58:08.103412 7f4951792700 20 SCRIPT_FILENAME=proxy:fcgi://localhost:9000/admin/user
2015-09-22 16:58:08.103413 7f4951792700 20 SCRIPT_NAME=/admin/user
2015-09-22 16:58:08.103414 7f4951792700 20 SCRIPT_URI=http://mys3.com/admin/user
2015-09-22 16:58:08.103415 7f4951792700 20 SCRIPT_URL=/admin/user
2015-09-22 16:58:08.103416 7f4951792700 20 SERVER_ADDR=10.63.7.201
2015-09-22 16:58:08.103417 7f4951792700 20 SERVER_ADMIN=adminuser@mys3.com
2015-09-22 16:58:08.103418 7f4951792700 20 SERVER_NAME=mys3.com
2015-09-22 16:58:08.103419 7f4951792700 20 SERVER_PORT=80
2015-09-22 16:58:08.103420 7f4951792700 20 SERVER_PROTOCOL=HTTP/1.1
2015-09-22 16:58:08.103421 7f4951792700 20 SERVER_SIGNATURE=
2015-09-22 16:58:08.103422 7f4951792700 20 SERVER_SOFTWARE=Apache/2.4.10 (Debian)
2015-09-22 16:58:08.103424 7f4951792700 1 ====== starting new request req=0x7f49a0042290 =====
2015-09-22 16:58:08.103451 7f4951792700 2 req 1:0.000027::PUT /admin/user::initializing
2015-09-22 16:58:08.103459 7f4951792700 10 host=mys3.com
2015-09-22 16:58:08.103467 7f4951792700 20 subdomain= domain=mys3.com in_hosted_domain=1
2015-09-22 16:58:08.103567 7f4951792700 2 req 1:0.000142::PUT /admin/user::getting op
2015-09-22 16:58:08.103574 7f4951792700 2 req 1:0.000149::PUT /admin/user:create_user:authorizing
2015-09-22 16:58:08.103626 7f4951792700 20 get_obj_state: rctx=0x7f4951790aa0 obj=.nt-rg1.users:BQ24BGYD21ZRN2B98V49 state=0x7f49980368f0 s->prefetch_data=0
2015-09-22 16:58:08.103636 7f4951792700 10 cache get: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49 : miss
2015-09-22 16:58:08.103757 7f4951792700 1 -- 10.63.7.201:0/1015557 --> 10.63.7.201:6800/9498 -- osd_op(client.4452.0:171 BQ24BGYD21ZRN2B98V49 [getxattrs,stat] 14.aff5353c ack+read+known_if_redirected e114) v5 -- ?+0 0x7f4998037820 con 0x7f498c034410
2015-09-22 16:58:08.104997 7f49a42f3700 1 -- 10.63.7.201:0/1015557 <== osd.0 10.63.7.201:6800/9498 20 ==== osd_op_reply(171 BQ24BGYD21ZRN2B98V49 [getxattrs,stat] v0'0 uv3 ondisk = 0) v6 ==== 229+0+20 (3879135710 0 333160874) 0x7f499003eb10 con 0x7f498c034410
2015-09-22 16:58:08.105412 7f4951792700 10 cache put: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49
2015-09-22 16:58:08.105424 7f4951792700 10 adding .nt-rg1.users+BQ24BGYD21ZRN2B98V49 to cache LRU end
2015-09-22 16:58:08.105432 7f4951792700 20 get_obj_state: s->obj_tag was set empty
2015-09-22 16:58:08.105438 7f4951792700 10 cache get: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49 : type miss (requested=1, cached=6)
2015-09-22 16:58:08.105443 7f4951792700 20 get_obj_state: rctx=0x7f4951790aa0 obj=.nt-rg1.users:BQ24BGYD21ZRN2B98V49 state=0x7f49980368f0 s->prefetch_data=0
2015-09-22 16:58:08.105446 7f4951792700 20 rados->read ofs=0 len=524288
2015-09-22 16:58:08.105494 7f4951792700 1 -- 10.63.7.201:0/1015557 --> 10.63.7.201:6800/9498 -- osd_op(client.4452.0:172 BQ24BGYD21ZRN2B98V49 [read 0~524288] 14.aff5353c ack+read+known_if_redirected e114) v5 -- ?+0 0x7f4998038390 con 0x7f498c034410
2015-09-22 16:58:08.106085 7f49a42f3700 1 -- 10.63.7.201:0/1015557 <== osd.0 10.63.7.201:6800/9498 21 ==== osd_op_reply(172 BQ24BGYD21ZRN2B98V49 [read 0~10] v0'0 uv3 ondisk = 0) v6 ==== 187+0+10 (1336204755 0 3091687205) 0x7f499003eb10 con 0x7f498c034410
2015-09-22 16:58:08.106196 7f4951792700 20 rados->read r=0 bl.length=10
2015-09-22 16:58:08.106245 7f4951792700 10 cache put: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49
2015-09-22 16:58:08.106248 7f4951792700 10 moving .nt-rg1.users+BQ24BGYD21ZRN2B98V49 to cache LRU end
2015-09-22 16:58:08.106263 7f4951792700 20 get_obj_state: rctx=0x7f4951790820 obj=.nt-rg1.users.uid:adminuser state=0x7f4998038820 s->prefetch_data=0
2015-09-22 16:58:08.106269 7f4951792700 10 cache get: name=.nt-rg1.users.uid+adminuser : miss
2015-09-22 16:58:08.106329 7f4951792700 1 -- 10.63.7.201:0/1015557 --> 10.63.7.202:6800/3802 -- osd_op(client.4452.0:173 adminuser [call version.read,getxattrs,stat] 17.a5c13b2 ack+read+known_if_redirected e114) v5 -- ?+0 0x7f499803a650 con 0x4423570
2015-09-22 16:58:08.108316 7f49ac395700 1 -- 10.63.7.201:0/1015557 <== osd.1 10.63.7.202:6800/3802 60 ==== osd_op_reply(173 adminuser [call,getxattrs,stat] v0'0 uv33 ondisk = 0) v6 ==== 257+0+139 (2435325276 0 1677365063) 0x7f498c03f7b0 con 0x4423570
2015-09-22 16:58:08.108387 7f4951792700 10 cache put: name=.nt-rg1.users.uid+adminuser
2015-09-22 16:58:08.108394 7f4951792700 10 adding .nt-rg1.users.uid+adminuser to cache LRU end
2015-09-22 16:58:08.108399 7f4951792700 20 get_obj_state: s->obj_tag was set empty
2015-09-22 16:58:08.108403 7f4951792700 10 cache get: name=.nt-rg1.users.uid+adminuser : type miss (requested=17, cached=22)
2015-09-22 16:58:08.108407 7f4951792700 20 get_obj_state: rctx=0x7f4951790820 obj=.nt-rg1.users.uid:adminuser state=0x7f4998038820 s->prefetch_data=0
2015-09-22 16:58:08.108491 7f4951792700 20 rados->read ofs=0 len=524288
2015-09-22 16:58:08.108515 7f4951792700 1 -- 10.63.7.201:0/1015557 --> 10.63.7.202:6800/3802 -- osd_op(client.4452.0:174 adminuser [call version.check_conds,call version.read,read 0~524288] 17.a5c13b2 ack+read+known_if_redirected e114) v5 -- ?+0 0x7f499803e250 con 0x4423570
2015-09-22 16:58:08.110136 7f49ac395700 1 -- 10.63.7.201:0/1015557 <== osd.1 10.63.7.202:6800/3802 61 ==== osd_op_reply(174 adminuser [call,call,read 0~352] v0'0 uv33 ondisk = 0) v6 ==== 257+0+400 (1925025250 0 3684141187) 0x7f498c03f7b0 con 0x4423570
2015-09-22 16:58:08.110202 7f4951792700 20 rados->read r=0 bl.length=352
2015-09-22 16:58:08.110213 7f4951792700 10 cache put: name=.nt-rg1.users.uid+adminuser
2015-09-22 16:58:08.110216 7f4951792700 10 moving .nt-rg1.users.uid+adminuser to cache LRU end
2015-09-22 16:58:08.110246 7f4951792700 10 chain_cache_entry: cache_locator=.nt-rg1.users.uid+adminuser
2015-09-22 16:58:08.110299 7f4951792700 10 get_canon_resource(): dest=/admin/user
2015-09-22 16:58:08.110302 7f4951792700 10 auth_hdr: PUT Tue, 22 Sep 2015 08:58:07 GMT /admin/user
2015-09-22 16:58:08.110391 7f4951792700 15 calculated digest=Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.110394 7f4951792700 15 auth_sign=Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.110395 7f4951792700 15 compare=0
2015-09-22 16:58:08.110399 7f4951792700 2 req 1:0.006975::PUT /admin/user:create_user:reading permissions
2015-09-22 16:58:08.110402 7f4951792700 2 req 1:0.006978::PUT /admin/user:create_user:init op
2015-09-22 16:58:08.110416 7f4951792700 2 req 1:0.006992::PUT /admin/user:create_user:verifying op mask
2015-09-22 16:58:08.110426 7f4951792700 20 required_mask= 0 user.op_mask=7
2015-09-22 16:58:08.110428 7f4951792700 2 req 1:0.007004::PUT /admin/user:create_user:verifying op permissions
2015-09-22 16:58:08.110433 7f4951792700 2 req 1:0.007008::PUT /admin/user:create_user:verifying op params
2015-09-22 16:58:08.110435 7f4951792700 2 req 1:0.007011::PUT /admin/user:create_user:executing
2015-09-22 16:58:08.110489 7f4951792700 2 req 1:0.007065::PUT /admin/user:create_user:http status=403
2015-09-22 16:58:08.110493 7f4951792700 1 ====== req done req=0x7f49a0042290 http_status=403 ======
2015-09-22 16:58:08.110503 7f4951792700 20 process_request() returned -13
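As an added example (not part of the original report and not Ceph code), this Python sketch reads the request-stage lines of a radosgw debug log like the one above and reports whether the logged signature values matched and after which stage the request was denied. The helper name `triage` and the regular expressions are assumptions derived from the line shapes visible in this log.

```python
import errno
import re

# Excerpt of the radosgw log lines quoted in this report (request "req 1").
LOG = """\
2015-09-22 16:58:08.103574 7f4951792700 2 req 1:0.000149::PUT /admin/user:create_user:authorizing
2015-09-22 16:58:08.110391 7f4951792700 15 calculated digest=Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.110394 7f4951792700 15 auth_sign=Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.110416 7f4951792700 2 req 1:0.006992::PUT /admin/user:create_user:verifying op mask
2015-09-22 16:58:08.110426 7f4951792700 20 required_mask= 0 user.op_mask=7
2015-09-22 16:58:08.110428 7f4951792700 2 req 1:0.007004::PUT /admin/user:create_user:verifying op permissions
2015-09-22 16:58:08.110435 7f4951792700 2 req 1:0.007011::PUT /admin/user:create_user:executing
2015-09-22 16:58:08.110489 7f4951792700 2 req 1:0.007065::PUT /admin/user:create_user:http status=403
2015-09-22 16:58:08.110503 7f4951792700 20 process_request() returned -13
"""

# "req <id>:<elapsed>:<dialect>:<METHOD> <uri>:<op>:<stage>" as seen in the log.
STAGE = re.compile(r" req (\d+):[\d.]+:[^:]*:(\w+) ([^:\s]+):(\w*):(.+)$")
SIG = re.compile(r"(calculated digest|auth_sign)=(\S+)")
RET = re.compile(r"process_request\(\) returned (-?\d+)")

def triage(text):
    """Summarise where one RGW request was denied (hypothetical helper)."""
    out = {"stages": [], "op": None, "http_status": None, "errno": None}
    sig = {}
    for line in text.splitlines():
        if m := STAGE.search(line):
            _req, _method, _uri, op, stage = m.groups()
            out["op"] = op or out["op"]
            if stage.startswith("http status="):
                out["http_status"] = int(stage.split("=", 1)[1])
            else:
                out["stages"].append(stage)
        elif m := SIG.search(line):
            sig[m.group(1)] = m.group(2)
        elif m := RET.search(line):
            # RGW logs a negative errno; map it back to its symbolic name.
            out["errno"] = errno.errorcode.get(-int(m.group(1)))
    # Signature check passed only if both values were logged and are equal.
    out["signature_ok"] = len(sig) == 2 and sig["calculated digest"] == sig["auth_sign"]
    denied = (out["http_status"] or 0) >= 400 and out["stages"]
    out["denied_at"] = out["stages"][-1] if denied else None
    return out

if __name__ == "__main__":
    print(triage(LOG))
```

On this log it reports a matching signature and a denial after the `executing` stage with `EACCES`, which separates the 403 from a request-signing or clock-skew problem.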