Bug #22896
openrgw: (jewel) swift acls silently drop invalid acl elements.
Description
So, when specifying invalid elements in swift acls for jewel, ceph silently eats that acl element. This is not good human design; it forces people to play guessing games to see if ceph will take an acl. It's also not what openstack swift does. Here's what it does,
degu$ swift post ba6 -w .r:foo.com
Container POST failed: https://alef.eng.arb.redhat.com:8443/v1/AUTH_ebb6e54a617a466ba0958bdbf73b2607/ba6 400 Bad Request Referrers not allowed in write ACL: '.r:foo.com'
Failed Transaction ID: tx1379e7fd97694ab898b2e-005a60533a
degu$ swift post ba7 -r .r:
Container POST failed: https://alef.eng.arb.redhat.com:8443/v1/AUTH_ebb6e54a617a466ba0958bdbf73b2607/ba7 400 Bad Request [first 60 chars of response] No host/domain value after referrer designation in ACL: '.r:
Failed Transaction ID: txb71378a456434e28b4fa6-005a605340
degu$ swift post ba8 -r .r:
Container POST failed: https://alef.eng.arb.redhat.com:8443/v1/AUTH_ebb6e54a617a466ba0958bdbf73b2607/ba8 400 Bad Request [first 60 chars of response] No host/domain value after referrer designation in ACL: '.r:
Failed Transaction ID: txa7ab34868f5f44b3bdd30-005a605344
degu$ swift post ba9 -r '.evil:person'
Container POST failed: https://alef.eng.arb.redhat.com:8443/v1/AUTH_ebb6e54a617a466ba0958bdbf73b2607/ba9 400 Bad Request Unknown designator '.evil' in ACL: '.evil:person'
Failed Transaction ID: txfb13b0082f904337819f8-005a605348
degu$
Swift here responds with an error message, and the error message includes useful information on just what wasn't acceptable and why. That is good human design.
Also, note error 400 - that matters. Turns out returning 500 causes swift to retry it, not so useful.
For jewel, I think it's too much to revise the error path to get the useful error details into the output. But I think coming back with a 400 error is very reasonable. I have an experimental patch that enables just this behavior, currently part of PR #20257.
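The difference between dropping an invalid ACL element and rejecting it with a 400, as an added Python sketch. It is not OpenStack Swift's or Ceph RGW's code and not the patch mentioned above: the function names and the reduced grammar are assumptions, and the error strings follow the ones in the transcript.

```python
# Added illustration only. All names here are hypothetical.
class ACLError(ValueError):
    """Invalid ACL element; an HTTP front end should answer 400, not 500."""
    http_status = 400

REFERRER = {".r", ".ref", ".referer", ".referrer"}

def _check(elem, write):
    """Return the normalized element, or raise ACLError saying why not."""
    if not elem.startswith(".") or elem == ".rlistings":
        return elem                      # account, account:user, or listings flag
    designator, _, host = elem.partition(":")
    if designator not in REFERRER:
        raise ACLError("Unknown designator %r in ACL: %r" % (designator, elem))
    if write:
        raise ACLError("Referrers not allowed in write ACL: %r" % elem)
    if not host.lstrip("-"):             # ".r:" or ".r:-" names no host at all
        raise ACLError("No host/domain value after referrer designation "
                       "in ACL: %r" % elem)
    return ".r:" + host

def parse_strict(value, write=False):
    """Reject the whole header if any single element is invalid."""
    return [_check(e.strip(), write) for e in value.split(",") if e.strip()]

def parse_lenient(value, write=False):
    """Model of the reported behaviour: bad elements vanish without a trace."""
    kept = []
    for e in value.split(","):
        try:
            if e.strip():
                kept.append(_check(e.strip(), write))
        except ACLError:
            pass                         # silently dropped; caller never learns
    return kept

def handle_post(value, write=False):
    """Return (status, body) the way a strict front end would answer a POST."""
    try:
        parse_strict(value, write)
        return 204, ""
    except ACLError as err:
        return err.http_status, str(err)

if __name__ == "__main__":
    # Constructed inputs mirroring the transcript above.
    for acl, write in [(".r:foo.com", True), (".r:", False), (".evil:person", False)]:
        print(handle_post(acl, write), "| lenient keeps:", parse_lenient(acl, write))
```

With the lenient parser a header such as `acct:user,.evil:person` is stored as `acct:user` alone and the request still succeeds, so the stored ACL differs from what the client asked for without any signal.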