Bug #22897

rgw: (jewel) can't delete swift acls with swift command.

Added by Marcus Watts over 1 year ago. Updated about 1 year ago.

Status: Pending Backport
Priority: Normal
Assignee: -
Target version: -
Start date: 02/02/2018
Due date:
% Done: 0%
Source:
Tags:
Backport: luminous, jewel
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

The swift cli command can be used to set acls on buckets or objects: -r acl, -w acl. To delete an acl, it's supposed to be possible to do this by specifying an empty string. This causes swift to post to the endpoint with a header field of "x-container-read" (or write) with an empty string. This works with openstack swift, and there's no other method provided with the swift command to delete acls.

The api documentation is also not wonderfully clear on this. It does document use of "x-container-read" and "x-container-write" to set acls, and it describes use of "x-remove-container-read" and "x-remove-container-write" to remove acls. The latter two appear to be provided for the benefit of client implementations that don't have a way to send empty header strings, such as (apparently) old versions of curl.

The existing logic in radosgw can't tell the difference between an empty header field, and a missing header field. So attempting to remove a swift acl using the swift command silently fails. Of course, in jewel, one could delete a swift acl by supplying an acl string including only invalid elements, but that would be wrong, and it won't work in master.

I have a commit that fixes this for jewel as part of a longer sequence in PR #20257. I'll pull that out and make a version of that for master too.
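
The missing-versus-empty header distinction from the description, as an added illustration (not code from radosgw or from either PR). All type and function names are hypothetical, and two behaviours are assumptions: any x-remove-container-* header clears the ACL regardless of its value, and it takes precedence over x-container-*.

```cpp
#include <iostream>
#include <map>
#include <string>

// Hypothetical names throughout; illustration only, not radosgw code.
using Headers = std::map<std::string, std::string>;  // keys lower-cased
enum class AclAction { Keep, Clear, Set };
struct AclUpdate { AclAction action; std::string value; };  // value used for Set

// Null when the header was not sent; non-null (possibly "") when it was.
static const std::string* find_header(const Headers& h, const std::string& name) {
  auto it = h.find(name);
  return it == h.end() ? nullptr : &it->second;
}

// Tri-state decision for one container ACL ("read" or "write").
AclUpdate decide_acl_update(const Headers& h, const std::string& which) {
  // Assumption: the remove header clears the ACL whatever its value is.
  if (find_header(h, "x-remove-container-" + which))
    return {AclAction::Clear, ""};
  const std::string* v = find_header(h, "x-container-" + which);
  if (!v) return {AclAction::Keep, ""};           // not sent: ACL untouched
  if (v->empty()) return {AclAction::Clear, ""};  // sent empty: delete ACL
  return {AclAction::Set, *v};
}

// Conflated variant: "" stands for both "missing" and "empty", so the
// revocation request is dropped and the old grants stay in force.
AclUpdate decide_acl_update_conflated(const Headers& h, const std::string& which) {
  auto it = h.find("x-container-" + which);
  std::string v = (it == h.end()) ? "" : it->second;
  if (v.empty()) return {AclAction::Keep, ""};
  return {AclAction::Set, v};
}

int main() {
  // Constructed request: what the swift command sends for an empty -r.
  Headers req = {{"x-container-read", ""}};
  bool fixed = decide_acl_update(req, "read").action == AclAction::Clear;
  bool buggy = decide_acl_update_conflated(req, "read").action == AclAction::Clear;
  std::cout << "tri-state clears ACL: " << fixed
            << ", conflated clears ACL: " << buggy << "\n";
  return 0;
}
```

Because the conflated variant returns success without changing anything, a regression test for ACL removal should read the ACL back after the POST rather than rely on the response status.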


Related issues

Copied to rgw - Backport #24302: luminous: rgw: (jewel) can't delete swift acls with swift command. Resolved
Copied to rgw - Backport #24303: jewel: rgw: (jewel) can't delete swift acls with swift command. In Progress

History

#1 Updated by Nathan Cutler over 1 year ago

  • Backport set to luminous, jewel

#2 Updated by Nathan Cutler over 1 year ago

There is no master PR yet, but the jewel backport is already a WIP in https://github.com/ceph/ceph/pull/20257

#3 Updated by Marcus Watts over 1 year ago

I've made a PR for master with this change,
https://github.com/ceph/ceph/pull/20471
I believe this should apply trivially to luminous.

#4 Updated by Orit Wasserman about 1 year ago

  • Status changed from New to Pending Backport

#5 Updated by Nathan Cutler about 1 year ago

  • Copied to Backport #24302: luminous: rgw: (jewel) can't delete swift acls with swift command. added

#6 Updated by Nathan Cutler about 1 year ago

  • Copied to Backport #24303: jewel: rgw: (jewel) can't delete swift acls with swift command. added

#7 Updated by Nathan Cutler about 1 year ago

  • Backport changed from luminous, jewel to mimic, luminous, jewel

#9 Updated by Nathan Cutler about 1 year ago

  • Backport changed from mimic, luminous, jewel to luminous, jewel

Deleting mimic backport issue because, according to @PrashantD, the commits in question are already in mimic:

The relevant changes for tracker#22897 are already in mimic:

$ git blame -i src/rgw/rgw_acl_swift.cc|grep -A 3 "int parse_list" 
1fc69243bdf (Marcus Watts 2018-01-31 15:46:57 -0500 26) static int parse_list(const char* uid_list,
656b69da02b (Radoslaw Zarzynski 2016-05-19 19:05:12 +0200 27) std::vector<std::string>& uids) /* out */
2824c07f8d8 (Yehuda Sadeh 2012-02-23 13:56:22 -0800 28) {
1fc69243bdf (Marcus Watts 2018-01-31 15:46:57 -0500 29) char *s = strdup(uid_list);

$ git branch -a --contains 1fc69243bdf|grep "upstream/mimic" 
remotes/upstream/mimic
