Bug #11076

Bucket owner isn't changed after unlink/link

Added by Italo Santos over 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source: Community (user)
Backport: infernalis, hammer
Severity: 3 - minor

Description

I’m building an object storage environment and I’m in trouble with some administration ops. To manage the entire environment I decided to create an admin user and use that to manage the client users which I’ll create further.

Using the admin (called “italux”) I created a new user (called “cliente”) and after that I created a new bucket with the admin user (called cliente-bucket). After that, still using the admin, I changed the permissions of the “cliente-bucket” (which is owned by admin), granting FULL_CONTROL to the “cliente” user.

So, using the admin API, I unlink the “cliente-bucket” from the admin user and link it to the “cliente” user, changing the ownership of the bucket:

In [86]: url = 'http://radosgw.example.com/admin/bucket?format=json&bucket=cliente-bucket'
In [87]: r = requests.get(url, auth=S3Auth(access_key, secret_key, server))
In [88]: r.content
Out[88]: '{"bucket":"cliente-bucket","pool":".rgw.buckets","index_pool":".rgw.buckets.index","id":"default.4361528.1","marker":"default.4361528.1","owner":"cliente","ver":1,"master_ver":0,"mtime":1425670280,"max_marker":"","usage":{},"bucket_quota":{"enabled":false,"max_size_kb":-1,"max_objects":-1}}'

After that, when I try to change the permissions/ACLs of the bucket using the “cliente” user, I’m getting AccessDenied. Looking at the raw debug logs, it seems that the owner of the bucket wasn’t changed. Does anyone know why?

RadosGW debug logs:

2015-03-06 16:32:55.943167 7fd32bf57700 1 ====== starting new request req=0x3cf78a0 =====
2015-03-06 16:32:55.943183 7fd32bf57700 2 req 2:0.000016::PUT /::initializing
2015-03-06 16:32:55.943189 7fd32bf57700 10 host=cliente-bucket.radosgw.example.com rgw_dns_name=object-storage.locaweb.com.br
2015-03-06 16:32:55.943220 7fd32bf57700 10 s->object=<NULL> s->bucket=cliente-bucket
2015-03-06 16:32:55.943225 7fd32bf57700 2 req 2:0.000057:s3:PUT /::getting op
2015-03-06 16:32:55.943230 7fd32bf57700 2 req 2:0.000062:s3:PUT /:put_acls:authorizing
2015-03-06 16:32:55.943269 7fd32bf57700 10 get_canon_resource(): dest=/cliente-bucket/?acl
2015-03-06 16:32:55.943272 7fd32bf57700 10 auth_hdr:
PUT

Fri, 06 Mar 2015 19:32:55 GMT
/cliente-bucket/?acl
2015-03-06 16:32:55.943370 7fd32bf57700 15 calculated digest=xtSrQR+GsHyqjqGLdiPmjoP62x4=
2015-03-06 16:32:55.943375 7fd32bf57700 15 auth_sign=xtSrQR+GsHyqjqGLdiPmjoP62x4=
2015-03-06 16:32:55.943377 7fd32bf57700 15 compare=0
2015-03-06 16:32:55.943384 7fd32bf57700 2 req 2:0.000216:s3:PUT /:put_acls:reading permissions
2015-03-06 16:32:55.943425 7fd32bf57700 15 Read AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
2015-03-06 16:32:55.943441 7fd32bf57700 2 req 2:0.000273:s3:PUT /:put_acls:init op
2015-03-06 16:32:55.943447 7fd32bf57700 2 req 2:0.000280:s3:PUT /:put_acls:verifying op mask
2015-03-06 16:32:55.943451 7fd32bf57700 20 required_mask= 2 user.op_mask=7
2015-03-06 16:32:55.943453 7fd32bf57700 2 req 2:0.000286:s3:PUT /:put_acls:verifying op permissions
2015-03-06 16:32:55.943457 7fd32bf57700 5 Searching permissions for uid=cliente mask=56
2015-03-06 16:32:55.943461 7fd32bf57700 5 Found permission: 15
2015-03-06 16:32:55.943462 7fd32bf57700 5 Searching permissions for group=1 mask=56
2015-03-06 16:32:55.943464 7fd32bf57700 5 Permissions for group not found
2015-03-06 16:32:55.943466 7fd32bf57700 5 Searching permissions for group=2 mask=56
2015-03-06 16:32:55.943468 7fd32bf57700 5 Permissions for group not found
2015-03-06 16:32:55.943469 7fd32bf57700 5 Getting permissions id=cliente owner=italux perm=8
2015-03-06 16:32:55.943471 7fd32bf57700 10 uid=cliente requested perm (type)=8, policy perm=8, user_perm_mask=8, acl perm=8
2015-03-06 16:32:55.943475 7fd32bf57700 2 req 2:0.000308:s3:PUT /:put_acls:verifying op params
2015-03-06 16:32:55.943480 7fd32bf57700 2 req 2:0.000313:s3:PUT /:put_acls:executing
2015-03-06 16:32:55.943547 7fd32bf57700 15 read len=831 data=<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>READ</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>WRITE</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>

2015-03-06 16:32:55.943750 7fd32bf57700 15 Old AccessControlPolicy<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner><AccessControlList><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>READ</Permission></Grant><Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser"><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Grantee><Permission>WRITE</Permission></Grant></AccessControlList></AccessControlPolicy>
2015-03-06 16:32:55.943977 7fd32bf57700 2 req 2:0.000809:s3:PUT /:put_acls:http status=403
2015-03-06 16:32:55.943986 7fd32bf57700 1 ====== req done req=0x3cf78a0 http_status=403 ======
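
An added example, not part of the original report or of the Ceph code base: a consistency check that compares the `owner` field returned by the admin API with the `<Owner>` of the ACL policy that RGW logs at debug level, which is the mismatch visible in this report. The function names are hypothetical, and the inputs are trimmed copies of the values quoted above.

```python
import json
import re
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Inputs trimmed from the admin API response and the debug log quoted in the report.
ADMIN_BUCKET_INFO = '{"bucket":"cliente-bucket","id":"default.4361528.1","owner":"cliente"}'
RGW_LOG_LINE = (
    '2015-03-06 16:32:55.943425 7fd32bf57700 15 Read AccessControlPolicy'
    '<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    '<Owner><ID>italux</ID><DisplayName>Italo Santos</DisplayName></Owner>'
    '<AccessControlList><Grant>'
    '<Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">'
    '<ID>cliente</ID><DisplayName>Cliente</DisplayName></Grantee>'
    '<Permission>FULL_CONTROL</Permission></Grant></AccessControlList>'
    '</AccessControlPolicy>'
)

def policy_from_log(line):
    """Extract the AccessControlPolicy XML embedded in an RGW debug log line."""
    m = re.search(r"<AccessControlPolicy\b.*</AccessControlPolicy>", line)
    return m.group(0) if m else None

def acl_owner_and_grants(policy_xml):
    """Return (owner_id, [(grantee_id, permission), ...]) from an S3 ACL policy."""
    root = ET.fromstring(policy_xml)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=NS)
    grants = [
        (g.findtext("s3:Grantee/s3:ID", namespaces=NS),
         g.findtext("s3:Permission", namespaces=NS))
        for g in root.iterfind("s3:AccessControlList/s3:Grant", NS)
    ]
    return owner, grants

def check_owner_consistency(bucket_info_json, policy_xml):
    """Compare the owner in bucket metadata with the owner stored in the ACL."""
    info = json.loads(bucket_info_json)
    acl_owner, grants = acl_owner_and_grants(policy_xml)
    return {
        "bucket": info["bucket"],
        "metadata_owner": info["owner"],
        "acl_owner": acl_owner,
        "consistent": info["owner"] == acl_owner,
        "grants": grants,
    }

if __name__ == "__main__":
    print(check_owner_consistency(ADMIN_BUCKET_INFO, policy_from_log(RGW_LOG_LINE)))
```

A `consistent` value of `False` after an unlink/link is the state shown in this report: the bucket metadata names the new owner while the ACL policy still names the old one.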


Related issues

Copied to rgw - Backport #15088: infernalis: Bucket owner isn't changed after unlink/link Rejected
Copied to rgw - Backport #15089: hammer: Bucket owner isn't changed after unlink/link Resolved

Associated revisions

Revision 4d59b1d3 (diff)
Added by Zengran Zhang over 6 years ago

rgw:bucket link now set the bucket.instance acl

Fixes: #11076

Signed-off-by: Zengran Zhang <>

Revision 3c03eee0 (diff)
Added by Zengran Zhang over 6 years ago

rgw:bucket link now set the bucket.instance acl

Fixes: #11076

Signed-off-by: Zengran Zhang <>
(cherry picked from commit 4d59b1d36f8924290c3ecb5b7608747191470188)

Conflicts:

src/rgw/rgw_bucket.cc
1. Do not use the rgw_user structure and remove the tenant parameter that describes as below
2. user_id is not used so just remove the line
3. instead of system_obj_set_attr you can use the method set_attr

Backport Change:
We do not use the rgw_user structure and remove the `tenant` parameter
because this feature is not introduced on hammer version.
The rgw multi-tenant feature is introduced on pr#6784 (https://github.com/ceph/ceph/pull/6784)
This feature is supported from v10.0.2 and later version.

History

#1 Updated by Yehuda Sadeh over 6 years ago

  • Status changed from New to Pending Backport
  • Backport set to infernalis, hammer

PR 8037

#2 Updated by Nathan Cutler over 6 years ago

  • Copied to Backport #15088: infernalis: Bucket owner isn't changed after unlink/link added

#3 Updated by Nathan Cutler over 6 years ago

  • Copied to Backport #15089: hammer: Bucket owner isn't changed after unlink/link added

#5 Updated by Loïc Dachary over 6 years ago

  • Status changed from Pending Backport to Resolved
