Bug #12890

rgw: the swift key remains after removing a subuser

Added by Sandy Xu over 7 years ago. Updated over 6 years ago.

Status: Resolved
Priority: High
Assignee: -
Target version: -
% Done: 0%
Source: other
Tags:
Backport: hammer
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

After removing a subuser without explicitly purging its keys, the user info may look like this:
ceph@ceph1:~$ radosgw-admin subuser rm --subuser=test:swift

  "user_id": "test",
  "display_name": "Test",
  "email": "",
  "suspended": 0,
  "max_buckets": 1000,
  "auid": 0,
  "subusers": [],
  "keys": [ {
      "user": "test:swift",
      "access_key": "VYQL38E0OSKFVGNJ499B",
      "secret_key": ""
    }, {
      "user": "test",
      "access_key": "W1DLB74QTBVKOE4SL6VF",
      "secret_key": "7yeir2mkzNfCbQE1mrAHZqeNdcxenyNhrC1W2f3w"
    }
  ],
  "swift_keys": [ {
      "user": "test:swift",
      "secret_key": "rtYyABeKIeMRDCbKB64DiF0tBzXgbom4ijaXDUjd"
    }
  ],

The subuser is deleted in the "subusers" section, but its swift key remains. This raises at least two problems:
  • The removed subuser can still pass authentication and list containers. When it tries to go deeper to see objects, the system returns an error code: 401 Unauthorized, rather than code: 403 Forbidden. The behavior is the same as a valid subuser with permission: <none>. (I'm not sure if a subuser without any permission should be able to get the container list, it might be another issue.)
  • If we create a subuser with the same name as the deleted one, the original swift key can still work. This may cause potential security problems.

Would it be more reasonable to set the '--purge-keys' as the default option? Or are there any particular design concerns not to do this?
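
The following audit check is an added example, not part of the original report or of Ceph's code: it scans user info JSON of the shape shown above and reports every entry in "keys" or "swift_keys" whose owner is a subuser no longer listed in "subusers". The function name, the sample record and the `{"id": ...}` layout of a "subusers" entry are assumptions; the key values are constructed placeholders.

```python
import json

# Constructed sample shaped like the `radosgw-admin` user info in the report
# above; key values are placeholders, not real credentials.
SAMPLE = json.loads("""
{
  "user_id": "test",
  "subusers": [],
  "keys": [
    {"user": "test:swift", "access_key": "EXAMPLEACCESSKEY1", "secret_key": ""},
    {"user": "test", "access_key": "EXAMPLEACCESSKEY2", "secret_key": "example-secret"}
  ],
  "swift_keys": [
    {"user": "test:swift", "secret_key": "example-swift-secret"}
  ]
}
""")


def orphaned_keys(user_info):
    """Return (section, owner) for every key whose owning subuser is gone."""
    uid = user_info["user_id"]
    live = set()
    for sub in user_info.get("subusers", []):
        sid = sub["id"]
        # Assumption: ids are listed as "uid:name"; also accept a bare "name".
        live.add(sid if ":" in sid else f"{uid}:{sid}")
    findings = []
    for section in ("keys", "swift_keys"):
        for entry in user_info.get(section, []):
            owner = entry.get("user", "")
            # The parent user's own keys are expected; anything else must
            # belong to a subuser that still exists.
            if owner != uid and owner not in live:
                findings.append((section, owner))
    return findings


if __name__ == "__main__":
    for section, owner in orphaned_keys(SAMPLE):
        print(f"orphaned credential in {section!r}: "
              f"owner {owner!r} is not a current subuser")
```

Once a subuser with the same name is re-created, a surviving key no longer appears orphaned, so this check is only meaningful between the removal and any re-creation.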


Related issues

Copied to rgw - Backport #14328: hammer: rgw: the swift key remains after removing a subuser Resolved

Associated revisions

Revision e7b7e1af (diff)
Added by Sandy Xu almost 7 years ago

rgw: add a method to purge all associate keys when removing a subuser

Fixes: #12890

When removing a subuser, make sure all of its keys, including the swift key and possible s3 keys, are also deleted.

Signed-off-by: Sangdi Xu <>

Revision f9637743 (diff)
Added by Sandy Xu over 6 years ago

rgw: add a method to purge all associate keys when removing a subuser

Fixes: #12890

When removing a subuser, make sure all of its keys, including the swift key and possible s3 keys, are also deleted.

Signed-off-by: Sangdi Xu <>
(cherry picked from commit e7b7e1afc7a81c3f97976f7442fbdc5118b532b5)

History

#1 Updated by Loïc Dachary about 7 years ago

  • Project changed from Ceph to rgw

#2 Updated by Yehuda Sadeh about 7 years ago

  • Priority changed from Normal to High

#3 Updated by Matt Benjamin about 7 years ago

  • Status changed from New to Fix Under Review

#4 Updated by Yehuda Sadeh almost 7 years ago

  • Status changed from Fix Under Review to Pending Backport
  • Backport set to infernalis, hammer

#5 Updated by Loïc Dachary almost 7 years ago

  • Copied to Backport #14327: infernalis: rgw: the swift key remains after removing a subuser added

#6 Updated by Loïc Dachary almost 7 years ago

  • Copied to Backport #14328: hammer: rgw: the swift key remains after removing a subuser added

#7 Updated by Loïc Dachary over 6 years ago

  • Backport changed from infernalis, hammer to hammer

infernalis is EOL

#8 Updated by Loïc Dachary over 6 years ago

  • Copied to deleted (Backport #14327: infernalis: rgw: the swift key remains after removing a subuser)

#9 Updated by Nathan Cutler over 6 years ago

  • Status changed from Pending Backport to Resolved
