
Bug #13197

rgw: creating user by admin api returns 403 access denied

Added by knight zhou over 8 years ago. Updated over 8 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
% Done:

0%

Source:
other
Tags:
Backport:
Regression:
No
Severity:
3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Having added caps of "users=*" to an admin user, I can neither create nor delete a user by admin op api.

user info:

{
    "user_id": "adminuser",
    "display_name": "adminuser",
    "email": "",
    "suspended": 0,
    "max_buckets": 1000,
    "auid": 0,
    "subusers": [],
    "keys": [
        {
            "user": "knight",
            "access_key": "BQ24BGYD21ZRN2B98V49",
            "secret_key": "JjZx3AS+JZW1pTHd40xE82pdt+E0nbKbGCG31DgK" 
        }
    ],
    "swift_keys": [],
    "caps": [
        {
            "type": "buckets",
            "perm": "*" 
        },
        {
            "type": "metadata",
            "perm": "*" 
        },
        {
            "type": "usage",
            "perm": "*" 
        },
        {
            "type": "users",
            "perm": "write" 
        },
        {
            "type": "zone",
            "perm": "*" 
        }
    ],
    "op_mask": "read, write, delete",
    "default_placement": "",
    "placement_tags": [],
    "bucket_quota": {
        "enabled": false,
        "max_size_kb": -1,
        "max_objects": -1
    },
    "user_quota": {
        "enabled": false,
        "max_size_kb": 98,
        "max_objects": -1
    },
    "temp_url_keys": []
}

radosgw debug log:

2015-09-22 16:58:08.103136 7f4952f95700 20 enqueued request req=0x7f49a0042290
2015-09-22 16:58:08.103161 7f4952f95700 20 RGWWQ:
2015-09-22 16:58:08.103163 7f4952f95700 20 req: 0x7f49a0042290
2015-09-22 16:58:08.103171 7f4952f95700 10 allocated request req=0x7f49a0042a80
2015-09-22 16:58:08.103279 7f4951792700 20 dequeued request req=0x7f49a0042290
2015-09-22 16:58:08.103285 7f4951792700 20 RGWWQ: empty
2015-09-22 16:58:08.103360 7f4951792700 20 CONTENT_LENGTH=41
2015-09-22 16:58:08.103363 7f4951792700 20 CONTEXT_DOCUMENT_ROOT=/var/www
2015-09-22 16:58:08.103364 7f4951792700 20 CONTEXT_PREFIX=
2015-09-22 16:58:08.103365 7f4951792700 20 DOCUMENT_ROOT=/var/www
2015-09-22 16:58:08.103366 7f4951792700 20 FCGI_ROLE=RESPONDER
2015-09-22 16:58:08.103367 7f4951792700 20 GATEWAY_INTERFACE=CGI/1.1
2015-09-22 16:58:08.103368 7f4951792700 20 HTTP_ACCEPT=*/*
2015-09-22 16:58:08.103369 7f4951792700 20 HTTP_ACCEPT_ENCODING=gzip, deflate
2015-09-22 16:58:08.103370 7f4951792700 20 HTTP_AUTHORIZATION=AWS BQ24BGYD21ZRN2B98V49:Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.103371 7f4951792700 20 HTTP_CONNECTION=keep-alive
2015-09-22 16:58:08.103372 7f4951792700 20 HTTP_DATE=Tue, 22 Sep 2015 08:58:07 GMT
2015-09-22 16:58:08.103373 7f4951792700 20 HTTP_HOST=mys3.com
2015-09-22 16:58:08.103374 7f4951792700 20 HTTP_USER_AGENT=python-requests/2.7.0 CPython/2.7.3 Linux/3.2.0-4-amd64
2015-09-22 16:58:08.103375 7f4951792700 20 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
2015-09-22 16:58:08.103376 7f4951792700 20 proxy-nokeepalive=1
2015-09-22 16:58:08.103377 7f4951792700 20 QUERY_STRING=format=json
2015-09-22 16:58:08.103378 7f4951792700 20 REMOTE_ADDR=10.120.173.50
2015-09-22 16:58:08.103408 7f4951792700 20 REMOTE_PORT=63302
2015-09-22 16:58:08.103409 7f4951792700 20 REQUEST_METHOD=PUT
2015-09-22 16:58:08.103410 7f4951792700 20 REQUEST_SCHEME=http
2015-09-22 16:58:08.103411 7f4951792700 20 REQUEST_URI=/admin/user?format=json
2015-09-22 16:58:08.103412 7f4951792700 20 SCRIPT_FILENAME=proxy:fcgi://localhost:9000/admin/user
2015-09-22 16:58:08.103413 7f4951792700 20 SCRIPT_NAME=/admin/user
2015-09-22 16:58:08.103414 7f4951792700 20 SCRIPT_URI=http://mys3.com/admin/user
2015-09-22 16:58:08.103415 7f4951792700 20 SCRIPT_URL=/admin/user
2015-09-22 16:58:08.103416 7f4951792700 20 SERVER_ADDR=10.63.7.201
2015-09-22 16:58:08.103417 7f4951792700 20 SERVER_ADMIN=adminuser@mys3.com
2015-09-22 16:58:08.103418 7f4951792700 20 SERVER_NAME=mys3.com
2015-09-22 16:58:08.103419 7f4951792700 20 SERVER_PORT=80
2015-09-22 16:58:08.103420 7f4951792700 20 SERVER_PROTOCOL=HTTP/1.1
2015-09-22 16:58:08.103421 7f4951792700 20 SERVER_SIGNATURE=
2015-09-22 16:58:08.103422 7f4951792700 20 SERVER_SOFTWARE=Apache/2.4.10 (Debian)
2015-09-22 16:58:08.103424 7f4951792700  1 ====== starting new request req=0x7f49a0042290 =====
2015-09-22 16:58:08.103451 7f4951792700  2 req 1:0.000027::PUT /admin/user::initializing
2015-09-22 16:58:08.103459 7f4951792700 10 host=mys3.com
2015-09-22 16:58:08.103467 7f4951792700 20 subdomain= domain=mys3.com in_hosted_domain=1
2015-09-22 16:58:08.103567 7f4951792700  2 req 1:0.000142::PUT /admin/user::getting op
2015-09-22 16:58:08.103574 7f4951792700  2 req 1:0.000149::PUT /admin/user:create_user:authorizing
2015-09-22 16:58:08.103626 7f4951792700 20 get_obj_state: rctx=0x7f4951790aa0 obj=.nt-rg1.users:BQ24BGYD21ZRN2B98V49 state=0x7f49980368f0 s->prefetch_data=0
2015-09-22 16:58:08.103636 7f4951792700 10 cache get: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49 : miss
2015-09-22 16:58:08.103757 7f4951792700  1 -- 10.63.7.201:0/1015557 --> 10.63.7.201:6800/9498 -- osd_op(client.4452.0:171 BQ24BGYD21ZRN2B98V49 [getxattrs,stat] 14.aff5353c ack+read+known_if_redirected e114) v5 -- ?+0 0x7f4998037820 con 0x7f498c034410
2015-09-22 16:58:08.104997 7f49a42f3700  1 -- 10.63.7.201:0/1015557 <== osd.0 10.63.7.201:6800/9498 20 ==== osd_op_reply(171 BQ24BGYD21ZRN2B98V49 [getxattrs,stat] v0'0 uv3 ondisk = 0) v6 ==== 229+0+20 (3879135710 0 333160874) 0x7f499003eb10 con 0x7f498c034410
2015-09-22 16:58:08.105412 7f4951792700 10 cache put: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49
2015-09-22 16:58:08.105424 7f4951792700 10 adding .nt-rg1.users+BQ24BGYD21ZRN2B98V49 to cache LRU end
2015-09-22 16:58:08.105432 7f4951792700 20 get_obj_state: s->obj_tag was set empty
2015-09-22 16:58:08.105438 7f4951792700 10 cache get: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49 : type miss (requested=1, cached=6)
2015-09-22 16:58:08.105443 7f4951792700 20 get_obj_state: rctx=0x7f4951790aa0 obj=.nt-rg1.users:BQ24BGYD21ZRN2B98V49 state=0x7f49980368f0 s->prefetch_data=0
2015-09-22 16:58:08.105446 7f4951792700 20 rados->read ofs=0 len=524288
2015-09-22 16:58:08.105494 7f4951792700  1 -- 10.63.7.201:0/1015557 --> 10.63.7.201:6800/9498 -- osd_op(client.4452.0:172 BQ24BGYD21ZRN2B98V49 [read 0~524288] 14.aff5353c ack+read+known_if_redirected e114) v5 -- ?+0 0x7f4998038390 con 0x7f498c034410
2015-09-22 16:58:08.106085 7f49a42f3700  1 -- 10.63.7.201:0/1015557 <== osd.0 10.63.7.201:6800/9498 21 ==== osd_op_reply(172 BQ24BGYD21ZRN2B98V49 [read 0~10] v0'0 uv3 ondisk = 0) v6 ==== 187+0+10 (1336204755 0 3091687205) 0x7f499003eb10 con 0x7f498c034410
2015-09-22 16:58:08.106196 7f4951792700 20 rados->read r=0 bl.length=10
2015-09-22 16:58:08.106245 7f4951792700 10 cache put: name=.nt-rg1.users+BQ24BGYD21ZRN2B98V49
2015-09-22 16:58:08.106248 7f4951792700 10 moving .nt-rg1.users+BQ24BGYD21ZRN2B98V49 to cache LRU end
2015-09-22 16:58:08.106263 7f4951792700 20 get_obj_state: rctx=0x7f4951790820 obj=.nt-rg1.users.uid:adminuser state=0x7f4998038820 s->prefetch_data=0
2015-09-22 16:58:08.106269 7f4951792700 10 cache get: name=.nt-rg1.users.uid+adminuser : miss
2015-09-22 16:58:08.106329 7f4951792700  1 -- 10.63.7.201:0/1015557 --> 10.63.7.202:6800/3802 -- osd_op(client.4452.0:173 adminuser [call version.read,getxattrs,stat] 17.a5c13b2 ack+read+known_if_redirected e114) v5 -- ?+0 0x7f499803a650 con 0x4423570
2015-09-22 16:58:08.108316 7f49ac395700  1 -- 10.63.7.201:0/1015557 <== osd.1 10.63.7.202:6800/3802 60 ==== osd_op_reply(173 adminuser [call,getxattrs,stat] v0'0 uv33 ondisk = 0) v6 ==== 257+0+139 (2435325276 0 1677365063) 0x7f498c03f7b0 con 0x4423570
2015-09-22 16:58:08.108387 7f4951792700 10 cache put: name=.nt-rg1.users.uid+adminuser
2015-09-22 16:58:08.108394 7f4951792700 10 adding .nt-rg1.users.uid+adminuser to cache LRU end
2015-09-22 16:58:08.108399 7f4951792700 20 get_obj_state: s->obj_tag was set empty
2015-09-22 16:58:08.108403 7f4951792700 10 cache get: name=.nt-rg1.users.uid+adminuser : type miss (requested=17, cached=22)
2015-09-22 16:58:08.108407 7f4951792700 20 get_obj_state: rctx=0x7f4951790820 obj=.nt-rg1.users.uid:adminuser state=0x7f4998038820 s->prefetch_data=0
2015-09-22 16:58:08.108491 7f4951792700 20 rados->read ofs=0 len=524288
2015-09-22 16:58:08.108515 7f4951792700  1 -- 10.63.7.201:0/1015557 --> 10.63.7.202:6800/3802 -- osd_op(client.4452.0:174 adminuser [call version.check_conds,call version.read,read 0~524288] 17.a5c13b2 ack+read+known_if_redirected e114) v5 -- ?+0 0x7f499803e250 con 0x4423570
2015-09-22 16:58:08.110136 7f49ac395700  1 -- 10.63.7.201:0/1015557 <== osd.1 10.63.7.202:6800/3802 61 ==== osd_op_reply(174 adminuser [call,call,read 0~352] v0'0 uv33 ondisk = 0) v6 ==== 257+0+400 (1925025250 0 3684141187) 0x7f498c03f7b0 con 0x4423570
2015-09-22 16:58:08.110202 7f4951792700 20 rados->read r=0 bl.length=352
2015-09-22 16:58:08.110213 7f4951792700 10 cache put: name=.nt-rg1.users.uid+adminuser
2015-09-22 16:58:08.110216 7f4951792700 10 moving .nt-rg1.users.uid+adminuser to cache LRU end
2015-09-22 16:58:08.110246 7f4951792700 10 chain_cache_entry: cache_locator=.nt-rg1.users.uid+adminuser
2015-09-22 16:58:08.110299 7f4951792700 10 get_canon_resource(): dest=/admin/user
2015-09-22 16:58:08.110302 7f4951792700 10 auth_hdr:
PUT

Tue, 22 Sep 2015 08:58:07 GMT
/admin/user
2015-09-22 16:58:08.110391 7f4951792700 15 calculated digest=Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.110394 7f4951792700 15 auth_sign=Rus5KuyRmr8rABdnnJinhZOPivA=
2015-09-22 16:58:08.110395 7f4951792700 15 compare=0
2015-09-22 16:58:08.110399 7f4951792700  2 req 1:0.006975::PUT /admin/user:create_user:reading permissions
2015-09-22 16:58:08.110402 7f4951792700  2 req 1:0.006978::PUT /admin/user:create_user:init op
2015-09-22 16:58:08.110416 7f4951792700  2 req 1:0.006992::PUT /admin/user:create_user:verifying op mask
2015-09-22 16:58:08.110426 7f4951792700 20 required_mask= 0 user.op_mask=7
2015-09-22 16:58:08.110428 7f4951792700  2 req 1:0.007004::PUT /admin/user:create_user:verifying op permissions
2015-09-22 16:58:08.110433 7f4951792700  2 req 1:0.007008::PUT /admin/user:create_user:verifying op params
2015-09-22 16:58:08.110435 7f4951792700  2 req 1:0.007011::PUT /admin/user:create_user:executing
2015-09-22 16:58:08.110489 7f4951792700  2 req 1:0.007065::PUT /admin/user:create_user:http status=403
2015-09-22 16:58:08.110493 7f4951792700  1 ====== req done req=0x7f49a0042290 http_status=403 ======
2015-09-22 16:58:08.110503 7f4951792700 20 process_request() returned -13

History

#1 Updated by Yehuda Sadeh over 8 years ago

The request is missing params, e.g., uid=, display-name=, etc.
It looks like the caps actually are configured correctly.

#2 Updated by knight zhou over 8 years ago

Got it.
I passed uid and display-name in data instead of params.
I added the missing params to the URL, like this: http://{domain}/admin/user?format=json&uid=tuser&display-name=tuser.
It's ok now.
Thanks a lot for your help.
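A worked version of what comment #2 ends up doing, added here and not taken from the reporter or the Ceph project: it builds the admin ops PUT /admin/user request with the S3 V2 string-to-sign shown under "auth_hdr:" in the log, puts uid and display-name in the query string rather than the request body, and pre-checks that both required params are present so the caller gets a clear error instead of an opaque 403. The access key, host and Date are the ones in the log; the secret key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate
from urllib.parse import parse_qs, urlencode, urlparse

ADMIN_RESOURCE = "/admin/user"
REQUIRED_PARAMS = ("uid", "display-name")   # what PUT /admin/user needs in the query

def string_to_sign(method, resource, date_hdr, content_md5="", content_type=""):
    # AWS S3 v2 canonical string, the layout the log prints under "auth_hdr:".
    # Only the path is signed: query params such as uid= and display-name= are
    # not part of it, so adding them to the URL leaves the digest unchanged.
    return "\n".join([method, content_md5, content_type, date_hdr, resource])

def sign_v2(secret_key, sts):
    # HMAC-SHA1 over the string to sign, base64 encoded (always 28 characters).
    mac = hmac.new(secret_key.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def missing_query_params(url, required=REQUIRED_PARAMS):
    # Client-side preflight: RGW reads uid/display-name from the URL, not the
    # body, and the log above shows the request ending in -13 / HTTP 403 without
    # them. Return the names that are absent so the caller fails early.
    present = parse_qs(urlparse(url).query)
    return [p for p in required if p not in present]

def build_create_user_request(endpoint, access_key, secret_key, uid,
                              display_name, date_hdr=None):
    # Assemble the signed PUT /admin/user request the way comment #2 fixed it.
    if date_hdr is None:
        date_hdr = formatdate(usegmt=True)      # RFC 1123 date in GMT
    params = {"format": "json", "uid": uid, "display-name": display_name}
    url = f"{endpoint}{ADMIN_RESOURCE}?{urlencode(params)}"
    sts = string_to_sign("PUT", ADMIN_RESOURCE, date_hdr)
    return {
        "method": "PUT",
        "url": url,
        "headers": {"Date": date_hdr,
                    "Authorization": f"AWS {access_key}:{sign_v2(secret_key, sts)}"},
        "body": b"",                            # nothing belongs in the body
        "string_to_sign": sts,
        "missing": missing_query_params(url),  # [] when the request is complete
    }
```

With the real secret key in place of the placeholder, the Authorization value for the log's Date and path is what the gateway compares against its own "calculated digest" line.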

#3 Updated by Yehuda Sadeh over 8 years ago

  • Status changed from New to Rejected
