Bug #19264

closed

rgw: bucket name that include slash causes public access failed

Added by Albert Tu about 7 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

When a bucket is created from Horizon, the bucket name will include the OpenStack project ID:

$ radosgw-admin bucket list
[
    "025e52a44acb4a058b1c36bd90b8167d\/test" 
]

It is then split into two parts because next_tok() splits the URL on "/":

133015 2017-03-09 15:32:27.039645 7f345c092700 10 ver=v1 first=025e52a44acb4a058b1c36bd90b8167d req=test

133022 2017-03-09 15:32:27.039661 7f345c092700 10 s->object=test s->bucket=025e52a44acb4a058b1c36bd90b8167d

This makes the user get “NoSuchBucket” when visiting http://172.22.12.1:6780/swift/v1/025e52a44acb4a058b1c36bd90b8167d/test

Actions #1

Updated by Chang Liu about 7 years ago

try to urlencode ?

Actions #2

Updated by Albert Tu about 7 years ago

Chang Liu wrote:

try to urlencode ?

It doesn't work because the URL will be decoded in RGWREST::preprocess()

Actions #3

Updated by Chang Liu about 7 years ago

Albert Tu wrote:

Chang Liu wrote:

try to urlencode ?

It doesn't work because the URL will be decoded in RGWREST::preprocess()

Albert, AWS's document says that a bucket name contains alpha, number and '.' only. Maybe we should add more checks in the BucketCreate process.

Actions #4

Updated by Robin Johnson about 7 years ago

The swift container rules are very lax compared to S3: 256 bytes of UTF-8 characters and no slash. https://docs.openstack.org/developer/swift/api/object_api_v1_overview.html

The S3 rules are here: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
Note that Ceph has previously allowed most of the AWS US-East-1 style with some strict elements.

I'll spin a patch that enforces no slash in swift containers.

Actions #6

Updated by Chang Liu about 7 years ago

Yep, I will try to add a limitation for the S3 bucket name.

Actions #9

Updated by Casey Bodley about 7 years ago

The entries returned by 'radosgw-admin bucket list' are prefixed with tenant names. If you need to refer to these buckets externally, you will need to manually parse and remove the 'tenant/' part yourself.
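Added example (not from the thread or from Ceph's code): a Python sketch of the manual step described above, splitting the 'tenant/' prefix off `radosgw-admin bucket list` entries and checking the remaining name against the Swift container rule quoted earlier in the thread (256 bytes of UTF-8, no slash). The function names, the rejection of empty names and the simplified path split are assumptions; the sample input is the listing from the description.

```python
import json

# Listing from the bug description; "\/" is JSON's escaped form of "/".
SAMPLE = r'["025e52a44acb4a058b1c36bd90b8167d\/test"]'

SWIFT_MAX_CONTAINER_BYTES = 256  # limit quoted in the thread


def split_tenant(entry):
    """Split one 'tenant/bucket' entry; entries without '/' have no tenant."""
    tenant, sep, bucket = entry.partition("/")
    return (tenant, bucket) if sep else ("", entry)


def swift_container_name_ok(name):
    """Swift rule as stated in the thread: <= 256 bytes of UTF-8, no slash."""
    if not name or "/" in name:  # assumption: empty names are rejected too
        return False
    try:
        encoded = name.encode("utf-8")
    except UnicodeEncodeError:  # lone surrogates are not valid UTF-8
        return False
    return len(encoded) <= SWIFT_MAX_CONTAINER_BYTES


def split_request_path(path):
    """Simplified model of the split seen in the log (first=..., req=...):
    the token before the first '/' is the bucket, the rest is the object."""
    first, _, rest = path.lstrip("/").partition("/")
    return first, rest


def audit(bucket_list_json):
    """Report, per listed entry, the tenant, the externally usable bucket
    name, whether that name passes the Swift rule, and how the full entry
    would be split if it were used as-is in a request path."""
    rows = []
    for entry in json.loads(bucket_list_json):
        tenant, bucket = split_tenant(entry)
        rows.append({
            "entry": entry,
            "tenant": tenant,
            "bucket": bucket,
            "valid_swift_name": swift_container_name_ok(bucket),
            "request_split": split_request_path(entry),
        })
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The `request_split` column reproduces the values in the log lines above: using the listed entry unmodified makes the tenant ID the bucket and `test` the object.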

Actions #11

Updated by Nathan Cutler about 7 years ago

  • Status changed from New to Fix Under Review

Actions #12

Updated by Daniel Gryniewicz about 4 years ago

  • Status changed from Fix Under Review to Resolved