Bug #19264

rgw: bucket name that includes a slash causes public access to fail

Added by Albert Tu over 2 years ago. Updated over 2 years ago.

Status: Need Review
Priority: Normal
Assignee: -
Target version: -
Start date: 03/13/2017
Due date:
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

When a bucket is created from Horizon, the bucket name will include the OpenStack project ID:

$ radosgw-admin bucket list
[
    "025e52a44acb4a058b1c36bd90b8167d\/test" 
]

It is then split into two parts because next_tok() splits the URL on "/":

133015 2017-03-09 15:32:27.039645 7f345c092700 10 ver=v1 first=025e52a44acb4a058b1c36bd90b8167d req=test

133022 2017-03-09 15:32:27.039661 7f345c092700 10 s->object=test s->bucket=025e52a44acb4a058b1c36bd90b8167d

This makes the user get "NoSuchBucket" when visiting http://172.22.12.1:6780/swift/v1/025e52a44acb4a058b1c36bd90b8167d/test

History

#1 Updated by Chang Liu over 2 years ago

Try to urlencode?

#2 Updated by Albert Tu over 2 years ago

Chang Liu wrote:

Try to urlencode?

It doesn't work because the URL will be decoded in RGWREST::preprocess()

#3 Updated by Chang Liu over 2 years ago

Albert Tu wrote:

Chang Liu wrote:

Try to urlencode?

It doesn't work because the URL will be decoded in RGWREST::preprocess()

Albert, AWS's documentation says that a bucket name contains alpha, number and '.' only. Maybe we should add more checks in the BucketCreate process.

#4 Updated by Robin Johnson over 2 years ago

The Swift container rules are very lax compared to S3: 256 bytes of UTF-8 characters and no slash. https://docs.openstack.org/developer/swift/api/object_api_v1_overview.html

The S3 rules are here: http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
Note that Ceph has previously allowed most of the AWS US-East-1 style with some strict elements.

I'll spin a patch that enforces no slash in Swift containers.

#6 Updated by Chang Liu over 2 years ago

Yep, I will try to add a limitation for the S3 bucket name.

#9 Updated by Casey Bodley over 2 years ago

The entries returned by 'radosgw-admin bucket list' are prefixed with tenant names. If you need to refer to these buckets externally, you will need to manually parse and remove the 'tenant/' part yourself.
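
Added example, not part of the original thread and not Ceph code: a small audit that strips the 'tenant/' prefix described in comment #9 from 'radosgw-admin bucket list' output and checks the remaining name against the Swift container rules quoted in comment #4. Treating only the first '/' as the tenant separator is an assumption, and the function names and all sample entries except the first are constructed.

```python
import json

SWIFT_MAX_CONTAINER_BYTES = 256  # limit quoted in comment #4


def split_tenant_bucket(entry):
    """Split a 'radosgw-admin bucket list' entry into (tenant, bucket).

    Assumption: entries are 'tenant/bucket' for tenanted buckets and plain
    'bucket' otherwise, and only the first '/' is the separator.
    """
    tenant, sep, bucket = entry.partition("/")
    if not sep:
        return "", entry
    return tenant, bucket


def swift_container_name_problems(name):
    """Return the reasons a name breaks the Swift rules from comment #4."""
    problems = []
    if not name:
        problems.append("empty name")
    if "/" in name:
        problems.append("contains '/'")
    if len(name.encode("utf-8")) > SWIFT_MAX_CONTAINER_BYTES:
        problems.append("longer than 256 bytes of UTF-8")
    return problems


def audit_bucket_list(admin_json):
    """Map each listed entry to its tenant, bucket name and any problems."""
    report = []
    for entry in json.loads(admin_json):
        tenant, bucket = split_tenant_bucket(entry)
        report.append({"entry": entry, "tenant": tenant, "bucket": bucket,
                       "problems": swift_container_name_problems(bucket)})
    return report


# Constructed sample: the first entry is the one from this report,
# the other two are made up to exercise the checks.
SAMPLE = r'''[
    "025e52a44acb4a058b1c36bd90b8167d\/test",
    "plain-bucket",
    "tenantA\/a\/b"
]'''

if __name__ == "__main__":
    for row in audit_bucket_list(SAMPLE):
        print(row)
```
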

#11 Updated by Nathan Cutler over 2 years ago

  • Status changed from New to Need Review
