Bug #22897
closed
rgw: (jewel) can't delete swift acls with swift command.
0%
Description
The swift cli command can be used to set acls on buckets or objects: -r acl, -w acl. To delete an acl, it's supposed to be possible to do this by specifying an empty string. This causes swift to post to the endpoint with a header field of "x-container-read" (or write) with an empty string. This works with openstack swift, and there's no other method provided with the swift command to delete acls.
The api documentation is also not wonderfully clear on this. It does document use of "x-container-read" and "x-container-write" to set acls, and it describes use of "x-remove-container-read" and "x-remove-container-write" to remove acls. The latter two appear to be provided for the benefit of client implementations that don't have a way to send empty header strings, such as (apparently) old versions of curl.
The existing logic in radosgw can't tell the difference between an empty header field, and a missing header field. So attempting to remove a swift acl using the swift command silently fails. Of course, in jewel, one could delete a swift acl by supplying an acl string including only invalid elements, but that would be wrong, and it won't work in master.
I have a commit that fixes this for jewel as part of a longer sequence in PR #20257. I'll pull that out and make a version of that for master too.
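Added example, not part of the original report and not radosgw code: a sketch of the missing-versus-empty distinction the description turns on, next to the conflated behaviour it reports. The names `AclOp`, `find_header`, `acl_update` and `acl_update_conflated` are hypothetical, header keys are assumed to be lower-cased already, and the precedence of the remove header is an assumption.

```cpp
// Added example: AclOp, find_header, acl_update and acl_update_conflated are
// hypothetical names for illustration, not radosgw code.
#include <cstdio>
#include <map>
#include <string>

enum class AclOp { Keep, Set, Clear };
using Headers = std::map<std::string, std::string>;  // keys assumed lower-cased

// Returns nullptr when the header is absent, a pointer to "" when it was sent empty.
static const std::string* find_header(const Headers& h, const std::string& name) {
  auto it = h.find(name);
  return it == h.end() ? nullptr : &it->second;
}

// Behaviour described in the report: missing and empty collapse into one case,
// so an empty X-Container-Read is silently ignored.
AclOp acl_update_conflated(const Headers& h, const std::string& which) {
  const std::string* v = find_header(h, "x-container-" + which);
  std::string acl = v ? *v : "";
  return acl.empty() ? AclOp::Keep : AclOp::Set;
}

// Presence-aware version. `which` is "read" or "write".
AclOp acl_update(const Headers& h, const std::string& which) {
  // Assumption: the explicit remove header wins if both are sent.
  if (find_header(h, "x-remove-container-" + which)) return AclOp::Clear;
  const std::string* v = find_header(h, "x-container-" + which);
  if (!v) return AclOp::Keep;           // header missing: leave the ACL alone
  if (v->empty()) return AclOp::Clear;  // header present but empty: delete the ACL
  return AclOp::Set;                    // non-empty: parse *v and replace the ACL
}

int main() {
  Headers empty_read;                   // constructed sample request headers
  empty_read["x-container-read"] = "";
  std::printf("conflated=%d presence-aware=%d\n",
              static_cast<int>(acl_update_conflated(empty_read, "read")),
              static_cast<int>(acl_update(empty_read, "read")));
  return 0;
}
```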
Updated by Nathan Cutler about 6 years ago
There is no master PR yet, but the jewel backport is already a WIP in https://github.com/ceph/ceph/pull/20257
Updated by Marcus Watts about 6 years ago
I've made a PR for master with this change,
https://github.com/ceph/ceph/pull/20471
I believe this should apply trivially to luminous.
Updated by Orit Wasserman almost 6 years ago
- Status changed from New to Pending Backport
Updated by Nathan Cutler almost 6 years ago
- Copied to Backport #24302: luminous: rgw: (jewel) can't delete swift acls with swift command. added
Updated by Nathan Cutler almost 6 years ago
- Copied to Backport #24303: jewel: rgw: (jewel) can't delete swift acls with swift command. added
Updated by Nathan Cutler almost 6 years ago
- Backport changed from luminous, jewel to mimic, luminous, jewel
Updated by Nathan Cutler almost 6 years ago
- Backport changed from mimic, luminous, jewel to luminous, jewel
Deleting mimic backport issue because, according to @PrashantD, the commits in question are already in mimic:
The relevant changes for tracker#22897 are already in mimic:
$ git blame -i src/rgw/rgw_acl_swift.cc|grep -A 3 "int parse_list"
1fc69243bdf (Marcus Watts 2018-01-31 15:46:57 -0500 26) static int parse_list(const char* uid_list,
656b69da02b (Radoslaw Zarzynski 2016-05-19 19:05:12 +0200 27) std::vector<std::string>& uids) /* out */
2824c07f8d8 (Yehuda Sadeh 2012-02-23 13:56:22 -0800 28) {
1fc69243bdf (Marcus Watts 2018-01-31 15:46:57 -0500 29) char *s = strdup(uid_list);
$ git branch -a --contains 1fc69243bdf|grep "upstream/mimic"
remotes/upstream/mimic
Updated by Nathan Cutler over 4 years ago
- Status changed from Pending Backport to Resolved