Bug #48382

Broken public Swift bucket access with Keystone integration

Added by Pietari Hyvärinen about 2 months ago. Updated about 1 month ago.

Status: New
Priority: Normal
Assignee:
Target version:
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
ceph-qa-suite: rgw
Pull request ID:
Crash signature:

Description

Public Swift bucket access is broken. This prevents upgrading towards 14.2.12 or newer.

In reference to:

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/Y2KTC7RXQYW

We are seeing similar behavior with public Swift bucket access being broken.

In this case RadosGW Nautilus is integrated with OpenStack Queens Keystone.

Public Swift containers have worked fine from Luminous era up to Nautilus
14.2.11, and started to break when upgrading RadosGW to 14.2.12 or newer.

Unsure if this is related to the backport of "rgw: Swift API anonymous access
should 401" (pr#37438), or some other rgw change within 14.2.12.
Additionally, a possibly related bug: https://tracker.ceph.com/issues/48001

I believe the following ceph.conf we use is relevant:

rgw_swift_account_in_url = true
rgw_keystone_implicit_tenants = false

As well as the configured endpoint format:

https://fqdn:443/swift/v1/AUTH_%(tenant_id)s

Steps to reproduce:

Horizon:
--------

1) Public container access

- Create a container with "Container Access" set to Public
- Click on the Horizon-provided link, which is of the format
https://fqdn/swift/v1/AUTH_projectUUID/public-test-container/

Expected result: Empty bucket listing
Actual result: "AccessDenied"

2) Public object access

- Upload an object to the public container
- Try to access the object via an unauthenticated browser session

Expected result: Object downloaded or loaded into browser
Actual result: "NoSuchBucket"

Also getting similar behavior with Swift CLI tools (ACL '.r:*') from what I
can see.

Any suggestions on how to troubleshoot further?

Happy to provide more debug logs and configuration details if need be, as well
as pointers if something might actually be wrong in our configuration.

History

#1 Updated by Casey Bodley about 1 month ago

  • Assignee set to Or Friedmann
