Bug #48382

closed

Broken public Swift bucket access with Keystone integration

Added by Pietari Hyvärinen over 3 years ago. Updated 29 days ago.

Status: Duplicate
Priority: High
Assignee:
Target version:
% Done: 0%
Source:
Tags: swift keystone
Backport:
Regression: No
Severity: 2 - major
Reviewed:
ceph-qa-suite: rgw
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Public Swift bucket access is broken. This prevents upgrading to 14.2.12 or newer.

In reference to:

https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/Y2KTC7RXQYW

We are seeing similar behavior with public Swift bucket access being broken.

In this case RadosGW Nautilus is integrated with OpenStack Queens Keystone.

Public Swift containers have worked fine from Luminous era up to Nautilus
14.2.11, and started to break when upgrading RadosGW to 14.2.12 or newer.

Unsure if this is related to the backport of "rgw: Swift API anonymous access
should 401" (pr#37438), or some other rgw change within 14.2.12.
Additionally, a possibly related bug (https://tracker.ceph.com/issues/48001)

I believe the following ceph.conf we use is relevant:

rgw_swift_account_in_url = true
rgw_keystone_implicit_tenants = false

As well as the configured endpoint format:

https://fqdn:443/swift/v1/AUTH_%(tenant_id)s

Steps to reproduce:

Horizon:
--------

1) Public container access

- Create a container with "Container Access" set to Public
- Click on the Horizon provided Link which is of the format
https://fqdn/swift/v1/AUTH_projectUUID/public-test-container/

Expected result: Empty bucket listing
Actual result: "AccessDenied"

2) Public object access

- Upload an object to the public container
- Try to access the object via unauthenticated browser session

Expected result: Object downloaded or loaded into browser
Actual result: "NoSuchBucket"

Also getting similar behavior with Swift CLI tools (ACL '.r:*') from what I
can see.

Any suggestions how to troubleshoot further?

Happy to provide more debug log and configuration details if need be, as well
as pointers if something might be actually wrong in our configuration.
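
Added example (not part of the original report and not Ceph code): a small check for the two reproduction cases above. It requests a container URL without a token and compares the result with what the read ACL should allow, so it flags both a public container that stopped working and a private one that answers anonymously. The function names and the status-to-outcome mapping are assumptions; the error strings are the ones quoted in the report.

```python
import sys
import urllib.error
import urllib.request


def expand_endpoint(template, project_id):
    """Fill a Keystone endpoint template such as .../AUTH_%(tenant_id)s."""
    return template % {"tenant_id": project_id, "project_id": project_id}


def classify(status, body):
    """Map an anonymous response to the outcomes named in the report."""
    if status in (200, 204):  # listing or object served (204: empty listing)
        return "readable"
    for marker in ("AccessDenied", "NoSuchBucket"):
        if marker in body:
            return marker
    return "denied" if status in (401, 403) else "http-%d" % status


def verdict(expect_public, outcome):
    """Compare the outcome with what the container's read ACL should allow."""
    if expect_public:
        return "ok" if outcome == "readable" else "regression: " + outcome
    return "EXPOSED" if outcome == "readable" else "ok"


def probe(url, timeout=10):
    """GET without X-Auth-Token, i.e. as an anonymous client."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


if __name__ == "__main__":
    # usage: check.py <endpoint-template> <project-id> <container> public|private
    template, project_id, container, expected = sys.argv[1:5]
    url = expand_endpoint(template, project_id) + "/" + container + "/"
    outcome = classify(*probe(url))
    print(url, outcome, verdict(expected == "public", outcome))
```

Run it against one container known to be public and one known to be private, before and after an RGW upgrade.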


Files

build-error.txt (42.8 KB) Susanta Gautam, 11/02/2021 02:54 PM

Related issues 1 (0 open, 1 closed)

Related to rgw - Bug #48001: Brocken SwiftAPI anonymous access - Resolved - Marcus Watts

Actions #1

Updated by Casey Bodley over 3 years ago

  • Assignee set to Or Friedmann
Actions #2

Updated by Rafal Wadolowski about 3 years ago

Hi Pietari,

Can you try this?

https://github.com/ceph/ceph/pull/38319

It helps us

Actions #3

Updated by Pietari Hyvärinen about 3 years ago

Rafal Wadolowski wrote:

Hi Pietari,

Can you try this?

https://github.com/ceph/ceph/pull/38319

It helps us

https://github.com/ceph/ceph/blob/v14.2.16/src/rgw/rgw_rest_swift.cc differs from master
and build fails with error:

rpmbuild/BUILD/ceph-14.2.16/src/rgw/rgw_rest_swift.cc: In member function ‘virtual int RGWHandler_REST_SWIFT::postauth_init()’:
rpmbuild/BUILD/ceph-14.2.16/src/rgw/rgw_rest_swift.cc:2796:33: error: ‘struct RGWUserInfo’ has no member named ‘get_tenant’; did you mean ‘get_key’?
     s->bucket_tenant = s->user->get_tenant();
                                 ^~~~~~~~~~
                                 get_key

For 14.2.16, there is a need for a bit more backporting....

Actions #4

Updated by Pietari Hyvärinen about 3 years ago

This bug still affects 14.2.18.

Actions #5

Updated by Pietari Hyvärinen almost 3 years ago

Rafal Wadolowski wrote:

Hi Pietari,

Can you try this?

https://github.com/ceph/ceph/pull/38319

It helps us

This pullreq is somehow stalled in the queue? Would someone push this forward, please?

 Pull Request Labeler / labeler (pull_request_target) Failing after 4s — labeler
Actions #6

Updated by Mohammed Naser over 2 years ago

This has just hit us and it seems like a huge regression, I'm trying this patch now.

Actions #7

Updated by Pietari Hyvärinen over 2 years ago

Mohammed Naser wrote:

This has just hit us and it seems like a huge regression, I'm trying this patch now.

A hack to "fix" the issue with centos7+nautilus

yum install -y screen

wget https://copr.fedorainfracloud.org/coprs/jsynacek/systemd-backports-for-centos-7/repo/epel-7/jsynacek-systemd-backports-for-centos-7-epel-7.repo -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo
yum -y update systemd
# :-)

yum install -y epel-release
yum install -y git wget sudo which jq
yum install -y rpm-build rpmdevtools rpm-build createrepo cmake3
yum install -y python-pip python-virtualenv
yum install -y centos-release-scl
yum -y install devtoolset-8
scl enable devtoolset-8 bash

git clone https://github.com/ceph/ceph
cd ceph
git checkout v14.2.22
git revert 82b49688f7a1b8a852732957e5351d7cc2ddca18
git apply patch.diff

$ # don't be root, it screws up npm
$ ./make-srpm.sh
$ ./install-deps.sh
$ rpmbuild --rebuild ceph-14.2.22-1.g42142cf.el7.src.rpm
                                    ^^^^^^^^ build dependent

---

$ cat patch.diff
diff --git a/ceph.spec.in b/ceph.spec.in
index 0c94ee8..e96d8dc 100644
--- a/ceph.spec.in
+++ b/ceph.spec.in
@@ -298,7 +298,6 @@ BuildRequires:      libtool-ltdl-devel
 BuildRequires: python%{_python_buildid}-cherrypy
 BuildRequires: python%{_python_buildid}-jwt
 BuildRequires: python%{_python_buildid}-routes
-BuildRequires:  python%{_python_buildid}-scipy
 BuildRequires: python%{_python_buildid}-werkzeug
 BuildRequires: xmlsec1
 BuildRequires: xmlsec1-devel
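Review bot: The `BuildRequires: python%{_python_buildid}-scipy` line in ceph.spec.in is dropped unconditionally and without a comment, so a package built from this tree differs from the v14.2.22 spec with no record of why. If the only goal is a faster local build, put the line behind a build conditional or leave a comment in the spec stating the reason, so these RPMs are not mistaken for stock builds.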
diff --git a/make-dist b/make-dist
index aed6831..225a730 100755
--- a/make-dist
+++ b/make-dist
@@ -50,7 +50,7 @@ download_boost() {
             exit
         fi
         url=$url_base/$boost_fname
-        wget -c --no-verbose -O $boost_fname $url
+        wget --no-check-certificate -c --no-verbose -O $boost_fname $url
         if [ $? != 0 -o ! -e $boost_fname ]; then
             echo "Download of $url failed" 
         elif [ $(sha256sum $boost_fname | awk '{print $1}') != $boost_sha256 ]; then
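Review bot: Adding `--no-check-certificate` to the wget call in download_boost() turns off TLS certificate validation for the boost tarball, which leaves the `sha256sum` comparison against `$boost_sha256` in the following `elif` as the only integrity control on that download. Prefer fixing the CA trust store on the build host so the original `wget -c --no-verbose` line works unchanged, and if the flag has to stay for a one-off build, keep it out of anything that gets committed and make sure the checksum branch is never bypassed.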

Actions #8

Updated by Pietari Hyvärinen over 2 years ago

so basically this

git clone https://github.com/ceph/ceph
cd ceph
git checkout v14.2.22
git revert 82b49688f7a1b8a852732957e5351d7cc2ddca18

part is important. The rest is just skipping scipy to speedup building...

Actions #9

Updated by Susanta Gautam over 2 years ago

Pietari Hyvärinen wrote:

so basically this
[...]
part is important. The rest is just skipping scipy to speedup building...

Trying to build the rpm from the steps above gave me an error. I have attached the error in a text file. Can you please help me look at this?

Actions #10

Updated by Casey Bodley over 2 years ago

  • Assignee changed from Or Friedmann to Marcus Watts
  • Tags set to swift keystone
Actions #11

Updated by Casey Bodley almost 2 years ago

  • Priority changed from Normal to High
Actions #12

Updated by Casey Bodley almost 2 years ago

  • Related to Bug #48001: Brocken SwiftAPI anonymous access added
Actions #13

Updated by Matt Benjamin almost 2 years ago

Marcus says that this is materially related to the downstream implicit tenants issue, and it will be fixed by the resolution

Matt

Actions #14

Updated by Casey Bodley almost 2 years ago

  • Status changed from New to In Progress
Actions #15

Updated by Casey Bodley over 1 year ago

  • Status changed from In Progress to Duplicate
Actions #16

Updated by Pietari Hyvärinen 6 months ago

Susanta Gautam wrote:

Pietari Hyvärinen wrote:

so basically this
[...]
part is important. The rest is just skipping scipy to speedup building...

Trying to build the rpm from the steps above gave me an error. I have attached the error in a text file. Can you please help me look at this?

https://github.com/ceph/ceph/pull/43491/commits/53040e4c0e9e86710b8800dbb7ea15b3fa196ebf

Actions #17

Updated by Bartosz Bezak 29 days ago

I still got this issue on 18.2.2 with Openstack Antelope. With rgw_swift_account_in_url = true and proper endpoints: "https://rgw.test/swift/v1/AUTH_%(project_id)s"

ticking public access in horizon properly sets ACL on the bucket according to swift client:

swift -v stat test-bucket
URL: https://rgw.test/swift/v1/AUTH_daksjhdkajdshda/testbucket
Auth Token:
Account: AUTH_daksjhdkajdshda
Container: testbucket
Objects: 1
Bytes: 1021036
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
X-Timestamp: 1710947159.41219
X-Container-Bytes-Used-Actual: 1024000
X-Storage-Policy: default-placement
X-Storage-Class: STANDARD
Last-Modified: Thu, 21 Mar 2024 10:30:05 GMT
X-Trans-Id: tx00000092ac12312312312-1231231231-1701e5-default
X-Openstack-Request-Id: tx00000092ac12312312312-1231231231-1701e5-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8

however still getting 404 NoSuchBucket error
