Broken public Swift bucket access with Keystone integration
Public swift bucket access is broken. Prevents upgrading towards 14.2.12 or newer.
In reference to:
We are seeing similar behavior with public Swift bucket access being broken.
In this case RadosGW Nautilus integrated to OpenStack Queens Keystone.
Public Swift containers have worked fine from Luminous era up to Nautilus
14.2.11, and started to break when upgrading RadosGW to 14.2.12 or newer.
Unsure if this is related to the backport of "rgw: Swift API anonymous access
should 401 (pr#37438", or some other rgw change within 14.2.12.)
Additionally maybe related bug (https://tracker.ceph.com/issues/48001)
I believe the following ceph.conf we use is relevant:
rgw_swift_account_in_url = true
rgw_keystone_implicit_tenants = false
As well as the configured endpoint format:
Steps to reproduce:
1) Public container access
- Create a container with "Container Access" set to Public
- Click on the Horizon provided Link which is of the format
Expected result: Empty bucket listing
Actual result: "AccessDenied"
2) Public object access
- Upload an object to the public container
- Try to access the object via unauthenticated browser session
Expected result: Object downloaded or loaded into browser
Actual result: "NoSuchBucket"
Also getting similar behavior with Swift CLI tools (ACL '.r:*') from what I
Any suggestions how to troubleshoot further?
Happy to provide more debug log and configuration details if need be, as well
as pointers if something might be actually wrong in our configuration.