Bug #48382 (closed)
Broken public Swift bucket access with Keystone integration
Description
Public swift bucket access is broken. Prevents upgrading towards 14.2.12 or newer.
In reference to:
https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/Y2KTC7RXQYW…
We are seeing similar behavior with public Swift bucket access being broken.
In this case RadosGW Nautilus integrated to OpenStack Queens Keystone.
Public Swift containers have worked fine from Luminous era up to Nautilus
14.2.11, and started to break when upgrading RadosGW to 14.2.12 or newer.
Unsure if this is related to the backport of "rgw: Swift API anonymous access
should 401" (pr#37438), or some other rgw change within 14.2.12.
Additionally, a possibly related bug: https://tracker.ceph.com/issues/48001
I believe the following ceph.conf we use is relevant:
rgw_swift_account_in_url = true
rgw_keystone_implicit_tenants = false
As well as the configured endpoint format:
https://fqdn:443/swift/v1/AUTH_%(tenant_id)s
Steps to reproduce:
Horizon:
--------
1) Public container access
- Create a container with "Container Access" set to Public
- Click on the Horizon provided Link which is of the format
https://fqdn/swift/v1/AUTH_projectUUID/public-test-container/
Expected result: Empty bucket listing
Actual result: "AccessDenied"
2) Public object access
- Upload an object to the public container
- Try to access the object via unauthenticated browser session
Expected result: Object downloaded or loaded into browser
Actual result: "NoSuchBucket"
Also getting similar behavior with Swift CLI tools (ACL '.r:*') from what I
can see.
Any suggestions how to troubleshoot further?
Happy to provide more debug log and configuration details if need be, as well
as pointers if something might be actually wrong in our configuration.
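A scripted form of the two reproduction steps above, as an added example that is not part of the original report or of Ceph itself. It sends unauthenticated GETs to the container and object URLs and flags any step whose result contradicts the container's intended exposure. The function names are hypothetical, and it assumes the error codes quoted in the report appear in the response body.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoint format quoted in the report; "fqdn" is the report's own placeholder.
ENDPOINT_FORMAT = "https://fqdn:443/swift/v1/AUTH_%(tenant_id)s"

def public_urls(endpoint_format, tenant_id, container, obj):
    """Expand the Keystone endpoint template into the two anonymous URLs."""
    # Both key spellings seen on this page (%(tenant_id)s, %(project_id)s) work.
    base = endpoint_format % {"tenant_id": tenant_id, "project_id": tenant_id}
    cont = urllib.parse.quote(container, safe="")
    return {"listing": f"{base}/{cont}/",
            "object": f"{base}/{cont}/{urllib.parse.quote(obj)}"}

def fetch_anonymous(url, timeout=10):
    """GET with no X-Auth-Token; return (status, body) for 4xx/5xx too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")

def classify(status, body):
    """Map a response to the outcomes named in the report."""
    if 200 <= status < 300:
        return "ok"
    for code in ("AccessDenied", "NoSuchBucket"):
        if code in body:  # assumption: the error code appears in the body
            return code
    return f"http-{status}"

def check_container(endpoint_format, tenant_id, container, obj, fetch=fetch_anonymous):
    """Run both reproduction steps and return {step: outcome}."""
    urls = public_urls(endpoint_format, tenant_id, container, obj)
    return {step: classify(*fetch(url)) for step, url in urls.items()}

def regressions(results, public):
    """Steps whose outcome contradicts the container's intended exposure:
    a denied public container, or an anonymously readable private one."""
    return [step for step, r in results.items() if (r == "ok") != public]

if __name__ == "__main__":
    # usage: probe.py ENDPOINT_FORMAT PROJECT_ID CONTAINER OBJECT public|private
    fmt, project, container, obj, mode = sys.argv[1:6]
    results = check_container(fmt, project, container, obj)
    print(results, "regressions:", regressions(results, mode == "public"))
```

Running it against one public and one private container before and after an RGW upgrade covers both directions: public access that stopped working, and private data that became anonymously readable.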
Updated by Rafal Wadolowski over 3 years ago
Updated by Pietari Hyvärinen over 3 years ago
Rafal Wadolowski wrote:
Hi Pietari,
Can you try this?
https://github.com/ceph/ceph/pull/38319
It helps us
https://github.com/ceph/ceph/blob/v14.2.16/src/rgw/rgw_rest_swift.cc differs from master
and build fails with error:
rpmbuild/BUILD/ceph-14.2.16/src/rgw/rgw_rest_swift.cc: In member function ‘virtual int RGWHandler_REST_SWIFT::postauth_init()’:
rpmbuild/BUILD/ceph-14.2.16/src/rgw/rgw_rest_swift.cc:2796:33: error: ‘struct RGWUserInfo’ has no member named ‘get_tenant’; did you mean ‘get_key’?
    s->bucket_tenant = s->user->get_tenant();
                                ^~~~~~~~~~
                                get_key
For 14.2.16, there is a need for a bit more backporting....
Updated by Pietari Hyvärinen about 3 years ago
14.2.18 is still affected by this bug.
Updated by Pietari Hyvärinen almost 3 years ago
Rafal Wadolowski wrote:
Hi Pietari,
Can you try this?
https://github.com/ceph/ceph/pull/38319
It helps us
This pullreq is somehow stalled on the queue? Would someone push this forward, please?
Pull Request Labeler / labeler (pull_request_target) Failing after 4s — labeler
Updated by Mohammed Naser over 2 years ago
This has just hit us and it seems like a huge regression; I'm trying this patch now.
Updated by Pietari Hyvärinen over 2 years ago
Mohammed Naser wrote:
This has just hit us and it seems like a huge regression; I'm trying this patch now.
A hack to "fix" the issue with centos7+nautilus:
yum install -y screen
wget https://copr.fedorainfracloud.org/coprs/jsynacek/systemd-backports-for-centos-7/repo/epel-7/jsynacek-systemd-backports-for-centos-7-epel-7.repo -O /etc/yum.repos.d/jsynacek-systemd-centos-7.repo
yum -y update systemd # :-)
yum install -y epel-release
yum install -y git wget sudo which jq
yum install -y rpm-build rpmdevtools rpm-build createrepo cmake3
yum install -y python-pip python-virtualenv
yum install -y centos-release-scl
yum -y install devtoolset-8
scl enable devtoolset-8 bash
git clone https://github.com/ceph/ceph
cd ceph
git checkout v14.2.22
git revert 82b49688f7a1b8a852732957e5351d7cc2ddca18
git apply patch.diff
$ # don't be root, it screws up npm
$ ./make-srpm.sh
$ ./install-deps.sh
$ rpmbuild --rebuild ceph-14.2.22-1.g42142cf.el7.src.rpm
                                    ^^^^^^^^ build dependent
---
$ cat patch.diff
diff --git a/ceph.spec.in b/ceph.spec.in index 0c94ee8..e96d8dc 100644 --- a/ceph.spec.in +++ b/ceph.spec.in @@ -298,7 +298,6 @@ BuildRequires: libtool-ltdl-devel BuildRequires: python%{_python_buildid}-cherrypy BuildRequires: python%{_python_buildid}-jwt BuildRequires: python%{_python_buildid}-routes -BuildRequires: python%{_python_buildid}-scipy BuildRequires: python%{_python_buildid}-werkzeug BuildRequires: xmlsec1 BuildRequires: xmlsec1-devel diff --git a/make-dist b/make-dist index aed6831..225a730 100755 --- a/make-dist +++ b/make-dist @@ -50,7 +50,7 @@ download_boost() { exit fi url=$url_base/$boost_fname - wget -c --no-verbose -O $boost_fname $url + wget --no-check-certificate -c --no-verbose -O $boost_fname $url if [ $? != 0 -o ! -e $boost_fname ]; then echo "Download of $url failed" elif [ $(sha256sum $boost_fname | awk '{print $1}') != $boost_sha256 ]; then
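Review bot: In the ceph.spec.in hunk at -298,7, the removed `BuildRequires: python%{_python_buildid}-scipy` line has no comment explaining why it is safe to drop, and the hunk does not show whether any build step still needs scipy. Carry this as a separately labelled local patch rather than alongside the revert, so a build-speed shortcut is not mistaken for part of the fix.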
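Review bot: In the make-dist hunk, the added `--no-check-certificate` on the `wget` call in download_boost() turns off TLS server verification for the boost tarball, which leaves the `sha256sum` comparison against `$boost_sha256` in the context lines below as the only integrity control. That check helps only if `$boost_sha256` comes from the checked-out tree and a mismatch actually stops the build, and neither is visible in this hunk. I would drop the flag and fix the build host's CA bundle instead, or at minimum add a comment marking this as a local CentOS 7 workaround that must not reach a shared build.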
Updated by Pietari Hyvärinen over 2 years ago
so basically this
git clone https://github.com/ceph/ceph
cd ceph
git checkout v14.2.22
git revert 82b49688f7a1b8a852732957e5351d7cc2ddca18
part is important. The rest is just skipping scipy to speedup building...
Updated by Susanta Gautam over 2 years ago
- File build-error.txt added
Pietari Hyvärinen wrote:
so basically this
[...]
part is important. The rest is just skipping scipy to speedup building...
Trying to build the rpm from the steps above gave me the error. I have attached the error in text file. Can you please help me look at this?
Updated by Casey Bodley over 2 years ago
- Assignee changed from Or Friedmann to Marcus Watts
- Tags set to swift keystone
Updated by Casey Bodley almost 2 years ago
- Priority changed from Normal to High
Updated by Casey Bodley almost 2 years ago
- Related to Bug #48001: Brocken SwiftAPI anonymous access added
Updated by Matt Benjamin almost 2 years ago
Marcus says that this is materially related to the downstream implicit tenants issue, and it will be fixed by the resolution
Matt
Updated by Casey Bodley almost 2 years ago
- Status changed from New to In Progress
Updated by Casey Bodley almost 2 years ago
- Status changed from In Progress to Duplicate
Updated by Pietari Hyvärinen 6 months ago
Susanta Gautam wrote:
Pietari Hyvärinen wrote:
so basically this
[...]
part is important. The rest is just skipping scipy to speedup building...
Trying to build the rpm from the steps above gave me the error. I have attached the error in text file. Can you please help me look at this?
https://github.com/ceph/ceph/pull/43491/commits/53040e4c0e9e86710b8800dbb7ea15b3fa196ebf
Updated by Bartosz Bezak about 1 month ago
I still got this issue on 18.2.2 with OpenStack Antelope. With rgw_swift_account_in_url = true and proper endpoints: "https://rgw.test/swift/v1/AUTH_%(project_id)s"
Ticking public access in Horizon properly sets the ACL on the bucket according to the swift client:
swift -v stat test-bucket
URL: https://rgw.test/swift/v1/AUTH_daksjhdkajdshda/testbucket
Auth Token:
Account: AUTH_daksjhdkajdshda
Container: testbucket
Objects: 1
Bytes: 1021036
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
X-Timestamp: 1710947159.41219
X-Container-Bytes-Used-Actual: 1024000
X-Storage-Policy: default-placement
X-Storage-Class: STANDARD
Last-Modified: Thu, 21 Mar 2024 10:30:05 GMT
X-Trans-Id: tx00000092ac12312312312-1231231231-1701e5-default
X-Openstack-Request-Id: tx00000092ac12312312312-1231231231-1701e5-default
Accept-Ranges: bytes
Content-Type: text/plain; charset=utf-8
However, I am still getting a 404 NoSuchBucket error.