Bug #48382
closedBroken public Swift bucket access with Keystone integration
0%
Description
Public swift bucket access is broken. Prevents upgrading towards 14.2.12 or newer.
In reference to:
https://lists.ceph.io/hyperkitty/list/ceph-users@ceph.io/thread/Y2KTC7RXQYW…
We are seeing similar behavior with public Swift bucket access being broken.
In this case RadosGW Nautilus integrated to OpenStack Queens Keystone.
Public Swift containers have worked fine from Luminous era up to Nautilus
14.2.11, and started to break when upgrading RadosGW to 14.2.12 or newer.
Unsure if this is related to the backport of "rgw: Swift API anonymous access
should 401 (pr#37438", or some other rgw change within 14.2.12.)
Additionally maybe related bug (https://tracker.ceph.com/issues/48001)
I believe the following ceph.conf we use is relevant:
rgw_swift_account_in_url = true
rgw_keystone_implicit_tenants = false
As well as the configured endpoint format:
https://fqdn:443/swift/v1/AUTH_%(tenant_id)s
Steps to reproduce:
Horizon:
--------
1) Public container access
- Create a container with "Container Access" set to Public
- Click on the Horizon provided Link which is of the format
https://fqdn/swift/v1/AUTH_projectUUID/public-test-container/
Expected result: Empty bucket listing
Actual result: "AccessDenied"
2) Public object access
- Upload an object to the public container
- Try to access the object via unauthenticated browser session
Expected result: Object downloaded or loaded into browser
Actual result: "NoSuchBucket"
Also getting similar behavior with Swift CLI tools (ACL '.r:*') from what I
can see.
Any suggestions how to troubleshoot further?
Happy to provide more debug log and configuration details if need be, as well
as pointers if something might be actually wrong in our configuration.
Files