[ceph-users] Multi tenanted radosgw with Keystone and public buckets
Mark Kirkwood
2018-12-05 22:08:15 UTC
Hi, another question relating to multi tenanted RGW.

Let's do the working case 1st. For a user that still uses the global
namespace, if I set a bucket as world readable (header
"X-Container-Read: .r:*") then I can fetch objects from the bucket via a
url like (e.g. bucket0, object0):

http://host/swift/v1/bucket0/object0

Now suppose I do the same for a bucket (bucket1) that is in a private
namespace (i.e. set the header again). Now there appears to be no way to
access the bucket w/o authentication. i.e.:

http://host/swift/v1/bucket1/object1

Gets a no-such-bucket (if tried w/o auth). Now I can see the actual path
via radosgw-admin:

$ sudo radosgw-admin bucket list
[
    "bucket0",
    "195b20a3f8264ac38e7d917f605476fa/bucket1"
]

However attempting the obvious guessed url of:

http://host/swift/v1/195b20a3f8264ac38e7d917f605476fa/bucket1/object1

gets a no-such-bucket as well. Is there a way to get public access of
objects in private namespaces - or is the private designation intended
to make this impossible?

Cheers

Mark
Florian Haas
2018-12-06 15:27:14 UTC
Post by Mark Kirkwood
> Hi, another question relating to multi tenanted RGW.
> Let's do the working case 1st. For a user that still uses the global
> namespace, if I set a bucket as world readable (header
> "X-Container-Read: .r:*") then I can fetch objects from the bucket via a
> url like (e.g. bucket0, object0):
> http://host/swift/v1/bucket0/object0
> Now suppose I do the same for a bucket (bucket1) that is in a private
> namespace (i.e. set the header again). Now there appears to be no way to
> access the bucket w/o authentication. i.e.:
> http://host/swift/v1/bucket1/object1
> Gets a no-such-bucket (if tried w/o auth). Now I can see the actual path
> via radosgw-admin:
> $ sudo radosgw-admin bucket list
> [
>     "bucket0",
>     "195b20a3f8264ac38e7d917f605476fa/bucket1"
> ]
> However attempting the obvious guessed url of:
> http://host/swift/v1/195b20a3f8264ac38e7d917f605476fa/bucket1/object1
> gets a no-such-bucket as well. Is there a way to get public access of
> objects in private namespaces - or is the private designation intended
> to make this impossible?
This is part of my pending doc PR that I really, really hope to get
merged some time soon:

http://docs.ceph.com/ceph-prs/25056/radosgw/swift/containerops/#update-a-container-s-acls

See the note about "rgw swift account in url = true" and Keystone
endpoints there.

Same applies to temp URLs, by the way:

http://docs.ceph.com/ceph-prs/25056/radosgw/swift/tempurl/#temp-url-operations

Cheers,
Florian
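As an added illustration (not code from this thread or from Ceph), here is a small Python model of the path resolution Florian's note is about: how RGW maps a Swift-API URL to a tenant and bucket with and without "rgw swift account in url = true". It assumes the AUTH_<tenant_id> account form that Keystone-backed Swift endpoints are registered with; the bucket index is constructed from the radosgw-admin output above.

```python
# Added example: a model of how RGW turns a Swift-API path into
# (tenant, bucket, object) under each setting of rgw_swift_account_in_url.
# Not Ceph's code. Assumption: tenant accounts appear in the URL as
# AUTH_<tenant_id>, the form used for Keystone-registered Swift endpoints.
from dataclasses import dataclass
from typing import Optional

SWIFT_PREFIX = "/swift/v1"
TENANT_ID = "195b20a3f8264ac38e7d917f605476fa"  # tenant id quoted in the thread

# Constructed bucket index mirroring the radosgw-admin output in the thread:
# bucket0 is in the global namespace (tenant ""), bucket1 in the tenant.
BUCKETS = {("", "bucket0"), (TENANT_ID, "bucket1")}


@dataclass
class Resolution:
    tenant: str
    bucket: str
    obj: Optional[str]
    found: bool  # False models RGW's no-such-bucket response


def resolve(path: str, account_in_url: bool, token_tenant: str = "") -> Resolution:
    """Resolve a request path the way RGW does under each setting.

    account_in_url=False: the tenant comes only from the auth token, so an
    anonymous request (token_tenant="") can only reach the global namespace,
    and a tenant id placed in the path is read as a (non-existent) bucket name.
    account_in_url=True: the first segment must be AUTH_<tenant_id>, which is
    what lets a public (.r:*) container in a tenant namespace be fetched anonymously.
    """
    if not path.startswith(SWIFT_PREFIX + "/"):
        return Resolution("", "", None, False)
    rest = path[len(SWIFT_PREFIX) + 1:]
    tenant = token_tenant
    if account_in_url:
        account, _, rest = rest.partition("/")
        if not account.startswith("AUTH_"):
            return Resolution("", "", None, False)
        tenant = account[len("AUTH_"):]
    bucket, _, obj = rest.partition("/")
    return Resolution(tenant, bucket, obj or None, (tenant, bucket) in BUCKETS)


def public_url(host: str, tenant: str, bucket: str, obj: str) -> str:
    """URL an anonymous client uses once rgw_swift_account_in_url = true."""
    return f"http://{host}{SWIFT_PREFIX}/AUTH_{tenant}/{bucket}/{obj}"
```

The Keystone object-store endpoint has to be registered in the matching AUTH_<tenant_id> form, otherwise authenticated clients and anonymous readers end up addressing different paths.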
Mark Kirkwood
2018-12-06 21:17:46 UTC
Post by Florian Haas
> Post by Mark Kirkwood
> > Hi, another question relating to multi tenanted RGW.
> > Let's do the working case 1st. For a user that still uses the global
> > namespace, if I set a bucket as world readable (header
> > "X-Container-Read: .r:*") then I can fetch objects from the bucket via a
> > url like (e.g. bucket0, object0):
> > http://host/swift/v1/bucket0/object0
> > Now suppose I do the same for a bucket (bucket1) that is in a private
> > namespace (i.e. set the header again). Now there appears to be no way to
> > access the bucket w/o authentication. i.e.:
> > http://host/swift/v1/bucket1/object1
> > Gets a no-such-bucket (if tried w/o auth). Now I can see the actual path
> > via radosgw-admin:
> > $ sudo radosgw-admin bucket list
> > [
> >     "bucket0",
> >     "195b20a3f8264ac38e7d917f605476fa/bucket1"
> > ]
> > However attempting the obvious guessed url of:
> > http://host/swift/v1/195b20a3f8264ac38e7d917f605476fa/bucket1/object1
> > gets a no-such-bucket as well. Is there a way to get public access of
> > objects in private namespaces - or is the private designation intended
> > to make this impossible?
> This is part of my pending doc PR that I really, really hope to get
> merged some time soon:
> http://docs.ceph.com/ceph-prs/25056/radosgw/swift/containerops/#update-a-container-s-acls
> See the note about "rgw swift account in url = true" and Keystone
> endpoints there.
> Same applies to temp URLs, by the way:
> http://docs.ceph.com/ceph-prs/25056/radosgw/swift/tempurl/#temp-url-operations
Thanks Florian - immediately after sending that email, I wondered about
dicking with the Keystone endpoints....

Cheers

Mark