Unable to access a public container in Swift integrated with Ceph RGW and Keystone

Solution Verified - Updated -

Issue

  • After integrating Ceph RGW with Keystone and Swift, creating a public container, either through Horizon or CLI, and trying to access the public container (e.g. using curl), a 404 Not Found error message is shown:

    [...]
< HTTP/1.1 404 Not Found
< Content-Length: 12
< X-Timestamp: 0.00000
< X-Container-Object-Count: 0
< X-Container-Bytes-Used: 0
< X-Container-Bytes-Used-Actual: 0
< X-Storage-Class: STANDARD
< Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
< X-Trans-Id: tx000000000000000019010-00606f3b6f-1f27d2-default
< X-Openstack-Request-Id: tx000000000000000019010-00606f3b6f-1f27d2-default
< Accept-Ranges: bytes
< Content-Type: text/plain; charset=utf-8
< Date: Thu, 08 Apr 2021 17:20:47 GMT
< 

Connection #0 to host swift.example.com left intact

  • If the Auth Token for the public container is passed, the access is allowed with no issues (200 OK):

    [...]
< HTTP/1.1 200 OK
< Content-Length: 39
< X-Timestamp: 1614864715.93403
< X-Container-Object-Count: 1
< X-Container-Bytes-Used: 172029
< X-Container-Bytes-Used-Actual: 172032
< X-Container-Read: .r:*,.rlistings
< X-Storage-Policy: default-placement
< X-Storage-Class: STANDARD
< Last-Modified: Thu, 04 Mar 2021 13:33:19 GMT
< X-Trans-Id: tx00000000000001e0d4465-006040e6b4-185647-default
< X-Openstack-Request-Id: tx00000000000001e0d4465-006040e6b4-185647-default
< Accept-Ranges: bytes
< Content-Type: text/plain; charset=utf-8
< Date: Thu, 04 Mar 2021 13:55:00 GMT
< 
* Connection #0 to host swift.example.com left intact

  • If the public container is created directly through RADOS Gateway (RGW) using an allowed user, bypassing Keystone, it is possible to access the public container, but not using Swift, either from Horizon or CLI.

  • In the debug logs enabled in RGW, it is possible to check error messages like the following:

    2021-04-08 14:20:47.525 7f6b8de92700  1 ====== starting new request req=0x7f6c95636670 =====
2021-04-08 14:20:47.525 7f6b8de92700  2 req 102416 0.000s initializing for trans_id = tx000000000000000019010-00606f3b6f-1f27d2-default
2021-04-08 14:20:47.525 7f6b8de92700 10 rgw api priority: s3=-1 s3website=-1
2021-04-08 14:20:47.525 7f6b8de92700 10 host=swift.example.com
2021-04-08 14:20:47.525 7f6b8de92700 20 subdomain= domain=swift.example.com in_hosted_domain=1 in_hosted_domain_s3website=0
2021-04-08 14:20:47.525 7f6b8de92700 20 final domain/bucket subdomain= domain=swift.example.com in_hosted_domain=1 in_hosted_domain_s3website=0 s- 
>info.domain=swift.example.com s->info.request_uri=/swift/v1/AUTH_a2e7b2ae4cef4c7e8d6397502132d575/CONTAINER-TEST/
2021-04-08 14:20:47.525 7f6b8de92700 10 ver=v1 first=CONTAINER-TEST req=
2021-04-08 14:20:47.525 7f6b8de92700 10 handler=28RGWHandler_REST_Bucket_SWIFT
2021-04-08 14:20:47.525 7f6b8de92700  2 req 102416 0.000s getting op 0
2021-04-08 14:20:47.525 7f6b8de92700 10 req 102416 0.000s swift:list_bucket scheduling with dmclock client=3 cost=1
2021-04-08 14:20:47.525 7f6b8de92700 10 op=28RGWListBucket_ObjStore_SWIFT
2021-04-08 14:20:47.525 7f6b8de92700  2 req 102416 0.000s swift:list_bucket verifying requester
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::TempURLEngine
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::TempURLEngine denied with reason=-13
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::SignedTokenEngine
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::SignedTokenEngine denied with reason=-1
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::keystone::TokenEngine
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::keystone::TokenEngine denied with reason=-13
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::SwiftAnonymousEngine
2021-04-08 14:20:47.526 7f6b8de92700 20 req 102416 0.001s swift:list_bucket rgw::auth::swift::SwiftAnonymousEngine granted access
2021-04-08 14:20:47.526 7f6b8de92700  2 req 102416 0.001s swift:list_bucket normalizing buckets and tenants
2021-04-08 14:20:47.526 7f6b8de92700 10 s->object=<NULL> s->bucket=CONTAINER-TEST
2021-04-08 14:20:47.526 7f6b8de92700  2 req 102416 0.001s swift:list_bucket init permissions
2021-04-08 14:20:47.526 7f6b8de92700 20 get_system_obj_state: rctx=0x7f6c95635690 obj=default.rgw.meta:root:CONTAINER-TEST state=0x5577e3bb53c0 s->prefetch_data=0
2021-04-08 14:20:47.526 7f6b8de92700 10 cache get: name=default.rgw.meta+root+CONTAINER-TEST : miss
2021-04-08 14:20:47.526 7f6b8de92700 20 WARNING: blocking librados call
2021-04-08 14:20:47.526 7f6b8de92700  1 -- 10.16.32.31:0/2574131204 --> [v2:10.16.32.4:6828/2112,v1:10.16.32.4:6829/2112] -- osd_op(unknown.0.0:182857 3.6 3:67cde518:root::TEST-                
0804:head [call version.read,getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e3199) v8 -- 0x5577eaf3a580 con 0x5577e2feec00
2021-04-08 14:20:47.527 7f6b8de92700 10 cache put: name=default.rgw.meta+root+CONTAINER-TEST info.flags=0x0
2021-04-08 14:20:47.527 7f6b8de92700 10 adding default.rgw.meta+root+CONTAINER-TEST to cache LRU end
2021-04-08 14:20:47.527 7f6b8de92700 20 rgw_get_user_attrs_by_uid(): anonymous user
2021-04-08 14:20:47.527 7f6b8de92700 20 rgw_get_user_attrs_by_uid(): anonymous user
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket recalculating target
2021-04-08 14:20:47.527 7f6b8de92700 10 Starting retarget
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket reading permissions
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket init op
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket verifying op mask
2021-04-08 14:20:47.527 7f6b8de92700 20 req 102416 0.002s swift:list_bucket required_mask= 1 user.op_mask=7
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket verifying op permissions
2021-04-08 14:20:47.527 7f6b8de92700 20 req 102416 0.002s swift:list_bucket -- Getting permissions begin with perm_mask=49
2021-04-08 14:20:47.527 7f6b8de92700  5 req 102416 0.002s swift:list_bucket Searching permissions for identity=rgw::auth::ThirdPartyAccountApplier(anonymous) ->     
rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=anonymous, acct_name=, subuser=, perm_mask=15, is_admin=0) mask=49
2021-04-08 14:20:47.527 7f6b8de92700  5 Searching permissions for uid=anonymous
2021-04-08 14:20:47.527 7f6b8de92700  5 Found permission: 15
2021-04-08 14:20:47.527 7f6b8de92700  5 Searching permissions for group=1 mask=49
2021-04-08 14:20:47.527 7f6b8de92700  5 Permissions for group not found
2021-04-08 14:20:47.527 7f6b8de92700  5 req 102416 0.002s swift:list_bucket -- Getting permissions done for identity=rgw::auth::ThirdPartyAccountApplier(anonymous) ->     
rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=anonymous, acct_name=, subuser=, perm_mask=15, is_admin=0), owner=anonymous, perm=1
2021-04-08 14:20:47.527 7f6b8de92700 10 req 102416 0.002s swift:list_bucket  identity=rgw::auth::ThirdPartyAccountApplier(anonymous) -> rgw::auth::SysReqApplier ->     
rgw::auth::LocalApplier(acct_user=anonymous, acct_name=, subuser=, perm_mask=15, is_admin=0) requested perm (type)=1, policy perm=1, user_perm_mask=1, acl perm=1
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket verifying op params
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket pre-executing
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket executing
2021-04-08 14:20:47.527 7f6b8de92700  2 req 102416 0.002s swift:list_bucket completing
2021-04-08 14:20:47.528 7f6b8de92700  2 req 102416 0.003s swift:list_bucket op status=-2002
2021-04-08 14:20:47.528 7f6b8de92700  2 req 102416 0.003s swift:list_bucket http status=404

Environment

  • Red Hat Ceph Storage (RHCS)
    • 4.0
    • 4.1
    • 4.2
  • Red Hat OpenStack Platform (RHOSP)
    • 13.x
    • 16.x

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content