Unable to access a public container in Swift integrated with Ceph RGW and Keystone
Issue
- After integrating Ceph RGW with Keystone and Swift, creating a public container through either Horizon or the CLI and then trying to access it (e.g. using curl) returns a 404 Not Found error:

      [...]
      < HTTP/1.1 404 Not Found
      < Content-Length: 12
      < X-Timestamp: 0.00000
      < X-Container-Object-Count: 0
      < X-Container-Bytes-Used: 0
      < X-Container-Bytes-Used-Actual: 0
      < X-Storage-Class: STANDARD
      < Last-Modified: Thu, 01 Jan 1970 00:00:00 GMT
      < X-Trans-Id: tx000000000000000019010-00606f3b6f-1f27d2-default
      < X-Openstack-Request-Id: tx000000000000000019010-00606f3b6f-1f27d2-default
      < Accept-Ranges: bytes
      < Content-Type: text/plain; charset=utf-8
      < Date: Thu, 08 Apr 2021 17:20:47 GMT
      <
      * Connection #0 to host swift.example.com left intact

- If the Auth Token for the public container is passed, the access is allowed with no issues (200 OK):

      [...]
      < HTTP/1.1 200 OK
      < Content-Length: 39
      < X-Timestamp: 1614864715.93403
      < X-Container-Object-Count: 1
      < X-Container-Bytes-Used: 172029
      < X-Container-Bytes-Used-Actual: 172032
      < X-Container-Read: .r:*,.rlistings
      < X-Storage-Policy: default-placement
      < X-Storage-Class: STANDARD
      < Last-Modified: Thu, 04 Mar 2021 13:33:19 GMT
      < X-Trans-Id: tx00000000000001e0d4465-006040e6b4-185647-default
      < X-Openstack-Request-Id: tx00000000000001e0d4465-006040e6b4-185647-default
      < Accept-Ranges: bytes
      < Content-Type: text/plain; charset=utf-8
      < Date: Thu, 04 Mar 2021 13:55:00 GMT
      <
      * Connection #0 to host swift.example.com left intact

- If the public container is created directly through RADOS Gateway (RGW) using an allowed user, bypassing Keystone, it is possible to access the public container, but not using Swift, either from Horizon or CLI.
- With debug logging enabled in RGW, error messages like the following appear:

      2021-04-08 14:20:47.525 7f6b8de92700 1 ====== starting new request req=0x7f6c95636670 =====
      2021-04-08 14:20:47.525 7f6b8de92700 2 req 102416 0.000s initializing for trans_id = tx000000000000000019010-00606f3b6f-1f27d2-default
      2021-04-08 14:20:47.525 7f6b8de92700 10 rgw api priority: s3=-1 s3website=-1
      2021-04-08 14:20:47.525 7f6b8de92700 10 host=swift.example.com
      2021-04-08 14:20:47.525 7f6b8de92700 20 subdomain= domain=swift.example.com in_hosted_domain=1 in_hosted_domain_s3website=0
      2021-04-08 14:20:47.525 7f6b8de92700 20 final domain/bucket subdomain= domain=swift.example.com in_hosted_domain=1 in_hosted_domain_s3website=0 s->info.domain=swift.example.com s->info.request_uri=/swift/v1/AUTH_a2e7b2ae4cef4c7e8d6397502132d575/CONTAINER-TEST/
      2021-04-08 14:20:47.525 7f6b8de92700 10 ver=v1 first=CONTAINER-TEST req=
      2021-04-08 14:20:47.525 7f6b8de92700 10 handler=28RGWHandler_REST_Bucket_SWIFT
      2021-04-08 14:20:47.525 7f6b8de92700 2 req 102416 0.000s getting op 0
      2021-04-08 14:20:47.525 7f6b8de92700 10 req 102416 0.000s swift:list_bucket scheduling with dmclock client=3 cost=1
      2021-04-08 14:20:47.525 7f6b8de92700 10 op=28RGWListBucket_ObjStore_SWIFT
      2021-04-08 14:20:47.525 7f6b8de92700 2 req 102416 0.000s swift:list_bucket verifying requester
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::TempURLEngine
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::TempURLEngine denied with reason=-13
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::SignedTokenEngine
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::SignedTokenEngine denied with reason=-1
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::keystone::TokenEngine
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::keystone::TokenEngine denied with reason=-13
      2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::SwiftAnonymousEngine
      2021-04-08 14:20:47.526 7f6b8de92700 20 req 102416 0.001s swift:list_bucket rgw::auth::swift::SwiftAnonymousEngine granted access
      2021-04-08 14:20:47.526 7f6b8de92700 2 req 102416 0.001s swift:list_bucket normalizing buckets and tenants
      2021-04-08 14:20:47.526 7f6b8de92700 10 s->object=<NULL> s->bucket=CONTAINER-TEST
      2021-04-08 14:20:47.526 7f6b8de92700 2 req 102416 0.001s swift:list_bucket init permissions
      2021-04-08 14:20:47.526 7f6b8de92700 20 get_system_obj_state: rctx=0x7f6c95635690 obj=default.rgw.meta:root:CONTAINER-TEST state=0x5577e3bb53c0 s->prefetch_data=0
      2021-04-08 14:20:47.526 7f6b8de92700 10 cache get: name=default.rgw.meta+root+CONTAINER-TEST : miss
      2021-04-08 14:20:47.526 7f6b8de92700 20 WARNING: blocking librados call
      2021-04-08 14:20:47.526 7f6b8de92700 1 -- 10.16.32.31:0/2574131204 --> [v2:10.16.32.4:6828/2112,v1:10.16.32.4:6829/2112] -- osd_op(unknown.0.0:182857 3.6 3:67cde518:root::TEST-0804:head [call version.read,getxattrs,stat] snapc 0=[] ondisk+read+known_if_redirected e3199) v8 -- 0x5577eaf3a580 con 0x5577e2feec00
      2021-04-08 14:20:47.527 7f6b8de92700 10 cache put: name=default.rgw.meta+root+CONTAINER-TEST info.flags=0x0
      2021-04-08 14:20:47.527 7f6b8de92700 10 adding default.rgw.meta+root+CONTAINER-TEST to cache LRU end
      2021-04-08 14:20:47.527 7f6b8de92700 20 rgw_get_user_attrs_by_uid(): anonymous user
      2021-04-08 14:20:47.527 7f6b8de92700 20 rgw_get_user_attrs_by_uid(): anonymous user
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket recalculating target
      2021-04-08 14:20:47.527 7f6b8de92700 10 Starting retarget
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket reading permissions
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket init op
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket verifying op mask
      2021-04-08 14:20:47.527 7f6b8de92700 20 req 102416 0.002s swift:list_bucket required_mask= 1 user.op_mask=7
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket verifying op permissions
      2021-04-08 14:20:47.527 7f6b8de92700 20 req 102416 0.002s swift:list_bucket -- Getting permissions begin with perm_mask=49
      2021-04-08 14:20:47.527 7f6b8de92700 5 req 102416 0.002s swift:list_bucket Searching permissions for identity=rgw::auth::ThirdPartyAccountApplier(anonymous) -> rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=anonymous, acct_name=, subuser=, perm_mask=15, is_admin=0) mask=49
      2021-04-08 14:20:47.527 7f6b8de92700 5 Searching permissions for uid=anonymous
      2021-04-08 14:20:47.527 7f6b8de92700 5 Found permission: 15
      2021-04-08 14:20:47.527 7f6b8de92700 5 Searching permissions for group=1 mask=49
      2021-04-08 14:20:47.527 7f6b8de92700 5 Permissions for group not found
      2021-04-08 14:20:47.527 7f6b8de92700 5 req 102416 0.002s swift:list_bucket -- Getting permissions done for identity=rgw::auth::ThirdPartyAccountApplier(anonymous) -> rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=anonymous, acct_name=, subuser=, perm_mask=15, is_admin=0), owner=anonymous, perm=1
      2021-04-08 14:20:47.527 7f6b8de92700 10 req 102416 0.002s swift:list_bucket identity=rgw::auth::ThirdPartyAccountApplier(anonymous) -> rgw::auth::SysReqApplier -> rgw::auth::LocalApplier(acct_user=anonymous, acct_name=, subuser=, perm_mask=15, is_admin=0) requested perm (type)=1, policy perm=1, user_perm_mask=1, acl perm=1
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket verifying op params
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket pre-executing
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket executing
      2021-04-08 14:20:47.527 7f6b8de92700 2 req 102416 0.002s swift:list_bucket completing
      2021-04-08 14:20:47.528 7f6b8de92700 2 req 102416 0.003s swift:list_bucket op status=-2002
      2021-04-08 14:20:47.528 7f6b8de92700 2 req 102416 0.003s swift:list_bucket http status=404

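One way to triage a debug log like the one above, as an added example that is not Red Hat's or Ceph's own code: the Python below groups RGW log lines by request id, records which authentication engines denied or granted the request, and captures the final op and HTTP status. The function names are hypothetical, and the sample input is an excerpt of the log lines shown above.

```python
import re

# Excerpt of the RGW debug log shown above (only the line types the parser reads).
SAMPLE_LOG = """\
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::DefaultStrategy: trying rgw::auth::swift::TempURLEngine
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::TempURLEngine denied with reason=-13
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::swift::SignedTokenEngine denied with reason=-1
2021-04-08 14:20:47.525 7f6b8de92700 20 req 102416 0.000s swift:list_bucket rgw::auth::keystone::TokenEngine denied with reason=-13
2021-04-08 14:20:47.526 7f6b8de92700 20 req 102416 0.001s swift:list_bucket rgw::auth::swift::SwiftAnonymousEngine granted access
2021-04-08 14:20:47.528 7f6b8de92700 2 req 102416 0.003s swift:list_bucket op status=-2002
2021-04-08 14:20:47.528 7f6b8de92700 2 req 102416 0.003s swift:list_bucket http status=404
"""

# "req <id> <elapsed> <api>:<operation> <message>", as in the lines above.
LINE = re.compile(r"req (?P<req>\d+) \S+ (?P<op>\w+:\w+) (?P<msg>.*)$")
AUTH = re.compile(r"(?P<engine>rgw::auth::\S+Engine) "
                  r"(?:denied with reason=(?P<reason>-?\d+)|(?P<granted>granted access))")
STATUS = re.compile(r"(?P<kind>op|http) status=(?P<code>-?\d+)")

def summarize(log_text):
    """Group log lines by request id; record auth outcomes and final status."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a request id and operation are skipped
        r = requests.setdefault(m["req"], {
            "op": m["op"], "denied": {}, "granted_by": None,
            "op_status": None, "http_status": None})
        if (a := AUTH.search(m["msg"])):
            if a["granted"]:
                r["granted_by"] = a["engine"]
            else:
                r["denied"][a["engine"]] = int(a["reason"])
        elif (s := STATUS.search(m["msg"])):
            r[s["kind"] + "_status"] = int(s["code"])
    return requests

def anonymous_but_failed(requests):
    """Request ids the anonymous engine accepted that still ended in an HTTP error."""
    return [rid for rid, r in requests.items()
            if (r["granted_by"] or "").endswith("SwiftAnonymousEngine")
            and (r["http_status"] or 0) >= 400]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), anonymous_but_failed(summarize(SAMPLE_LOG)))
```

For request 102416 this reports that SwiftAnonymousEngine granted access and the operation still ended with op status -2002 and HTTP 404, so the request failed after authentication rather than being rejected by it.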
Environment
- Red Hat Ceph Storage (RHCS)
  - 4.0
  - 4.1
  - 4.2
- Red Hat OpenStack Platform (RHOSP)
  - 13.x
  - 16.x