Re: radosgw forgetting subuser permissions when creating a fresh key

On Mon, Jun 25, 2012 at 4:57 AM, Florian Haas <florian@xxxxxxxxxxx> wrote:
> Hi everyone,
>
> I wonder if this is intentional: when I create a new Swift key for an
> existing subuser, which has previously been assigned "full control"
> permissions, those permissions appear to get lost upon key creation.
>
> # radosgw-admin subuser create --uid=johndoe --subuser=johndoe:swift --access=full
> { "user_id": "johndoe",
>  "rados_uid": 0,
>  "display_name": "John Doe",
>  "email": "john@xxxxxxxxxxx",
>  "suspended": 0,
>  "subusers": [
>    { "id": "johndoe:swift",
>      "permissions": "full-control"}],
>  "keys": [
>    { "user": "johndoe",
>      "access_key": "QFAMEDSJP5DEKJO0DDXY",
>      "secret_key": "iaSFLDVvDdQt6lkNzHyW4fPLZugBAI1g17LO0+87"}],
>  "swift_keys": []}
>
> Note "permissions": "full-control"
>
> # radosgw-admin key create --subuser=johndoe:swift --key-type=swift
> { "user_id": "johndoe",
>  "rados_uid": 0,
>  "display_name": "John Doe",
>  "email": "john@xxxxxxxxxxx",
>  "suspended": 0,
>  "subusers": [
>     { "id": "johndoe:swift",
>       "permissions": "<none>"}],
>  "keys": [
>    { "user": "johndoe",
>      "access_key": "QFAMEDSJP5DEKJO0DDXY",
>      "secret_key": "iaSFLDVvDdQt6lkNzHyW4fPLZugBAI1g17LO0+87"}],
>  "swift_keys": [
>    { "user": "johndoe:swift",
>      "secret_key": "E9T2rUZNu2gxUjcwUBO8n\/Ev4KX6\/GprEuH4qhu1"}]}
>
> Note that while there is now a key, the permissions are gone. Is this
> meant to be a security feature of sorts, or is this a bug? "subuser
> modify" can obviously restore the permissions, but it seems to be less
> than desirable to have to do that.
>
I'm having trouble assigning a security reasoning behind this one, so
let's just call it a bug. I opened issue #2650, and pushed branch
wip-2650 with a possible fix. You can cherry pick the top commit there
and test it.

Thanks,
Yehuda
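
An added example, not part of the original thread or of the Ceph code base: a Python check that compares the JSON printed by `radosgw-admin` before and after an operation and reports subusers whose permissions changed, which is one way to confirm the behaviour described above and to test a fix. The two sample documents are constructed from the shape of the quoted output, with key material replaced by placeholders; the function names are hypothetical.

```python
import json

# Constructed samples following the shape of the output quoted in the thread.
# Key material is replaced with placeholders.
BEFORE = json.loads("""
{ "user_id": "johndoe",
  "subusers": [ { "id": "johndoe:swift", "permissions": "full-control" } ],
  "keys": [ { "user": "johndoe", "access_key": "ACCESS_PLACEHOLDER",
              "secret_key": "SECRET_PLACEHOLDER" } ],
  "swift_keys": [] }
""")
AFTER = json.loads("""
{ "user_id": "johndoe",
  "subusers": [ { "id": "johndoe:swift", "permissions": "<none>" } ],
  "keys": [ { "user": "johndoe", "access_key": "ACCESS_PLACEHOLDER",
              "secret_key": "SECRET_PLACEHOLDER" } ],
  "swift_keys": [ { "user": "johndoe:swift",
                    "secret_key": "SWIFT_SECRET_PLACEHOLDER" } ] }
""")


def subuser_permissions(info):
    """Map subuser id -> permissions string from a user-info document."""
    return {s["id"]: s.get("permissions", "<none>")
            for s in info.get("subusers", [])}


def permission_changes(before, after):
    """List (subuser, old, new) for every subuser whose permissions differ.

    new is None when the subuser no longer exists in the later document.
    """
    old, new = subuser_permissions(before), subuser_permissions(after)
    return [(sub, perm, new.get(sub))
            for sub, perm in sorted(old.items())
            if new.get(sub) != perm]


def keys_without_access(info):
    """Subusers that hold a Swift key but have "<none>" permissions."""
    perms = subuser_permissions(info)
    return sorted(k["user"] for k in info.get("swift_keys", [])
                  if perms.get(k["user"]) == "<none>")


if __name__ == "__main__":
    for sub, was, now in permission_changes(BEFORE, AFTER):
        print(f"{sub}: permissions changed from {was!r} to {now!r}")
    for sub in keys_without_access(AFTER):
        print(f"{sub}: has a Swift key but no permissions")
```
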