radosgw subusers permission problem

Mihály Árva-Tóth <mihaly.arva-toth@xxxxxxxxxxxxxxxxxxxxxx> · Fri, 23 Aug 2013 14:31:13 +0200

Hello,

I have an user with 3 subuser:

{ "user_id": "johndoe",
  "display_name": "John Doe",
  "email": "",

  "suspended": 0,
  "max_buckets": 1000,
  "auid": 0,
  "subusers": [
        { "id": "johndoe:readonly",
          "permissions": "read"},

        { "id": "johndoe:swift",
          "permissions": "full-control"},
        { "id": "johndoe:wo",
          "permissions": "write"}],

  "keys": [
        { "user": "johndoe",
          "access_key": "xxx",
          "secret_key": "xxx}],
  "swift_keys": [
        { "user": "johndoe:readonly",

          "secret_key": "abcde"},
        { "user": "johndoe:swift",
          "secret_key": "fghij"},
        { "user": "johndoe:wo",

          "secret_key": "klmno"}],
  "caps": []}

If I understand correct johndoe:readonly subuser has no privileges to create container or upload object. But I can do:

swift -V 1.0 -A http://localhost/auth -U johndoe:readonly -K abcde post testcontainer
swift -V 1.0 -A http://localhost/auth -U johndoe:readonly -K abcde upload testcontainer testfile.100

swift -V 1.0 -A http://localhost/auth -U johndoe:readonly -K abcde stat testcontainer sparse.100
       Account: v1
     Container: testcontainer
        Object: sparse.100

  Content Type: binary/octet-stream
Content Length: 5242880
 Last Modified: Fri, 23 Aug 2013 12:25:57 GMT
          ETag: 5f363e0e58a95f06cbe9bbc662c5dfb6
    Meta Mtime: 1372251959.01
.......

Another side, johndoe:wo user (who has write permission only) should not be able to list containers and objects. But I can do it:

swift -V 1.0 -A http://localhost/auth -U johndoe:wo -K klmno list testcontainer

sparse.100

Is there anything that I misunderstood?

Thank you,
Mihaly

_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com