Re: radosgw setting puplic ACLs fails.

Micha,

Did you ever figure out a workaround for this issue?

I also had plans of using s3cmd to put, and recursively set ACLs on a nightly basis... however, we are getting the 403 errors as well during our testing.

I was just wondering if you were able to find another solution.

Thanks in advance,

Shain 

Shain Miley | Manager of Systems and Infrastructure, Digital Media | smiley@xxxxxxx | 202.513.3649

________________________________________
From: ceph-users-bounces@xxxxxxxxxxxxxx [ceph-users-bounces@xxxxxxxxxxxxxx] on behalf of Yehuda Sadeh [yehuda@xxxxxxxxxxx]
Sent: Friday, November 08, 2013 1:24 PM
To: Micha Krause
Cc: ceph-users
Subject: Re:  radosgw setting puplic ACLs fails.

On Fri, Nov 8, 2013 at 5:09 AM, Micha Krause <micha@xxxxxxxxxx> wrote:
> Hi,
>
> I'm trying to set public ACLs to an object, so that I can access the object
> via Web-browser.
> unfortunately without success:
>
> s3cmd setacl --acl-public s3://test/hosts
> ERROR: S3 error: 403 (AccessDenied):
>
> The radosgw log says:
>
> x-amz-date:Fri, 08 Nov 2013 12:56:55 +0000
> /test/hosts?acl
> 2013-11-08 13:56:55.090604 7fe3314c6700 15 calculated
> digest=K6fFJdBvy1YXZw0kqZ7qt6sRkzk=
> 2013-11-08 13:56:55.090606 7fe3314c6700 15
> auth_sign=K6fFJdBvy1YXZw0kqZ7qt6sRkzk=
> 2013-11-08 13:56:55.090607 7fe3314c6700 15 compare=0
> 2013-11-08 13:56:55.090610 7fe3314c6700  2 req 60:0.000290:s3:PUT
> /hosts:put_acls:reading permissions
> 2013-11-08 13:56:55.090621 7fe3314c6700 20 get_obj_state: rctx=0xf32a50
> obj=.rgw:test state=0xf21888 s->prefetch_data=0
> 2013-11-08 13:56:55.090630 7fe3314c6700 10 moving .rgw+test to cache LRU end
> 2013-11-08 13:56:55.090632 7fe3314c6700 10 cache get: name=.rgw+test : hit
> 2013-11-08 13:56:55.090635 7fe3314c6700 20 get_obj_state: s->obj_tag was set
> empty
> 2013-11-08 13:56:55.090637 7fe3314c6700 20 Read xattr: user.rgw.idtag
> 2013-11-08 13:56:55.090639 7fe3314c6700 20 Read xattr: user.rgw.manifest
> 2013-11-08 13:56:55.090641 7fe3314c6700 10 moving .rgw+test to cache LRU end
> 2013-11-08 13:56:55.090642 7fe3314c6700 10 cache get: name=.rgw+test : hit
> 2013-11-08 13:56:55.090650 7fe3314c6700 20 rgw_get_bucket_info: bucket
> instance: test(@{i=.rgw.buckets.index}.rgw.buckets[default.4212.2])
> 2013-11-08 13:56:55.090654 7fe3314c6700 20 reading from
> .rgw:.bucket.meta.test:default.4212.2
> 2013-11-08 13:56:55.090659 7fe3314c6700 20 get_obj_state: rctx=0xf32a50
> obj=.rgw:.bucket.meta.test:default.4212.2 state=0xf39678 s->prefetch_data=0
> 2013-11-08 13:56:55.090663 7fe3314c6700 10 moving
> .rgw+.bucket.meta.test:default.4212.2 to cache LRU end
> 2013-11-08 13:56:55.090665 7fe3314c6700 10 cache get:
> name=.rgw+.bucket.meta.test:default.4212.2 : hit
> 2013-11-08 13:56:55.090668 7fe3314c6700 20 get_obj_state: s->obj_tag was set
> empty
> 2013-11-08 13:56:55.090670 7fe3314c6700 20 Read xattr: user.rgw.acl
> 2013-11-08 13:56:55.090671 7fe3314c6700 20 Read xattr: user.rgw.idtag
> 2013-11-08 13:56:55.090672 7fe3314c6700 20 Read xattr: user.rgw.manifest
> 2013-11-08 13:56:55.090674 7fe3314c6700 10 moving
> .rgw+.bucket.meta.test:default.4212.2 to cache LRU end
> 2013-11-08 13:56:55.090676 7fe3314c6700 10 cache get:
> name=.rgw+.bucket.meta.test:default.4212.2 : hit
> 2013-11-08 13:56:55.090690 7fe3314c6700 15 Read
> AccessControlPolicy<AccessControlPolicy
> xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>test</ID><DisplayName>Test</DisplayName></Owner><AccessControlList><Grant><Grantee
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="CanonicalUser"><ID>test</ID><DisplayName>Test</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2013-11-08 13:56:55.090702 7fe3314c6700 20 get_obj_state: rctx=0xf32a50
> obj=test:hosts state=0xf633e8 s->prefetch_data=0
> 2013-11-08 13:56:55.093871 7fe3314c6700 10 manifest: total_size = 156
> 2013-11-08 13:56:55.093875 7fe3314c6700 10 manifest: ofs=0 loc=test:hosts
> 2013-11-08 13:56:55.093876 7fe3314c6700 20 get_obj_state: setting s->obj_tag
> to default.4212.50
> 2013-11-08 13:56:55.093882 7fe3314c6700 15 Read
> AccessControlPolicy<AccessControlPolicy
> xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID>test</ID><DisplayName>Test</DisplayName></Owner><AccessControlList><Grant><Grantee
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="CanonicalUser"><ID>test</ID><DisplayName>Test</DisplayName></Grantee><Permission>FULL_CONTROL</Permission></Grant></AccessControlList></AccessControlPolicy>
> 2013-11-08 13:56:55.093889 7fe3314c6700  2 req 60:0.003568:s3:PUT
> /hosts:put_acls:verifying op mask
> 2013-11-08 13:56:55.093894 7fe3314c6700 20 required_mask= 2 user.op_mask=7
> 2013-11-08 13:56:55.093896 7fe3314c6700  2 req 60:0.003576:s3:PUT
> /hosts:put_acls:verifying op permissions
> 2013-11-08 13:56:55.093900 7fe3314c6700  5 Searching permissions for
> uid=test mask=56
> 2013-11-08 13:56:55.093903 7fe3314c6700  5 Found permission: 15
> 2013-11-08 13:56:55.093905 7fe3314c6700  5 Searching permissions for group=1
> mask=56
> 2013-11-08 13:56:55.093907 7fe3314c6700  5 Permissions for group not found
> 2013-11-08 13:56:55.093909 7fe3314c6700  5 Getting permissions id=test
> owner=test perm=8
> 2013-11-08 13:56:55.093912 7fe3314c6700 10  uid=test requested perm
> (type)=8, policy perm=8, user_perm_mask=15, acl perm=8
> 2013-11-08 13:56:55.093914 7fe3314c6700  2 req 60:0.003593:s3:PUT
> /hosts:put_acls:verifying op params
> 2013-11-08 13:56:55.093916 7fe3314c6700  2 req 60:0.003596:s3:PUT
> /hosts:put_acls:executing
> 2013-11-08 13:56:55.093938 7fe3314c6700 15 read len=343
> data=<AccessControlPolicy
> xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Owner><ID
> /></Owner><AccessControlList><Grant><Grantee
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI></Grantee><Permission>READ</Permission></Grant></AccessControlList></AccessControlPolicy>

The new ACL policy tries to set a new owner (with an empty id). The
gateway will reject any request to set owner (if owner doesn't match
original owner). Sounds like an s3cmd compatibility issue.

Yehuda
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
