Re: Custom ACL's are not being honoured.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jan 8, 2014 at 9:40 AM, Jaseer Tk <jaseer.tk@xxxxxxxxxx> wrote:
>
> Thanks Yehuda,
>
> But I am seeing only this much in the logs with the log options we set. I'll
> try once again and update you.

There should be much more.

>
> Do you think any global parameter (like region/zone settings or user's
> privileges ) could be causing these buckets to be writable all users ?
>

At the moment it looks like all users are actually mapping to the same
user, or something along that line. It is not highly unlikely that
misconfiguration caused it.

Yehuda


> Thank you,
> Jaseer TK
>
>
>
>
>
> On Wed, Jan 8, 2014 at 10:27 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote:
>>
>> On Tue, Jan 7, 2014 at 11:16 PM, Jaseer Tk <jaseer.tk@xxxxxxxxxx> wrote:
>> >
>> > Hi Yehuda,
>> >
>> > Thanks for response.
>> >
>> > my setup is on ubuntu 12.04 servers, ceph pkg's:
>> >
>> > ========
>> > ii  ceph                             0.72.2-1precise
>> > distributed storage and file system
>> > ii  ceph-common                      0.72.2-1precise
>> > common utilities to mount and interact with a ceph storage cluster
>> > ii  ceph-fs-common                   0.72.2-1precise
>> > common utilities to mount and interact with a ceph file system
>> > ii  ceph-mds                         0.72.2-1precise
>> > metadata server for the ceph distributed file system
>> > ==========
>> >
>> > rados version:
>> > =====
>> > ii  librados2                        0.72.2-1precise
>> > RADOS distributed object store client library
>> > ii  radosgw                          0.72.2-1precise
>> > REST gateway for RADOS distributed object store
>> > ii  radosgw-agent                    1.1-1precise
>> > =======
>> >
>> >
>> > rados conf:
>> >
>> > [client.radosgw.us-east-1]
>> >     rgw region = us
>> >     rgw region root pool = .us.rgw.root
>> >     rgw zone = east-1
>> >     rgw zone root pool = .us-east-1.rgw.root
>> >     keyring = /etc/ceph/ceph.client.radosgw.keyring
>> >     debug rgw = 20
>> >     debug ms = 1
>> >     rgw_dns_name = my_domain
>> >     rgw socket path = /var/run/ceph/client.radosgw.us-east-1.sock
>> >     log file = /var/log/ceph/radosgw.log
>> >     host = my_rados_hostname
>> >
>> >
>> > Logs while doing putacl,
>> > =========
>> > 2014-01-08 07:01:00.364967 7f0180f5d700 10 RGWWatcher::notify() opcode=1
>> > ver=1 bl.length()=462
>> > 2014-01-08 07:01:00.365006 7f0180f5d700 10 cache put:
>> > name=.us-east-1.rgw+.bucket.meta.App-Ops:east-1.5350.1
>> > 2014-01-08 07:01:00.365013 7f0180f5d700 10 moving
>> > .us-east-1.rgw+.bucket.meta.App-Ops:east-1.5350.1 to cache LRU end
>> > 2014-01-08 07:01:00.365017 7f0180f5d700 10 appending xattr:
>> > name=user.rgw.acl bl.length()=150
>> > 2014-01-08 07:01:01.501663 7f016bfff700  2
>> > RGWDataChangesLog::ChangesRenewThread: start
>> > ==========
>>
>> These aren't very thorough logs, looks like a very small snippet. Is
>> that all you're getting?
>>
>>
>> >
>> > No rgw logs when doing s3cmd del.
>> >
>> > I am using http://undesigned.org.za/2007/10/22/amazon-s3-php-class/ with
>> > minor modifications to use with rados s3 interface.
>> > getacl  shows my acl is applied. But user is still able to delete.
>> > Please
>> > let me know if you want me to share my php code for getacl and putacl.
>> >
>> >
>> >
>> >
>> > --
>> > Thank you,
>> > Jaseer TK
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > On Tue, Jan 7, 2014 at 9:30 PM, Yehuda Sadeh <yehuda@xxxxxxxxxxx> wrote:
>> >>
>> >> On Tue, Jan 7, 2014 at 2:40 AM, Jaseer Tk <jaseer.tk@xxxxxxxxxx> wrote:
>> >> >
>> >> > Hi all,
>> >> >
>> >> > I tried to apply custom ACL(only Read) on an s3 bucket created. The
>> >> > rules
>> >> > seems to have got applied. But it looks the ACL's not getting
>> >> > honored.
>> >> >
>> >> > when I use getacl, I get the result.
>> >> > =======
>> >> >
>> >> > Array
>> >> > (
>> >> >     [0] => Array
>> >> >         (
>> >> >             [Grantee] => Array
>> >> >                 (
>> >> >                     [ID] => test-user
>> >> >                     [DisplayName] => Test User
>> >> >                 )
>> >> >
>> >> >             [Permission] => READ
>> >> >         )
>> >> >
>> >> > )
>> >> >
>> >> >
>> >> > But Still this user is able to delete files from the bucket :(
>> >> >
>> >> > Am I missing something here ?
>> >> >
>> >> >
>> >> What version are you running? Just tried it with dumpling and it
>> >> worked ok. Can you provide rgw logs for it? (acl setting + removal;
>> >> set 'debug rgw = 20' and 'debug ms = 1').
>> >>
>> >> Thanks,
>> >> Yehuda
>> >
>> >
>> >
>> > _____________________________________________________________
>> > The information contained in this communication is intended solely for
>> > the
>> > use of the individual or entity to whom it is addressed and others
>> > authorized to receive it. It may contain confidential or legally
>> > privileged
>> > information. If you are not the intended recipient you are hereby
>> > notified
>> > that any disclosure, copying, distribution or taking any action in
>> > reliance
>> > on the contents of this information is strictly prohibited and may be
>> > unlawful. If you have received this communication in error, please
>> > notify us
>> > immediately by responding to this email and then delete it from your
>> > system.
>> > The firm is neither liable for the proper and complete transmission of
>> > the
>> > information contained in this communication nor for any delay in its
>> > receipt.
>
>
>
> _____________________________________________________________
> The information contained in this communication is intended solely for the
> use of the individual or entity to whom it is addressed and others
> authorized to receive it. It may contain confidential or legally privileged
> information. If you are not the intended recipient you are hereby notified
> that any disclosure, copying, distribution or taking any action in reliance
> on the contents of this information is strictly prohibited and may be
> unlawful. If you have received this communication in error, please notify us
> immediately by responding to this email and then delete it from your system.
> The firm is neither liable for the proper and complete transmission of the
> information contained in this communication nor for any delay in its
> receipt.
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com




[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux