juju-core

ACLs not sticking when creating swift container

Bug #1246517 reported by Ian Booth
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Go OpenStack Exchange
Fix Released
High
sodre
juju-core
Fix Released
Low
Ian Booth
juju-core 1.17.0

Bug Description

It appears some openstack implementations (eg RadosGW) do not like to set the ACLs in the same request used to create a container. So the operation needs to be split in two.

See http://paste.ubuntu.com/6332775/

See original description
Tags: bootstrap

Related branches

lp:~psodre/goose/radosgw-acl
Ian Booth: Approve
Diff: 54 lines (+17/-3)
2 files modified
swift/swift.go (+13/-3)
testservices/swiftservice/service_http.go (+4/-0)
lp:~wallyworld/juju-core/goose-rev110
Ian Booth: Approve
Diff: 12 lines (+1/-1)
1 file modified
dependencies.tsv (+1/-1)
Revision history for this message
sodre (psodre) wrote :

I have also tested with a long password and the bug persists.

My setup is OpenStack Havana setup with Ceph and RadosGW instead of Swift.

I have the impression RadosGW could be an issue here.

Revision history for this message
sodre (psodre) wrote :

I have tracked down the issue:

The runcmd script writes the *unauthenticated* link to the provider-state-url
    echo 'http://m1basic-04.vm.maas:80/swift/v1/pet.sodre.juju-control-01/provider-state' > /tmp/provider-state-url
and then calls
   /var/lib/juju/tools/1.16.0-precise-amd64/jujud bootstrap-state --data-dir '/var/lib/juju' --env-config <<... truncated ...>>

Once I sshed to my swift/radosgw server and looked at /var/log/apache2/access.log I noticed the following line.
   10.11.168.4 - - [31/Oct/2013:05:19:15 +0000] "GET /swift/v1/pet.sodre.juju-control-01/provider-state HTTP/1.1" 401 301 "-" "Go 1.1 package http"
In other words, the 401 error saying that GET was not authorized.

I checked that this was truly the reason for the panic by temporarily granting full read access to the bucket and rerunning the runcmd script. This was done after killing the var/lib/juju/db folder and killing mongod.

Once that went through, the machine is stuck on pending state.

sodre@ubuntu:~/gocode/src/launchpad.net$ juju status
environment: sodre-pet
machines:
  "0":
    agent-state: pending
    dns-name: 10.11.168.4
    instance-id: ca111c7c-425b-4cba-b725-c0d329d2439b
    instance-state: ACTIVE
    series: precise
    hardware: arch=amd64 cpu-cores=1 mem=2048M root-disk=20480M
services: {}

Revision history for this message
sodre (psodre) wrote :

After more research and talking to wallyworld_ we pointed out that the reason is in integration with Juju and RadosGW.

In particular, Juju is not able to set .r:* and .rlistings permissions when creating the control bucket.

At the moment, the workaround is to have the user create the control bucket through the swift api, with .r:* permissions set, e.g.

swift post juju-control --read-acl .r:*

After that is done, issue

juju bootstrap

Remarks:
There is a patch for enabling rlistings in RadosGW
http://permalink.gmane.org/gmane.comp.file-systems.ceph.devel/14116

For some reason it has not made it into the ubuntu packages or upstream yet.

Ian Booth (wallyworld)
summary: - user edited admin-secret causes panic in cloud-init
+ ACLs not sticking when creating swift container
description: updated
Changed in goose:
assignee: nobody → Patrick Carlos (sodre)
importance: Undecided → High
Changed in juju-core:
milestone: none → 1.17.0
assignee: nobody → Ian Booth (wallyworld)
Changed in goose:
assignee: Patrick Carlos (sodre) → sodre (psodre)
Ian Booth (wallyworld)
Changed in goose:
status: New → Fix Committed
Changed in juju-core:
status: Triaged → In Progress
Ian Booth (wallyworld)
Changed in juju-core:
status: In Progress → Fix Committed
Curtis Hovey (sinzui)
Changed in goose:
status: Fix Committed → Fix Released
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.