OpenStack Object Storage (swift)

swift-auth-create-account lets you create multiple users with same params but only single token exists causing problems on reset

Bug #607912 reported by Beau Croteau
16
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Object Storage (swift)
Fix Released
Undecided
Adam Jacob

Bug Description

Steps to reproduce:

bc@ubuntu:~/swift/trunk$ sqlite3 /etc/swift/auth.db 'select * from account; select * from token;'

bc@ubuntu:~/swift/trunk$ swift-auth-create-account test tester testing
http://127.0.0.1:8080/v1/b1d452ee-49f3-43d6-b8dd-d863742fe8ad

bc@ubuntu:~/swift/trunk$ st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat
   Account: b1d452ee-49f3-43d6-b8dd-d863742fe8ad
Containers: 0
   Objects: 0
     Bytes: 0

bc@ubuntu:~/swift/trunk$ sqlite3 /etc/swift/auth.db 'select * from account; select * from token;'
test|http://127.0.0.1:8080/v1/b1d452ee-49f3-43d6-b8dd-d863742fe8ad|b1d452ee-49f3-43d6-b8dd-d863742fe8ad|tester|testing
b1d452ee-49f3-43d6-b8dd-d863742fe8ad|tke67f7efa-869f-4baf-a00b-f820626d5e44|1279650877.95029

bc@ubuntu:~/swift/trunk$ swift-auth-create-account test tester testing
http://127.0.0.1:8080/v1/69c24e23-430e-47f1-a4f5-bde968e88601

bc@ubuntu:~/swift/trunk$ sqlite3 /etc/swift/auth.db 'select * from account; select * from token;'
test|http://127.0.0.1:8080/v1/b1d452ee-49f3-43d6-b8dd-d863742fe8ad|b1d452ee-49f3-43d6-b8dd-d863742fe8ad|tester|testing
test|http://127.0.0.1:8080/v1/69c24e23-430e-47f1-a4f5-bde968e88601|69c24e23-430e-47f1-a4f5-bde968e88601|tester|testing
b1d452ee-49f3-43d6-b8dd-d863742fe8ad|tke67f7efa-869f-4baf-a00b-f820626d5e44|1279650877.95029

bc@ubuntu:~/swift/trunk$ resetswift
No account-auditor running
Stopping account-server pid: 2312 signal: 15
Stopping account-server pid: 2311 signal: 15
Stopping account-server pid: 2310 signal: 15
Stopping account-server pid: 2309 signal: 15
No container-auditor running
No container-replicator running
Stopping container-server pid: 2323 signal: 15
Stopping container-server pid: 2322 signal: 15
Stopping container-server pid: 2321 signal: 15
Stopping container-server pid: 2320 signal: 15
No container-updater running
No object-auditor running
Stopping object-server pid: 2342 signal: 15
Stopping object-server pid: 2341 signal: 15
Stopping object-server pid: 2340 signal: 15
Stopping object-server pid: 2335 signal: 15
No object-replicator running
No object-updater running
Stopping proxy-server pid: 2305 signal: 15
No account-replicator running
Stopping auth-server pid: 2303 signal: 15
No account-reaper running
[sudo] password for bc:
meta-data=/dev/sdb1 isize=1024 agcount=4, agsize=1310238 blks
         = sectsz=512 attr=2
data = bsize=4096 blocks=5240950, imaxpct=25
         = sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0
log =internal log bsize=4096 blocks=2560, version=2
         = sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
rsyslog start/running, process 2886
Restarting memcached: memcached.

bc@ubuntu:~/swift/trunk$ startmain
Unable to increase file descriptor limit. Running as non-root?
Starting auth-server
Unable to increase file descriptor limit. Running as non-root?
Starting proxy-server
Unable to increase file descriptor limit. Running as non-root?
Starting account-server
Starting account-server
Starting account-server
Starting account-server
Unable to increase file descriptor limit. Running as non-root?
Starting container-server
Starting container-server
Starting container-server
Starting container-server
Unable to increase file descriptor limit. Running as non-root?
Starting object-server
Starting object-server
Starting object-server
Starting object-server
bc@ubuntu:~/swift/trunk$ st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat
Account not found

Related branches

lp:~adamhjk/swift/lp607912
Swift Core security contacts: Pending requested
Diff: 76 lines (+36/-8)
2 files modified
swift/auth/server.py (+28/-7)
test/unit/auth/test_server.py (+8/-1)
lp:~gholt/swift/acls2
Chuck Thier (community): Approve
Diff: 6866 lines (+2927/-890)
40 files modified
bin/st (+344/-134)
bin/swift-auth-add-user (+27/-15)
bin/swift-stats-populate (+2/-1)
bin/swift-stats-report (+22/-19)
doc/source/auth.rst (+1/-1)
doc/source/development_auth.rst (+484/-0)
doc/source/development_saio.rst (+8/-16)
doc/source/howto_cyberduck.rst (+2/-2)
doc/source/index.rst (+1/-0)
doc/source/misc.rst (+9/-0)
doc/source/overview_auth.rst (+16/-11)
etc/proxy-server.conf-sample (+6/-0)
setup.py (+1/-1)
swift/account/reaper.py (+1/-1)
swift/auth/server.py (+145/-85)
swift/common/client.py (+148/-75)
swift/common/direct_client.py (+40/-31)
swift/common/middleware/acl.py (+160/-0)
swift/common/middleware/auth.py (+80/-75)
swift/container/server.py (+7/-2)
swift/proxy/server.py (+140/-21)
test/functional/sample.conf (+15/-5)
test/functional/tests.py (+10/-6)
test/functionalnosetests/swift_testing.py (+51/-16)
test/functionalnosetests/test_account.py (+4/-3)
test/functionalnosetests/test_container.py (+229/-8)
test/functionalnosetests/test_object.py (+91/-0)
test/probe/test_account_failures.py (+30/-16)
test/probe/test_container_failures.py (+52/-52)
test/probe/test_object_async_update.py (+2/-2)
test/probe/test_object_handoff.py (+14/-15)
test/probe/test_running_with_each_type_down.py (+18/-9)
test/unit/auth/test_server.py (+128/-93)
test/unit/common/middleware/test_acl.py (+126/-0)
test/unit/common/middleware/test_auth.py (+149/-32)
test/unit/common/test_client.py (+6/-3)
test/unit/common/test_direct_client.py (+0/-1)
test/unit/container/test_server.py (+43/-0)
test/unit/obj/test_server.py (+22/-21)
test/unit/proxy/test_server.py (+293/-118)
Beau Croteau (crobe03)
affects: nova → swift
Adam Jacob (adamhjk)
Changed in swift:
assignee: nobody → Adam Jacob (adamhjk)
Adam Jacob (adamhjk)
Changed in swift:
status: New → Fix Committed
Revision history for this message
Adam Jacob (adamhjk) wrote :

The fix here is to look for a pre-existing user. If we find it, we re-use the UUID generated for that user, and update the password as needed.

Chuck Thier (cthier)
Changed in swift:
status: Fix Committed → In Progress
Revision history for this message
Chuck Thier (cthier) wrote :

Hey Adam,

I was taking a look at your branch, and it looks like it is working. I would suggest adding the following to the end of the test_create_account_already_exists:

        with self.controller.get_conn() as conn:
            rows = conn.execute('''
                SELECT password FROM account
                WHERE account = ? AND user = ?''',
                ('test','tester')).fetchall()
            self.assertEquals(len(rows), 1)
            self.assertEquals(rows[0][0], 'testily')

If you add that, then it should be good enough for a merge request.

Revision history for this message
Adam Jacob (adamhjk) wrote : Re: [Bug 607912] Re: swift-auth-create-account lets you create multiple users with same params but only single token exists causing problems on reset

Awesome - I'll add that, and adding that in to the test suite was the
one thing I didn't know how to do. :)

Adam

On Tue, Jul 27, 2010 at 11:35 AM, Chuck Thier <email address hidden> wrote:
> Hey Adam,
>
> I was taking a look at your branch, and it looks like it is working.  I
> would suggest adding the following to the end of the
> test_create_account_already_exists:
>
>        with self.controller.get_conn() as conn:
>            rows = conn.execute('''
>                SELECT password FROM account
>                WHERE account = ? AND user = ?''',
>                ('test','tester')).fetchall()
>            self.assertEquals(len(rows), 1)
>            self.assertEquals(rows[0][0], 'testily')
>
> If you add that, then it should be good enough for a merge request.
>
> --
> swift-auth-create-account lets you create multiple users with same params but only single token exists causing problems on reset
> https://bugs.launchpad.net/bugs/607912
> You received this bug notification because you are a bug assignee.
>

--
Opscode, Inc.
Adam Jacob, CTO
T: (206) 508-7449 E: <email address hidden>

Revision history for this message
gholt (gholt) wrote :

Heya Adam, since I was all over that code with my ACLs branch, I had to go ahead and fix that there. See the lp:~gholt/swift/acls branch; assuming that merge gets approved I'll mark this bug as fixed.

Revision history for this message
gholt (gholt) wrote :

Okay, now the lp:~gholt/swift/acls is lp:~gholt/swift/acls2 with the fix in it. We'll see if that branch gets approved.

Revision history for this message
gholt (gholt) wrote :

acls2 branch is now in, so this bug is fixed with that.

Changed in swift:
status: In Progress → Fix Committed
Chuck Thier (cthier)
Changed in swift:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.