From: Li Wang
To:
Cc: Yehuda Sadeh, Li Wang, Yunchuan Wen
Subject: [PATCH V2] radosgw: receiving unexpected error code while accessing an non-existing object by authorized not-owner user
Date: Thu, 18 Apr 2013 21:20:44 +0800
Message-Id: <1366291244-5869-1-git-send-email-liwang@ubuntukylin.com>

This patch fixes a bug in the radosgw swift compatibility code, that is, if a
not-owner but authorized user accesses a non-existing object in a container,
he will receive an unexpected error code. To repeat this bug, do the following
steps:

1 User1 creates a container, and grants the read/write permission to user2

    curl -X PUT -i -k -H "X-Auth-Token: $user1_token" $url/$container
    curl -X POST -i -k -H "X-Auth-Token: $user1_token" -H "X-Container-Read: $user2" -H "X-Container-Write: $user2" $url/$container

2 User2 queries the object 'obj' in the newly created container by using the
  HEAD instruction; note the container currently is empty

    curl -X HEAD -i -k -H "X-Auth-Token: $user2_token" $url/$container/obj

3 The response received by user2 is '401 Authorization Required', rather than
  the expected '404 Not Found', the details
are as follows, HTTP/1.1 401 Authorization Required Date: Tue, 16 Apr 2013 01:52:49 GMT Server: Apache/2.2.22 (Ubuntu) Accept-Ranges: bytes Content-Length: 12 Vary: Accept-Encoding Content-Type: text/plain; charset=utf-8 Signed-off-by: Yunchuan Wen Signed-off-by: Li Wang --- src/rgw/rgw_op.cc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index d2fbeeb..ef6448c 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -268,7 +268,7 @@ static int read_policy(RGWRados *store, struct req_state *s, RGWBucketInfo& buck return ret; string& owner = bucket_policy.get_owner().get_id(); if (owner.compare(s->user.user_id) != 0 && - !bucket_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_READ)) + !bucket_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_READ) && !bucket_policy.verify_permission(s->user.user_id, RGW_PERM_READ_OBJS, RGW_PERM_READ_OBJS)) ret = -EACCES; else ret = -ENOENT;
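Review bot: In the added condition in read_policy(), the new verify_permission() call passes RGW_PERM_READ_OBJS as its second argument, where the existing call just before it passes s->perm_mask, so the request's own permission mask is not applied to the new check. A request whose mask excludes read access but whose user holds RGW_PERM_READ_OBJS on the bucket would now fall through to "ret = -ENOENT" instead of "ret = -EACCES". Unless that is intended, pass s->perm_mask here as well, i.e. verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_READ_OBJS); if bypassing the mask is deliberate, add a comment saying why. The combined condition is also long enough that it should be split so each verify_permission() call sits on its own line.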