Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow bucket location responses with empty Message (fixes #629) #630

Merged
merged 5 commits into from
Mar 31, 2017
Merged

allow bucket location responses with empty Message (fixes #629) #630

merged 5 commits into from
Mar 31, 2017

Conversation

jrandall
Copy link
Contributor

When Ceph radosgw responds to a bucket location request for a bucket which is not owned by the user, it issues an "AccessDenied" XML response that does not contain any <Message> element. Because of this, the code that handles "anonymous" buckets in processBucketLocationResponse is not triggered, as it is looking for both an errResp.Code of "AccessDenied" and also an errResp.Message containing the substring "Access Denied".

This PR changes the behaviour of processBucketLocationResponse to allow an empty errResp.Message to be treated the same as one that contains the substring "Access Denied".

Fixes #629

harshavardhana
harshavardhana requested changes Mar 22, 2017
View reviewed changes
bucket-cache.go Outdated
@@ -125,7 +125,7 @@ func processBucketLocationResponse(resp *http.Response, bucketName string) (buck
// For access denied error, it could be an anonymous
// request. Move forward and let the top level callers
// succeed if possible based on their policy.
if errResp.Code == "AccessDenied" && strings.Contains(errResp.Message, "Access Denied") {
if errResp.Code == "AccessDenied" && (errResp.Message == "" || strings.Contains(errResp.Message, "Access Denied")) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This logic looks pretty ugly, we can just look for errResp.Code == "AccessDenied" only.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@harshavardhana I would have no problem with removing the check on errResp.message entirely, I just was not aware of why that check existed and did not want to risk a regression against another system.

The conditions date back to when this code was first introduced in api-error-response.go in commit a856d43 but there does not appear to be any note there as to why the Message was a part of the condition. As you were the committer, if you have reason to think that errResp.code == "AccessDenied" is sufficient, I'll change to that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change was introduced because some users with S3 have IAM policy where they disable certain operations i.e returning AccessDenied only.

jrandall added 2 commits March 23, 2017 13:37
@jrandall
simplifies access denied conditional
17583f5 
Removes checks for "Access Denied" substring in the error response - if `errResp.Code == "AccessDenied"` for the bucket location request, that should be sufficient to trigger the fallback to default location.
@jrandall
Merge branch 'master' into 629-fix-ceph-radosgw-anonymous-bucket-loca…
16f42cb 
…tion
@harshavardhana
Copy link
Member

Can you fix the build @jrandall ?

@harshavardhana
Copy link
Member

Can you fix the build error @jrandall ?

@harshavardhana harshavardhana merged commit cb0b183 into minio:master Mar 31, 2017
@jrandall jrandall deleted the 629-fix-ceph-radosgw-anonymous-bucket-location branch March 31, 2017 22:51
This was referenced Jul 4, 2017
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@harshavardhana harshavardhana harshavardhana approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jrandall @harshavardhana