gholt / swauth

This is the historical location of Swauth; active development is now at https://github.com/openstack/swauth

swauth-add-user problem #34

Closed viralpatadiya closed 12 years ago

viralpatadiya commented 12 years ago

Hi All,

We are running Swift 1.4.8 on Ubuntu 12.04 with swauth as authentication middleware.

When we try to add a non-admin user to the account using the account admin credentials, it throws the error "Account creation failed: 403 Forbidden", but it creates the user in the backend.

Looks like a bug in swauth with Swift 1.4.8.

Regards,

Viral Patadiya

gholt commented 12 years ago

It's probably having trouble creating the actual Swift account for the user. Do you have 'allow_account_management = true' in your proxy-server.conf?

You can check the logs to see if you can discover the precise subrequest that is getting the 403.

viralpatadiya commented 12 years ago

There are no 403 in logs.

There are 201 for the user added.

allow_account_management is already set to true.

viralpatadiya commented 12 years ago

The entire sequence of logs is given below:

Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 GET /v1/AUTH.auth/account-1/account-1 HTTP/1.0 200 - %25%28orig%29s%20Swauth - - - - tx75c03cb51b764e6885f4214f0e6c2a5b - 0.0023 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server 180.179.132.34 172.25.30.10 15/Jun/2012/01/11/31 PUT /auth/v2/account-1 HTTP/1.0 403 - - account-1%3Aaccount-1 - - - - - 0.0035
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 GET /v1/AUTH.auth/account-1/account-1 HTTP/1.0 200 - %25%28orig%29s%20Swauth - - - - tx30a2ae40d9e04a3f830692d1b5939099 - 0.0025 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 HEAD /v1/AUTH.auth/account-1 HTTP/1.0 204 - %25%28orig%29s%20Swauth - - - - tx30a2ae40d9e04a3f830692d1b5939099 - 0.0077 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 PUT /v1/AUTH.auth/account-1/user3 HTTP/1.0 201 - %25%28orig%29s%20Swauth - 134 - - tx30a2ae40d9e04a3f830692d1b5939099 - 0.0274 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server 180.179.132.34 172.25.30.10 15/Jun/2012/01/11/31 PUT /auth/v2/account-1/user3 HTTP/1.0 201 - - account-1%3Aaccount-1 - - - - - 0.0396

What does this indicate?

viralpatadiya commented 12 years ago

And the account is pre-created. I am just trying to add another non-admin user to the account using account admin credentials.

viralpatadiya commented 12 years ago

I tried creating the same non-admin user using the super_admin user, and it got created successfully without 403. This concludes that the non-admin user creation using the account admin credentials gives 403, but creates the user in the backend.

gholt commented 12 years ago

Ah interesting. Yes, it sounds like something is "not quite right" with the permissions. I'll have to double check things. I can't remember if the intent was "only reseller admin can create users and accounts" or if "admin users can create users for their own account." The second seems reasonable and seems to almost be working.

Thanks for the report and the logs!

gholt commented 12 years ago

Okay, it was a bug in the bin/swauth-add-user and not in the swauth middleware at least. The bin was always trying to create the account, even if it already existed.

gholt commented 12 years ago

Oh, I failed to mention: Luckily (in this case) it just kept on trying to add the user even if creating the account had failed. So, until the next Swauth release, you can just ignore that error message happily.
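
The log check suggested earlier in the thread, as an added example (not part of the thread and not Swauth's own code): it parses the proxy-server lines posted in this issue, flags refused calls to the client-facing /auth/v2 API, and reports the pattern described above, an account PUT refused followed by a user PUT under that account succeeding for the same caller. The field positions, in particular reading the third field after the status as the calling account:user, are inferred from the posted lines, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# The six proxy-server lines posted in this thread, one entry per line.
LOG = """\
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 GET /v1/AUTH.auth/account-1/account-1 HTTP/1.0 200 - %25%28orig%29s%20Swauth - - - - tx75c03cb51b764e6885f4214f0e6c2a5b - 0.0023 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server 180.179.132.34 172.25.30.10 15/Jun/2012/01/11/31 PUT /auth/v2/account-1 HTTP/1.0 403 - - account-1%3Aaccount-1 - - - - - 0.0035
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 GET /v1/AUTH.auth/account-1/account-1 HTTP/1.0 200 - %25%28orig%29s%20Swauth - - - - tx30a2ae40d9e04a3f830692d1b5939099 - 0.0025 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 HEAD /v1/AUTH.auth/account-1 HTTP/1.0 204 - %25%28orig%29s%20Swauth - - - - tx30a2ae40d9e04a3f830692d1b5939099 - 0.0077 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server - - 15/Jun/2012/01/11/31 PUT /v1/AUTH.auth/account-1/user3 HTTP/1.0 201 - %25%28orig%29s%20Swauth - 134 - - tx30a2ae40d9e04a3f830692d1b5939099 - 0.0274 -
Jun 15 06:41:31 Swift-Proxy2 proxy-server 180.179.132.34 172.25.30.10 15/Jun/2012/01/11/31 PUT /auth/v2/account-1/user3 HTTP/1.0 201 - - account-1%3Aaccount-1 - - - - - 0.0396
"""

# Fields after "proxy-server": client, remote, time, method, path, protocol,
# status, referer, user agent, then the caller (assumed from the posted lines).
LINE = re.compile(
    r"proxy-server (?P<client>\S+) (?P<remote>\S+) (?P<when>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) \S+ (?P<status>\d{3}) "
    r"(?P<referer>\S+) (?P<agent>\S+) (?P<caller>\S+)")

def parse(text):
    records = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["caller"] = unquote(rec["caller"])  # %3A decodes to ':'
            records.append(rec)
    return records

def denied_auth_calls(records):
    """Client-facing Swauth calls (/auth/v2/...) that were refused."""
    return [r for r in records
            if r["path"].startswith("/auth/v2/") and r["status"] in (401, 403)]

def denied_then_created(records):
    """(account path, user path, caller): account PUT refused, user PUT created."""
    hits = []
    for d in denied_auth_calls(records):
        for r in records:
            if (d["method"] == r["method"] == "PUT" and r["status"] == 201
                    and r["caller"] == d["caller"]
                    and r["path"].startswith(d["path"].rstrip("/") + "/")):
                hits.append((d["path"], r["path"], d["caller"]))
    return hits

if __name__ == "__main__":
    recs = parse(LOG)
    for r in denied_auth_calls(recs):
        print(r["status"], r["method"], r["path"], "caller:", r["caller"])
    for hit in denied_then_created(recs):
        print("refused account PUT, then user created:", hit)
```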