ovh / public-cloud-roadmap

Agile roadmap for OVHcloud Public Cloud services. Discover the features our product teams are working on, comment and influence our backlog.
https://www.ovhcloud.com/en/public-cloud/

Swift CORS access on private object storage #95

Closed drzraf closed 1 year ago

drzraf commented 3 years ago

Note: The feature proposal has been proposed via OVH support... and closed. It apparently led to my account at community.ovh.com being held and posts being flagged/hidden. I'm sorry I can't reference here the original topic where the rationales and issues at pace were thoughtfully explained.

Problem: When the object storage is used from a browser, CORS restrictions apply... during the authentication (token gathering) phase: we can't fetch X-Subject-Token when calling /auth/tokens.

The reason this header is not available is that the following header must be exposed:

Access-Control-Expose-Headers: X-Subject-Token

But the preflight does not return some Access-Control-Allow-Headers that would allow the browser to fetch this header's value and continue.

The good thing is that this is plainly configurable by OVH administrators in the OpenStack configuration: https://docs.openstack.org/keystone/pike/configuration/samples/keystone-conf.html The value of "expose_headers" in the [cors] section is here for this.

In case of Ansible deployment (https://docs.openstack.org/openstack-ansible-os_keystone/queens/), it's possible to use keystone_extra_headers.

Workarounds explored:

I hope this great feature (private use of containers from the browser) could be unlocked, the stack of the problem analyzed (and the fact that I got locked from community.ovh.com for suggesting it... be reconsidered [moderators can't be contacted]).

Thank you
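Why the token header is unreadable, as an added example (not part of the original post, and not OVH or OpenStack code): a sketch of the response-header filtering a browser applies to cross-origin responses, run on constructed token responses. The origin `https://app.example`, the function names and the sample header values are assumptions, including that the response already passes the origin check.

```javascript
// Added example: models the header filtering a browser applies to a CORS response.
// All header values are constructed samples, not captured from a real endpoint.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]); // never exposed to scripts

// Lower-cased names of the response headers a cross-origin script may read,
// or null when the CORS check itself fails (the script sees a network error).
function readableHeaders(origin, headers, withCredentials = false) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // 1. The response must allow the requesting origin.
  const allowOrigin = h["access-control-allow-origin"];
  const allowed = withCredentials
    ? allowOrigin === origin && h["access-control-allow-credentials"] === "true"
    : allowOrigin === "*" || allowOrigin === origin;
  if (!allowed) return null;

  // 2. Readable names = safelist + names listed in Access-Control-Expose-Headers.
  const exposed = (h["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  // "*" acts as a wildcard only for requests sent without credentials.
  const wildcard = !withCredentials && exposed.includes("*");

  return Object.keys(h)
    .filter((n) => !FORBIDDEN.has(n))
    .filter((n) => wildcard || SAFELISTED.has(n) || exposed.includes(n))
    .sort();
}

function canReadToken(origin, headers, withCredentials = false) {
  const names = readableHeaders(origin, headers, withCredentials);
  return names !== null && names.includes("x-subject-token");
}

const ORIGIN = "https://app.example"; // hypothetical web app origin
// Token response that passes the origin check but exposes nothing extra.
const asReported = {
  "Access-Control-Allow-Origin": ORIGIN,
  "Content-Type": "application/json",
  "X-Subject-Token": "<token>",
};
// Same response once the server adds the header quoted in the post.
const withExpose = { ...asReported, "Access-Control-Expose-Headers": "X-Subject-Token" };

console.log(canReadToken(ORIGIN, asReported), canReadToken(ORIGIN, withExpose));
```

Exposing the token header makes it readable by script on every origin the CORS policy allows, so the allowed-origin list should be kept to the application's own origins.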

SDAChess commented 3 years ago

I'm having the exact same issue with this. Hoping for a fix to work in the browser...

tex0l commented 2 years ago

I'm having this issue as well

GTorreil commented 2 years ago

We are having the same issue using the S3 API. Hoping for a fix to work in the browser as well. This is a real deal breaker :(

rverchere commented 1 year ago

Hi,

I see this issue moved to "Released (Changelog)". So is it implemented?

Does it also work on your "Standard Object Storage – S3 API"?

CorentinStauder commented 1 year ago

I also need CORS compatibility for S3 object storage, any news? Has anyone managed to do this?

Izaia64 commented 1 year ago

It is working. We are working on documentation to help users; it will be published soon.

acouette commented 1 year ago

Hello @Izaia64,

Any update?

Do you mean it is working for the "S3 API" as well or only the "Standard Object Storage"?

CorentinStauder commented 1 year ago

Working for me with standard object storage; you need to set it up with the AWS CLI, something like:

aws s3api put-bucket-cors --bucket my-bucket --cors-configuration file://cors.json

and cors.json:

{
  "CORSRules": [
    {
      "AllowedHeaders": ["header1", "header2", ...etc],
      "AllowedMethods": ["GET", "HEAD", ...etc],
      "AllowedOrigins": ["https://<origin-domain>", ...etc],
      "ExposeHeaders": ["Access-Control-Allow-Origin"]
    }
  ]
}

I also had an error message saying cors not enabled but the "real" error was AWS sdk not signing with v4 signature by default.

Hope it will help 👍

acouette commented 1 year ago

Thank you @CorentinStauder, indeed it works smoothly with the aws s3 client for the s3 object storage.

lason-ovh commented 1 year ago

Hi, you can find the documentation here

drzraf commented 1 year ago

@lason-ovh: This issue mustn't be closed because it does affect OpenStack Swift and that's the main purpose of this issue.