Cyberduck Mountain Duck CLI

#8959 closed defect (duplicate)

Rackspace cloudfiles ACL only access

Reported by: matiu Owned by: dkocher
Priority: normal Milestone: 4.7.2
Component: cloudfiles Version: 4.7.1
Severity: normal Keywords:
Cc: Architecture: Intel
Platform: Mac OS X 10.8

Description (last modified by dkocher)

To Re-create:

  1. Using Rackspace cloud files create a user with zero access to anything (eg. my_user)
  2. Using cloud files ACL lists, grant access to a certain container (eg. /my_container) (http://docs.rackspace.com/files/api/v1/cf-devguide/content/Container_ACLs-d1e2222.html)
  3. Try to access that container (making sure to use 'More Options' and make sure that the path says /my_container

State

  • In version 4.3.1 (11010) - This works, you can list the folder contents and modify files
  • Using plain old curl it works.
  • In cyberduck versions later than 4.3.1 it doesn't work

More detailed instructions

Creating the restricted user

  1. Log in to https://mycloud.rackspace.com (sign up if you don't have a log in, it won't cost anything to create a single cloud files container and add a 1k file).
  2. Click 'Account' in the top right
  3. Click 'User Management'
  4. Click the 'Create User' button
  5. Make up a user name and password and security answer
  6. Under 'Product Access' choose 'No Access'
  7. Make up a name and email for them
  8. Click 'Create User' at the bottom of the form
  9. Take a note of the username and apikey for later

Creating the container

  1. Still in https://mycloud.rackspace.com - click Storage, Files
  2. Click 'Create Container' and give it a name
  3. Take a note of which DC it's in. (Example uses DFW).

Granting ACL to 'my_user'

Instead of using curl, I'm using httpie and jq as it's heaps easier:

Using the username and the API key of the Rackspace cloud ACCOUNT OWNER...

You can run this in bash, to grant 'my_user', access to 'my_container' in the DFW cloud files:

USER=admin
KEY=some_long_api_key
json=$(echo "{ \"auth\":{ \"RAX-KSKEY:apiKeyCredentials\":{ \"username\":\"${USER}\", \"apiKey\":\"${KEY}\" } } }" | http POST https://auth.api.rackspacecloud.com/v2.0/tokens)
token=$(echo $json | jq -r '.access | .token | .id')
auth="X-Auth-Token:$token"
url=$(echo $json | jq -r '.access | .serviceCatalog | .[] | select(.name == "cloudFiles") | .endpoints | .[] | select(.region == "DFW") | .publicURL')
http POST $url/my_container X-Container-Read:my_user X-Container-Write:my_user $auth

Now in Cyberduck 4.3.1 as 'my_user' you can list 'my_container', and upload to it, but in later versions you can't.

Change History (12)

comment:1 Changed on Jul 30, 2015 at 2:42:36 PM by dkocher

  • Component changed from core to cloudfiles
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 Changed on Jul 30, 2015 at 2:42:56 PM by dkocher

  • Description modified (diff)

comment:3 Changed on Jul 31, 2015 at 7:49:01 AM by dkocher

Can you please additionally open a ticket with Rackspace Support to get their input on this use case. We switched from legacy 1.0 devauth) to Keystone (2.0) authentication in version 4.4. As a workaround, please install the Openstack Swift (v1) profile.

Last edited on Jul 31, 2015 at 8:21:29 AM by dkocher (previous) (diff)

comment:4 Changed on Jul 31, 2015 at 7:50:13 AM by dkocher

Additionally, please post the transcript from the log drawer (⌘-L).

comment:5 Changed on Jul 31, 2015 at 7:54:26 AM by dkocher

  • Description modified (diff)

comment:6 Changed on Jul 31, 2015 at 7:55:57 AM by dkocher

  • Description modified (diff)

comment:7 Changed on Jul 31, 2015 at 8:00:18 AM by dkocher

  • Description modified (diff)

comment:8 in reply to: ↑ description Changed on Jul 31, 2015 at 8:02:03 AM by dkocher

Replying to matiu:

Instead of using curl, I'm using httpie and jq as it's heaps easier:

brew install httpie jq
Last edited on Jul 31, 2015 at 8:02:22 AM by dkocher (previous) (diff)

comment:9 follow-up: Changed on Jul 31, 2015 at 8:10:14 AM by dkocher

This could be the same issue as in #8517.

comment:10 in reply to: ↑ 9 Changed on Jul 31, 2015 at 8:14:08 AM by dkocher

Replying to dkocher:

This could be the same issue as in #8517.

I can reproduce the issue.

comment:11 in reply to: ↑ description Changed on Jul 31, 2015 at 8:15:24 AM by dkocher

Replying to matiu:

http POST $url/my_container X-Container-Read:my_user X-Container-Write:my_user $auth

You can easily set these headers in Metadata of the Info window in Cyberduck.

comment:12 Changed on Jul 31, 2015 at 8:41:38 AM by dkocher

  • Resolution set to duplicate
  • Status changed from assigned to closed

Duplicate for #8517.

Note: See TracTickets for help on using tickets.