Closed

[CDMI proxy] Public access permission does not work as expected

description

I have created the 'applicationcontainer/' container (for application zips and descriptions) with 'read' permission for the special user "Anonymous" (everybody must be able to read):

curl -v -u Admin:secret --digest -X PUT \
--header 'Accept: application/cdmi-container' \
--header 'Content-Type: application/cdmi-container' \
--header 'X-CDMI-Specification-Version: 1.0.1' \
--data '{"metadata" : { "cdmi_acl" : { "Anonymous" : "r", "Admin" : "rwd" }}}' \
http://mycdmiproxy.cloudapp.net:2365/applicationcontainer/


Then, I can't list the contents using another user (distinct from 'Admin'):
Entering this URL in the explorer:
http://mycdmiproxy.cloudapp.net:2365/applicationcontainer/
  • Using 'Admin' credentials, the server says:
    {"children": [], "metadata": {"cdmi_acl": {"Admin": "rwd", "Anonymous": "r"}}}
  • Using 'user' credentials, the server returns nothing.

Pointer to documentation:
http://resources.venus-c.eu/cdmiproxy/docs/configuration.html#authorization
Closed Jul 10, 2012 at 9:59 AM by ilja
Outdated, closing.

comments

ilja wrote Mar 26, 2012 at 9:51 AM

Yes, it's a bug, thank you for reporting! The authZ is done after authN, which means that if a user fails authN (e.g. if she doesn't provide credentials like in the case of public access), it never even gets to authz.

ilja wrote Apr 2, 2012 at 6:25 PM

Hi,

a small update on the bugfixing progress - basically, the problem is twofold - I've implemented support for Anonymous user (not yet released), but I'm afraid curl has a problem with simultaneous PUT and --digest authn (e.g. http://curl.haxx.se/mail/archive-2010-04/0028.html). A symptom is that content-length:0 is sent by curl with that request. Anyway, I'll be pushing a change after some more testing, but in general curl is not very good for setting values.

archi3 wrote Apr 2, 2012 at 8:07 PM

Thanks for the information. I use curl only for testing some CDMI operations and for showing the concrete operation I did. Actually I am implementing all of this in C#.

ilja wrote Apr 2, 2012 at 10:33 PM

Ok, using --anyauth instead of --digest does the trick for curl.

ilja wrote Apr 8, 2012 at 1:15 PM

Ok, I've implemented a custom handler for failed authZ, so now it should work. Both --digest and --anyauth are ok.

Please note that if you do provide (explicitly) credentials for a user who doesn't have permissions to read a certain container, then even if the anonymous access is there, you still cannot get in. It's a common behavior and a reason for tools like curl to first try anonymous access (if you do 'curl -v --anyauth -u user:cdmipass resource' you'll see 4 requests).

Please update your installation and tell me if it works for you.
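
The access decision described in the comments above, as an added sketch that is not part of the original thread or of the CDMI proxy's code. The function names, the outcome strings and the sample users are assumptions made for the illustration; the ACL is the one set in the report.

```python
# Added illustration; not code from the CDMI proxy. All names are hypothetical.
ANONYMOUS = "Anonymous"
# Constructed sample data; the ACL is the one set in the report.
USERS = {"Admin": "secret", "user": "cdmipass"}
ACL = {"Anonymous": "r", "Admin": "rwd"}


def authenticate(creds):
    """Return the user name for valid credentials, None for bad ones,
    and ANONYMOUS when no credentials were sent at all."""
    if creds is None:
        return ANONYMOUS
    name, password = creds
    return name if name in USERS and USERS[name] == password else None


def authorize(acl, principal, right):
    """Check one right ('r', 'w' or 'd') for exactly this principal."""
    return right in acl.get(principal, "")


def decide_buggy(acl, creds, right):
    """Reported behaviour: a request without credentials fails authN
    and is rejected before the ACL is ever consulted."""
    if creds is None or authenticate(creds) is None:
        return "challenge"
    return "allow" if authorize(acl, creds[0], right) else "deny"


def decide_fixed(acl, creds, right):
    """Behaviour after the fix: missing credentials map to Anonymous,
    while explicit credentials are judged only on that user's own entry."""
    principal = authenticate(creds)
    if principal is None:
        return "challenge"
    if authorize(acl, principal, right):
        return "allow"
    # An anonymous caller is asked to log in; a known user is refused.
    return "challenge" if principal == ANONYMOUS else "deny"
```

With the ACL from the report, an unauthenticated read is allowed only by decide_fixed, and 'user' with valid credentials is still refused because the Anonymous entry is not consulted for a named principal.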