
[horizon,swift] When accessing any file (public/private) without authenticating first you get a 500 error
Closed, Invalid · Public · BUG REPORT

Assigned To
None
Authored By
dcaro
Mon, May 13, 7:39 AM
Referenced Files
F52905703: image.png
Mon, May 13, 1:22 PM
F52905661: image.png
Mon, May 13, 1:22 PM
F52875107: image.png
Mon, May 13, 7:39 AM

Description

Steps to replicate the issue (include links if applicable):

What happens?:
You get a 500 error:

image.png (548×423 px, 29 KB)

What should have happened instead?:

You should get a 401 error and get redirected to the login page (and once logged in, redirected back to the file).

Software version (on Special:Version page; skip for WMF-hosted wikis like Wikipedia):

Other information (browser name/version, screenshots, etc.):

FIX

Use the url directly to the object storage, like:
https://object.eqiad1.wikimediacloud.org/swift/v1/AUTH_toolsbeta/dcarotest2/test.yaml

And (this will need you to pass the authentication with the request, e.g. using X-Auth-Token: <app-credential>):
https://object.eqiad1.wikimediacloud.org/swift/v1/AUTH_toolsbeta/dcarotest1/test.yaml

Event Timeline

dcaro renamed this task from "[horizon,swift] When accessing a private file without authenticating first you get a 500 error" to "[horizon,swift] When accessing any file (public/private) without authenticating first you get a 500 error". Mon, May 13, 7:49 AM
dcaro updated the task description.
[Mon May 13 07:48:46.507418 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242] Internal Server Error: /api/swift/containers/dcarotest2/object/test.yaml
[Mon May 13 07:48:46.507439 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242] Traceback (most recent call last):
[Mon May 13 07:48:46.507441 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/django/core/handlers/exception.py", line 55, in inner
[Mon May 13 07:48:46.507443 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     response = get_response(request)
[Mon May 13 07:48:46.507445 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/django/core/handlers/base.py", line 197, in _get_response
[Mon May 13 07:48:46.507446 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     response = wrapped_callback(request, *callback_args, **callback_kwargs)
[Mon May 13 07:48:46.507448 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/django/views/generic/base.py", line 104, in view
[Mon May 13 07:48:46.507449 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     return self.dispatch(request, *args, **kwargs)
[Mon May 13 07:48:46.507451 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/django/views/generic/base.py", line 143, in dispatch
[Mon May 13 07:48:46.507452 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     return handler(request, *args, **kwargs)
[Mon May 13 07:48:46.507453 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/openstack_dashboard/api/rest/swift.py", line 239, in get
[Mon May 13 07:48:46.507454 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     obj = api.swift.swift_get_object(
[Mon May 13 07:48:46.507455 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/openstack_dashboard/api/swift.py", line 45, in wrapper
[Mon May 13 07:48:46.507457 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     return function(*args, **kwargs)
[Mon May 13 07:48:46.507458 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/openstack_dashboard/api/swift.py", line 404, in swift_get_object
[Mon May 13 07:48:46.507459 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     headers, data = swift_api(request).get_object(
[Mon May 13 07:48:46.507460 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/openstack_dashboard/api/swift.py", line 132, in swift_api
[Mon May 13 07:48:46.507461 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     endpoint = base.url_for(request, 'object-store')
[Mon May 13 07:48:46.507463 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/openstack_dashboard/api/base.py", line 335, in url_for
[Mon May 13 07:48:46.507464 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     catalog = request.user.service_catalog
[Mon May 13 07:48:46.507465 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]   File "/opt/lib/python/site-packages/django/utils/functional.py", line 268, in inner
[Mon May 13 07:48:46.507466 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242]     return func(_wrapped, *args)
[Mon May 13 07:48:46.507467 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 208.80.154.150:34242] AttributeError: 'AnonymousUser' object has no attribute 'service_catalog'

I had a quick look at the code; it seems that the anonymous user is not extended and it's falling back to the Django default one, which does not have those fields.

There's a custom user being declared here: https://opendev.org/openstack/horizon/src/branch/master/openstack_auth/user.py#L126

That I think should be the one being created by default here: https://opendev.org/openstack/horizon/src/branch/master/openstack_auth/utils.py#L55

Though I'm not very familiar with the code, I will open a bug and try to play with it, though feel free to tackle it before if anyone is interested xd
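
A detection sketch for the failure in the traceback above, added here as an example and not part of the task or of Horizon's code: it reassembles mod_wsgi error-log lines per request and counts, per URL path, the 500s raised when code dereferences Django's `AnonymousUser`, which points at endpoints with no logged-out handling. The sample log is constructed (documentation-range IPs, made-up container and paths), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Apache/mod_wsgi error-log layout shown above
# (documentation-range IPs, shortened tracebacks, made-up paths).
SAMPLE_LOG = """\
[Mon May 13 07:48:46.507418 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 192.0.2.10:34242] Internal Server Error: /api/swift/containers/demo/object/test.yaml
[Mon May 13 07:48:46.507439 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 192.0.2.10:34242] Traceback (most recent call last):
[Mon May 13 07:48:46.507464 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 192.0.2.10:34242]     catalog = request.user.service_catalog
[Mon May 13 07:48:46.507467 2024] [wsgi:error] [pid 10:tid 139706677188352] [remote 192.0.2.10:34242] AttributeError: 'AnonymousUser' object has no attribute 'service_catalog'
[Mon May 13 07:49:02.100000 2024] [wsgi:error] [pid 11:tid 139706677188999] [remote 198.51.100.7:50000] Internal Server Error: /api/example/items/
[Mon May 13 07:49:02.100200 2024] [wsgi:error] [pid 11:tid 139706677188999] [remote 198.51.100.7:50000] KeyError: 'flavor'
"""

LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[wsgi:error\] \[pid (?P<pid>\d+):tid (?P<tid>\d+)\] "
    r"\[remote (?P<ip>[^\]]+):(?P<port>\d+)\] (?P<msg>.*)$"
)

def parse_events(log_text):
    """Reassemble per-request tracebacks into {path, ip, exception} events."""
    open_events = {}  # (pid, tid, ip, port) -> event still being assembled
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key = (m["pid"], m["tid"], m["ip"], m["port"])
        msg = m["msg"]
        if msg.startswith("Internal Server Error: "):
            event = {"path": msg.split(": ", 1)[1], "ip": m["ip"], "exception": None}
            open_events[key] = event
            events.append(event)
        elif (key in open_events and msg and not msg[0].isspace()
              and not msg.startswith("Traceback")):
            # Unindented line after the stack frames: the exception summary.
            open_events[key]["exception"] = msg
    return events

def unauthenticated_500s(events):
    """Count, per path, 500s caused by attribute access on AnonymousUser."""
    marker = "'AnonymousUser' object has no attribute"
    return Counter(e["path"] for e in events if e["exception"] and marker in e["exception"])

if __name__ == "__main__":
    print(unauthenticated_500s(parse_events(SAMPLE_LOG)))
```
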

How does Horizon expose these /api/swift URLs? I would assume they'd only be embedded in pages that do have correct logged-out handling and this only happens if you try to somehow use the URLs standalone?

> How does Horizon expose these /api/swift URLs?

Just found that the URLs you get from the download button (the ones I used before) are the ones failing; if you use the link on the left side (e.g. https://object.eqiad1.wikimediacloud.org/swift/v1/AUTH_toolsbeta/dcarotest2/test.yaml), things work as expected, and the URL is not even on Horizon anymore.

Weird

The private bucket has no such link though :/

image.png (186×567 px, 13 KB)

Public bucket:

image.png (189×701 px, 13 KB)

The private one works also, but only if you use the URL https://object.eqiad1.wikimediacloud.org/swift/v1/AUTH_toolsbeta/dcarotest1/test.yaml and application credentials (for example), which is not exposed anywhere in the Horizon UI.

dcaro@urcuchillay$ curl -v -H "X-Auth-Token: sometoken" https://object.eqiad1.wikimediacloud.org/swift/v1/AUTH_toolsbeta/dcarotest1/test.yaml
* Host object.eqiad1.wikimediacloud.org:443 was resolved.
* IPv6: (none)
* IPv4: 185.15.56.161
*   Trying 185.15.56.161:443...
* Connected to object.eqiad1.wikimediacloud.org (185.15.56.161) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ecPublicKey
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: CN=openstack.eqiad1.wikimediacloud.org
*  start date: Apr  3 05:27:06 2024 GMT
*  expire date: Jul  2 05:27:05 2024 GMT
*  subjectAltName: host "object.eqiad1.wikimediacloud.org" matched cert's "object.eqiad1.wikimediacloud.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/1.x
> GET /swift/v1/AUTH_toolsbeta/dcarotest1/test.yaml HTTP/1.1
> Host: object.eqiad1.wikimediacloud.org
> User-Agent: curl/8.6.0
> Accept: */*
> X-Auth-Token: sometoken
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/1.1 200 OK
< content-length: 169
< accept-ranges: bytes
< last-modified: Mon, 13 May 2024 07:36:05 GMT
< x-timestamp: 1715585765.83174
< etag: 219017ad6e3c924e5e99327513e289dc
< x-object-meta-orig-filename: test.yaml
< x-trans-id: tx00000e3d23f5cf136a3b4-00664215e3-3414118b-default
< x-openstack-request-id: tx00000e3d23f5cf136a3b4-00664215e3-3414118b-default
< content-type: binary/octet-stream
< date: Mon, 13 May 2024 13:30:12 GMT
< content-security-policy: default-src; font-src 'self'; img-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
< connection: close
< 
---

definitions:
  steps:
    - step: &build-test <
        Build and test

pipelines:
  branches:
    develop:
      - *build-test
    main:
      - step: *build-test
* Closing connection
* TLSv1.3 (IN), TLS alert, close notify (256):
* TLSv1.3 (OUT), TLS alert, close notify (256):

So this is probably a non-bug, I'll close, though it's nice to have it documented (for myself at least xd).

dcaro updated the task description.