ECS: Setting SWIFT read ACL to ".r:*" allows unwanted dir listing

           

Article Number: 535575 | Article Version: 4 | Article Type: Break Fix

Product:

ECS Appliance Software without Encryption

Issue:

The customer's intention is to allow anonymous access to objects if the full path is known. But setting the Swift read ACL to ".r:*" allows unwanted directory listing.
   
    Setup:   
    We would like to use a Swift ACL-Read Policy to allow anonymous access to objects as described here:   
    https://docs.openstack.org/swift/latest/overview_acl.html#acl-common-elements   
   
   
    python-swiftclient is used as client in this case.   
   
   
    Setting the policy:

swift post --read-acl ".r:*" private-swift

    Checking the policy:

swift stat private-swift
               Account: ops-thomas
             Container: private-swift
               Objects: 0
                 Bytes: 0
              Read ACL: .r:*
             Write ACL:
               Sync To:
              Sync Key:
X-Emc-Retention-Period: 0
X-Emc-Is-Tso-Read-Only: false
         Accept-Ranges: bytes
            X-Trans-Id: tx0a10c20b1685c1199fc75-39ae00000000
           X-Timestamp: 1554368486418
      X-Emc-Request-Id: 0a10c20b:1685c1199fc:7539a:e
X-Emc-Is-Stale-Allowed: false
          Content-Type: text/html
   
    If the full path of an object is now provided to an anonymous user (without using a token), all the files within the folder can be listed. This is not expected.

Cause:

A bug in the ECS software has been discovered.

Resolution:

    If you see this issue, a customer-specific patch is required on top of the latest ECS release (right now it is 3.3HF1).
    Please open a Service Request with Dell EMC Support and mention this KB for requesting a custom patch if needed.
   
    A future version of ECS will contain a final fix.
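
To confirm whether a container is affected, or that a patch took effect, an operator can compare what the read ACL grants with what an unauthenticated request actually gets. The script below is an added example, not Dell EMC or OpenStack code. It assumes the upstream Swift semantics from the linked ACL documentation, where ".r:*" grants anonymous object reads and container listing additionally needs ".rlistings"; the storage URL and object name are constructed placeholders.

```python
import urllib.error
import urllib.request

def parse_read_acl(acl):
    """Anonymous grants in an X-Container-Read value, per upstream Swift."""
    elements = {e.strip() for e in acl.split(",") if e.strip()}
    return {"object_read": ".r:*" in elements,    # anonymous GET of an object
            "listing": ".rlistings" in elements}  # anonymous container listing

def anonymous_status(url):
    """GET with no X-Auth-Token header; return the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit_container(storage_url, container, obj, read_acl, fetch=anonymous_status):
    """Return the anonymous operations that succeed without an ACL grant."""
    grants = parse_read_acl(read_acl)
    base = f"{storage_url.rstrip('/')}/{container}"
    observed = {
        # A listing answers 200 with object names, or 204 when the container is empty.
        "listing": fetch(base) in (200, 204),
        "object_read": fetch(f"{base}/{obj}") == 200,
    }
    return sorted(op for op, ok in observed.items() if ok and not grants[op])

if __name__ == "__main__":
    # Constructed endpoint and object name; account and container are from the article.
    url = "https://ecs.example.com/v1/ops-thomas"
    # Constructed stub standing in for an affected cluster: every anonymous GET succeeds.
    affected = lambda u: 200
    print(audit_container(url, "private-swift", "report.txt", ".r:*", fetch=affected))
```

Calling audit_container without the fetch argument sends real unauthenticated GET requests to the given storage URL; an empty result means nothing is exposed beyond what the ACL grants.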