[Cyberduck-trac] [Cyberduck] #8959: Rackspace cloudfiles ACL only access
Cyberduck
trac at trac.cyberduck.io
Thu Jul 30 14:42:58 UTC 2015
#8959: Rackspace cloudfiles ACL only access
---------------------------+-------------------------
 Reporter:  matiu          |        Owner:  dkocher
     Type:  defect         |       Status:  assigned
 Priority:  normal         |    Milestone:  4.7.2
Component:  cloudfiles     |      Version:  4.7.1
 Severity:  normal         |   Resolution:
 Keywords:                 | Architecture:  Intel
 Platform:  Mac OS X 10.8  |
---------------------------+-------------------------
Description changed by dkocher:
Old description:
> I have had to replace xxxx with xxxx everywhere because trac thinks this
> is spam.
>
> To Re-create:
>
> 1. Using Rackspace cloud files create a user with zero access to
> anything (eg. my_user)
> 2. Using cloud files ACL lists, grant access to a certain container (eg.
> /my_container) (xxxx --docs.rackspace.com/files/api/v1/cf-devguide/content/Container_ACLs-d1e2222.html)
> 3. Try to access that container (making sure to use 'More Options' and
> make sure that the path says /my_container)
>
> --------
>
> # State
>
> * In version 4.3.1 (11010) - This works, you can list the folder
> contents and modify files
> * Using plain old curl it works.
> * In cyberduck versions later than 4.3.1 it doesn't work
>
> --------
>
> # More detailed instructions
>
> ## Creating the restricted user
>
> 1. Log in to xxxxs://mycloud.rackspace.com (sign up if you don't have a
> log in, it won't cost anything to create a single cloud files container
> and add a 1k file).
> 2. Click 'Account' in the top right
> 3. Click 'User Management'
> 4. Click the 'Create User' button
> 5. Make up a user name and password and security answer
> 6. Under 'Product Access' choose 'No Access'
> 7. Make up a name and email for them
> 8. Click 'Create User' at the bottom of the form
> 9. Take a note of the username and apikey for later
>
> ## Creating the container
>
> 1. Still in xxxxs://mycloud.rackspace.com - click Storage, Files
> 2. Click 'Create Container' and give it a name
> 3. Take a note of which DC it's in. (Example uses DFW).
>
> ## Granting ACL to 'my_user'
>
> Instead of using curl, I'm using xxxxie and jq as it's heaps easier:
>
> * xxxxs://github.com/jkbr/xxxxie
> * xxxx://stedolan.github.io/jq/
>
> Using the username and the API key of the Rackspace cloud ACCOUNT
> OWNER...
>
> You can run this in bash, to grant 'my_user', access to 'my_container' in
> the DFW cloud files:
>
> ----- 8< ----
> USER=admin
> KEY=some_long_api_key
> json=$(echo "{ \"auth\":{ \"RAX-KSKEY:apiKeyCredentials\":{ \"username\":\"${USER}\", \"apiKey\":\"${KEY}\" } } }" | http POST xxxxs://auth.api.rackspacecloud.com/v2.0/tokens)
> token=$(echo $json | jq -r '.access | .token | .id')
> auth="X-Auth-Token:$token"
> url=$(echo $json | jq -r '.access | .serviceCatalog | .[] | select(.name == "cloudFiles") | .endpoints | .[] | select(.region == "DFW") | .publicURL')
> http POST $url/my_container X-Container-Read:my_user X-Container-Write:my_user $auth
> ----- >8 ----
>
> Now in Cyberduck 4.3.1 as 'my_user' you can list 'my_container', and
> upload to it, but in later versions you can't.
New description:
I have had to replace xxxx with xxxx everywhere because trac thinks this is
spam.

To Re-create:

1. Using Rackspace cloud files create a user with zero access to anything
(eg. my_user)
2. Using cloud files ACL lists, grant access to a certain container (eg.
/my_container) (xxxx --docs.rackspace.com/files/api/v1/cf-devguide/content/Container_ACLs-d1e2222.html)
3. Try to access that container (making sure to use 'More Options' and
make sure that the path says /my_container)

--------

# State

* In version 4.3.1 (11010) - This works, you can list the folder contents
and modify files
* Using plain old curl it works.
* In cyberduck versions later than 4.3.1 it doesn't work

--------

# More detailed instructions

## Creating the restricted user

1. Log in to xxxxs://mycloud.rackspace.com (sign up if you don't have a
log in, it won't cost anything to create a single cloud files container
and add a 1k file).
2. Click 'Account' in the top right
3. Click 'User Management'
4. Click the 'Create User' button
5. Make up a user name and password and security answer
6. Under 'Product Access' choose 'No Access'
7. Make up a name and email for them
8. Click 'Create User' at the bottom of the form
9. Take a note of the username and apikey for later

## Creating the container

1. Still in xxxxs://mycloud.rackspace.com - click Storage, Files
2. Click 'Create Container' and give it a name
3. Take a note of which DC it's in. (Example uses DFW).

## Granting ACL to 'my_user'

Instead of using curl, I'm using xxxxie and jq as it's heaps easier:

* xxxxs://github.com/jkbr/xxxxie
* xxxx://stedolan.github.io/jq/

Using the username and the API key of the Rackspace cloud ACCOUNT OWNER...

You can run this in bash, to grant 'my_user', access to 'my_container' in
the DFW cloud files:

{{{
# Credentials of the Rackspace cloud account owner
USER=admin
KEY=some_long_api_key
# Authenticate and keep the full JSON response (token and service catalog)
json=$(echo "{ \"auth\":{ \"RAX-KSKEY:apiKeyCredentials\":{ \"username\":\"${USER}\", \"apiKey\":\"${KEY}\" } } }" | http POST xxxxs://auth.api.rackspacecloud.com/v2.0/tokens)
token=$(echo "$json" | jq -r '.access | .token | .id')
auth="X-Auth-Token:$token"
# Public Cloud Files endpoint for the DFW region
url=$(echo "$json" | jq -r '.access | .serviceCatalog | .[] | select(.name == "cloudFiles") | .endpoints | .[] | select(.region == "DFW") | .publicURL')
# Grant my_user read and write access to my_container
http POST "$url/my_container" X-Container-Read:my_user X-Container-Write:my_user "$auth"
}}}
Now in Cyberduck 4.3.1 as 'my_user' you can list 'my_container', and
upload to it, but in later versions you can't.
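
A read-back check for the grant above, as an added example that is not part of the ticket or of Cyberduck: it parses the `X-Container-Read` and `X-Container-Write` headers from a container HEAD response and confirms the user is an exact element of each list. The function names and the sample response are constructed for illustration, and it assumes the headers are read with the account owner's token.

```sh
# Constructed sample: response headers of a HEAD on my_container after the
# grant (values are illustrative, not captured from a real account).
sample_headers() {
  printf '%s\r\n' \
    'HTTP/1.1 204 No Content' \
    'X-Container-Object-Count: 1' \
    'x-container-read: my_user2, my_user' \
    'X-Container-Write: my_user' \
    'X-Container-Bytes-Used: 1024'
}

# acl_has HEADER USER: read response headers on stdin and succeed only if
# USER is an exact element of the comma-separated HEADER value.
# Header names are matched case-insensitively; user names are not.
acl_has() {
  tr -d '\r' | awk -v want="$1" -v user="$2" '
    BEGIN { want = tolower(want); found = 0 }
    {
      i = index($0, ":")
      if (i == 0) next                      # status line or blank line
      if (tolower(substr($0, 1, i - 1)) != want) next
      n = split(substr($0, i + 1), items, ",")
      for (k = 1; k <= n; k++) {
        gsub(/^[ \t]+|[ \t]+$/, "", items[k])
        if (items[k] == user) found = 1     # exact match, not substring
      }
    }
    END { exit !found }'
}

# check_grant USER: the grant in the ticket sets both headers, so both the
# read and the write ACL must list USER.
check_grant() {
  hdrs=$(sample_headers)
  printf '%s\n' "$hdrs" | acl_has X-Container-Read "$1" &&
    printf '%s\n' "$hdrs" | acl_has X-Container-Write "$1"
}

if check_grant my_user; then
  echo "my_user: read and write granted"
fi
```

The exact-element comparison matters when user names share a prefix: `my_user2` appearing in the read list does not count as a grant for `my_user`, and a user listed only for read fails the combined check.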
--
Ticket URL: <https://trac.cyberduck.io/ticket/8959#comment:2>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows