← Back to team overview

openstack team mailing list archive

Re: [Keystone] [Swift] Keystone Tenant vs Swift Account

 

On Mon, 2011-07-18 at 16:02 -0500, John Dickinson wrote:
> The security implications are tied to what credentials as user gets from the auth server you are using. The possibility is that a user could delete their own account (or even another user's account) or create new accounts. Disabling allow_account_management eliminates these issues by disabling the functionality.
> 
> There are no formal docs of this part of the API. It's quite simple though: PUT/POST/GET/HEAD/DELETE to /v1/"your account string"

That's up to your auth middleware. ie. we have a super admin user,
account admins and per container user with ro/rw permissions; and only
the super admin can get authenticated to run a PUT/DELETE request on an
account.

If you're going to deploy swift you probably will need to plug it in
your infrastructure: accounting, billing, monitoring, ... and of course
authentication/authorization.

Swift architecture it's perfect for that thanks to paste because you can
easily add any middleware you want to provide that "coupling".

It's a good feature that we can disable account creation though :)

Regards,

Juan

-- 
Juan J. Martinez
Development, MEMSET

mail: juan@xxxxxxxxxx
 web: http://www.memset.com/

Memset Ltd., registration number 4504980. 25 Frederick Sanger Road, Guildford, Surrey, GU2 7YD, UK.



References