openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #11736
Re: Swift Object Storage ACLs with KeyStone
Hi,
In swift+keystone you are not allowed to have ACL between different
account/tenant/project, you can only allow ACL between different
users in a tenant.
This is probably something not too difficult to implement but it may
needs some tinkering to get it right. Please feel free to log a bug in
keystone and we'll try to address that.
Chmouel.
On Sat, May 12, 2012 at 4:02 AM, 张家龙 <zhangjl@xxxxxxxxxxx> wrote:
> Vish ,
> Thank you for answering.
> While ,sorry,I don`t understand your said.
> Do you mean I have to do like follows when I setting up acls:
>
> curl -X PUT -i \
> -H "X-Auth-Token: <token of demo:demo>" \
> -H "X-Container-Read: <tenant_id:user_id>" \
> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
> Or,other operations and settings?
> ------------------
> Best Regards
>
> ZhangJialong
>
>
>
> ------------------ Original ------------------
> From: "Vishvananda Ishaya"<vishvananda@xxxxxxxxx>;
> Date: Sat, May 12, 2012 03:03 AM
> To: "张家龙"<zhangjl@xxxxxxxxxxx>;
> Cc: "openstack"<openstack@xxxxxxxxxxxxxxxxxxx>;
> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>
> I'm not totally sure about this, but you might have to use the project_id
> from keystone instead of the project_name when setting up acls. The same
> may be true of user_id.
>
> Vish
>
> On Fri, May 11, 2012 at 12:51 AM, 张家龙 <zhangjl@xxxxxxxxxxx> wrote:
>>
>>
>> Hello, everyone.
>>
>> I encountered some problems when i set permissions (ACLs) on Openstack
>> Swift containers.
>> I installed swift-1.4.8(essex) and use keystone-2012.1 as
>> authentication system on CentOS 6.2 .
>>
>> My swift proxy-server.conf and keystone.conf are here:
>> http://pastebin.com/dUnHjKSj
>>
>> Then,I use the script named opensatck_essex_data.sh(
>> http://pastebin.com/LWGVZrK0 ) to
>> initialize keystone.
>>
>> After these operations,I got the token of demo:demo and
>> newuser:newuser
>>
>> curl -s -H 'Content-type: application/json' \
>> -d '{"auth": {"tenantName": "demo", "passwordCredentials":
>> {"username": "demo", "password": "admin"}}}' \
>> http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>> curl -s -H 'Content-type: application/json' \
>> -d '{"auth": {"tenantName": "newuser", "passwordCredentials":
>> {"username": "newuser", "password": "admin"}}}' \
>> http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>> Then,enable read access to newuser:newuser
>>
>> curl -X PUT -i \
>> -H "X-Auth-Token: <token of demo:demo>" \
>> -H "X-Container-Read: newuser:newuser" \
>>
>> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> Check the permission of the container:
>>
>> curl -k -v -H 'X-Auth-Token:<token of demo:demo>' \
>>
>> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> This is the reply of the operation:
>>
>> HTTP/1.1 200 OK
>> X-Container-Object-Count: 1
>> X-Container-Read: newuser:newuser
>> X-Container-Bytes-Used: 2735
>> Accept-Ranges: bytes
>> Content-Length: 24
>> Content-Type: text/plain; charset=utf-8
>> Date: Fri, 11 May 2012 07:30:23 GMT
>>
>> opensatck_essex_data.sh
>>
>> Now,the user newuser:newuser visit the container of demo:demo
>>
>> curl -k -v -H 'X-Auth-Token:<token of newuser:newuser>' \
>>
>> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> While,I got 403 error.Can someone help me?
>>
>> ------------------
>> Best Regards
>>
>> ZhangJialong
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help : https://help.launchpad.net/ListHelp
>>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
>
Follow ups
References