
openstack team mailing list archive

Re: Swift Object Storage ACLs with KeyStone


Yeah, that is because the swift/keystone middleware checks that the tenantId matches the accountId in the URL path...  Perhaps we should rely strictly on Swift ACLs for granting access to a given Swift container, and rely on Keystone RBAC for what you can do with a given Swift account.

BTW, we also ran into this issue before...  Has a bug/feature request been filed for this yet?  If not, I can file one.

Thanks,
Liem

-----Original Message-----
From: openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx [mailto:openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx] On Behalf Of Chmouel Boudjnah
Sent: Tuesday, May 15, 2012 2:55 AM
To: 张家龙
Cc: openstack
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone

Hi,

In swift+keystone you are not allowed to have ACLs between different
accounts/tenants/projects; you can only allow ACLs between different
users in a tenant.
This is probably something not too difficult to implement, but it may
need some tinkering to get it right. Please feel free to log a bug in
keystone and we'll try to address that.

Chmouel.

On Sat, May 12, 2012 at 4:02 AM, 张家龙 <zhangjl@xxxxxxxxxxx> wrote:
> Vish,
>      Thank you for answering.
>      Well, sorry, I don't understand what you said.
>      Do you mean I have to do as follows when setting up ACLs:
>
>     curl -X PUT -i \
>     -H "X-Auth-Token: <token of demo:demo>" \
>     -H "X-Container-Read: <tenant_id:user_id>" \
>     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
>     Or other operations and settings?
> ------------------
> Best Regards
>
> ZhangJialong
>
>
>
> ------------------ Original ------------------
> From:  "Vishvananda Ishaya"<vishvananda@xxxxxxxxx>;
> Date:  Sat, May 12, 2012 03:03 AM
> To:  "张家龙"<zhangjl@xxxxxxxxxxx>;
> Cc:  "openstack"<openstack@xxxxxxxxxxxxxxxxxxx>;
> Subject:  Re: [Openstack] Swift Object Storage ACLs with KeyStone
>
> I'm not totally sure about this, but you might have to use the project_id
> from keystone instead of the project_name when setting up acls.   The same
> may be true of user_id.
>
> Vish
>
> On Fri, May 11, 2012 at 12:51 AM, 张家龙 <zhangjl@xxxxxxxxxxx> wrote:
>>
>>
>> Hello, everyone.
>>
>>     I encountered some problems when I set permissions (ACLs) on OpenStack
>> Swift containers.
>>     I installed swift-1.4.8 (essex) and use keystone-2012.1 as the
>> authentication system on CentOS 6.2.
>>
>>     My swift proxy-server.conf and keystone.conf are here:
>>     http://pastebin.com/dUnHjKSj
>>
>>     Then I use the script named opensatck_essex_data.sh
>> ( http://pastebin.com/LWGVZrK0 ) to
>>     initialize keystone.
>>
>>     After these operations, I got the tokens of demo:demo and
>> newuser:newuser:
>>
>>     curl -s -H 'Content-type: application/json' \
>>     -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "admin"}}}' \
>>     http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>>     curl -s -H 'Content-type: application/json' \
>>     -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
>>     http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>>     Then, enable read access for newuser:newuser:
>>
>>     curl -X PUT -i \
>>     -H "X-Auth-Token: <token of demo:demo>" \
>>     -H "X-Container-Read: newuser:newuser" \
>>     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>>     Check the permissions of the container:
>>
>>     curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
>>     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>>     This is the reply of the operation:
>>
>>     HTTP/1.1 200 OK
>>     X-Container-Object-Count: 1
>>     X-Container-Read: newuser:newuser
>>     X-Container-Bytes-Used: 2735
>>     Accept-Ranges: bytes
>>     Content-Length: 24
>>     Content-Type: text/plain; charset=utf-8
>>     Date: Fri, 11 May 2012 07:30:23 GMT
>>
>>     opensatck_essex_data.sh
>>
>>     Now the user newuser:newuser visits the container of demo:demo:
>>
>>     curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
>>     http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>>     However, I got a 403 error. Can someone help me?
>>
>> ------------------
>> Best Regards
>>
>> ZhangJialong
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~openstack
>> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~openstack
>> More help   : https://help.launchpad.net/ListHelp
>>
>


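To make the 403 in this thread reproducible offline, here is an added illustration that is not code from the thread, from Swift or from Keystone: a toy model of the authorization decision as the replies describe it. The account id in the URL (`AUTH_f1723800c821453d9f22d42d1fbb334b`) is the one from the original post; the other tenant/user ids, the `OPERATOR_ROLES` set, the function names and the `cross_tenant_acls` switch are constructed assumptions. With the switch off, the model applies the Essex-era rule Chmouel states (token tenant must equal the account tenant, so a container ACL naming another tenant's user never helps); with it on, it applies the behaviour Liem proposes (container ACL decides cross-tenant read access, roles decide what the owning tenant can do).

```python
# Added example, not Swift or Keystone code: a simplified model of the
# swift/keystone authorization decision discussed in this thread.
from dataclasses import dataclass

# Constructed assumption: roles that make a token an operator of its own
# account (the "Keystone RBAC for the account" side of the discussion).
OPERATOR_ROLES = frozenset({"admin", "swiftoperator"})


@dataclass(frozen=True)
class TokenInfo:
    """What a validated Keystone token tells the proxy about the caller."""
    tenant_id: str
    user_id: str
    roles: frozenset


def account_tenant_id(path):
    """Extract <tenant_id> from a Swift path /v1/AUTH_<tenant_id>/<container>[/<object>]."""
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "v1" or not parts[1].startswith("AUTH_"):
        raise ValueError("not a Swift v1 account path: %r" % path)
    return parts[1][len("AUTH_"):]


def parse_acl(header_value):
    """Parse an X-Container-Read value such as 'tenant:user, tenant:*' into (tenant, user) pairs.

    Referrer-style entries (no colon) are outside this model and are skipped.
    """
    entries = []
    for raw in (header_value or "").split(","):
        raw = raw.strip()
        if not raw or ":" not in raw:
            continue
        tenant, user = raw.split(":", 1)
        entries.append((tenant.strip(), user.strip()))
    return entries


def acl_grants(acl_entries, token):
    """True if some 'tenant:user' entry names the caller; '*' matches any user of that tenant."""
    return any(t == token.tenant_id and u in ("*", token.user_id)
               for t, u in acl_entries)


def authorize(token, method, path, container_read_acl="", cross_tenant_acls=False):
    """Return (allowed, reason) for one request.

    cross_tenant_acls=False: the token's tenant must match the account in the
    URL, so a caller from another tenant is refused before the ACL is consulted.
    cross_tenant_acls=True: a caller from another tenant may read if the
    container's X-Container-Read names them; writes still need account ownership.
    """
    acct = account_tenant_id(path)
    if token.tenant_id == acct:
        if token.roles & OPERATOR_ROLES:
            return True, "operator of own account"
        return False, "own account but no operator role"
    if not cross_tenant_acls:
        return False, "tenant %s != account %s (403)" % (token.tenant_id, acct)
    if method in ("GET", "HEAD") and acl_grants(parse_acl(container_read_acl), token):
        return True, "granted by X-Container-Read"
    return False, "no X-Container-Read entry for %s:%s" % (token.tenant_id, token.user_id)


if __name__ == "__main__":
    # Constructed sample: demo's account (id from the thread) and a second tenant.
    DEMO_TENANT = "f1723800c821453d9f22d42d1fbb334b"
    OTHER_TENANT = "00000000000000000000000000000001"   # constructed id
    container = "/v1/AUTH_%s/demodirc" % DEMO_TENANT
    demo = TokenInfo(DEMO_TENANT, "demo_user_id", frozenset({"admin"}))
    newuser = TokenInfo(OTHER_TENANT, "newuser_id", frozenset({"Member"}))
    acl = "%s:newuser_id" % OTHER_TENANT
    for label, flag in (("essex rule", False), ("acl-driven", True)):
        print(label, "owner GET ->", authorize(demo, "GET", container, acl, flag))
        print(label, "other GET ->", authorize(newuser, "GET", container, acl, flag))
        print(label, "other PUT ->", authorize(newuser, "PUT", container, acl, flag))
```

The model makes the thread's observation concrete: as long as the tenant-equals-account check runs first, the ACL header is effectively dead for cross-tenant callers, which is why the container metadata shows `X-Container-Read` correctly set while the request still returns 403.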