openstack team mailing list archive

Thread
Date

Re: [Swift] S3 like ACL for Swift

To: Victor Rodionov <Victor.Rodionov@xxxxxxxxxxx>
From: John Dickinson <me@xxxxxx>
Date: Wed, 20 Jun 2012 11:08:55 -0500
Cc: "<openstack@xxxxxxxxxxxxxxxxxxx>" <openstack@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <D4A48DC3-6E94-40A4-8BC4-5D2A7D16CD54@nexenta.com>

On Jun 20, 2012, at 11:02 AM, Victor Rodionov wrote:
> 
> Also, I want ask do you think it's good idea to store object ACL in object metadata?

I'd suggest looking at container-level ACLs rather than object-level. But either way, the data does need to be stored in the metadata in swift itself. Storing the ACL information for tens of millions of containers or a hundred billion objects can't really be done well in the auth system. This is why the information needs to be stored in swift itself. The auth middleware then queries the auth system with the auth token and URL and gets back the allowed groups. The middleware then compares the groups returned from the auth system to the groups stored in the metadata. This is essentially the design of ACLs in tempauth and swauth.

--John

Attachment: smime.p7s
Description: S/MIME cryptographic signature

References

[Swift] S3 like ACL for Swift
From: Victor Rodionov, 2012-06-20
Re: [Swift] S3 like ACL for Swift
From: John Dickinson, 2012-06-20
Re: [Swift] S3 like ACL for Swift
From: Victor Rodionov, 2012-06-20