openstack team mailing list archive
Message #21132
Re: [SWIFT] Account or User or Account_User?
Got it. Thanks, Adrian.
On Thu, Feb 21, 2013 at 4:48 PM, Adrian Smith <adrian@xxxxxxxx> wrote:
> Hi Kun,
>
> Yes, ACLs are the answer.
>
> Based on our earlier conversation I assume you want to give the 'tester3'
> user access to a container. To do this you'll need to authenticate as the
> 'test' user (admin user) and use his token to issue a command like this,
>
> $ curl -X POST -H 'X-Auth-Token: [token]' -H 'X-Container-Read: tester3' \
>     http://127.0.0.1:8080/v1/AUTH_test/[container name]
>
> Following this the tester3 user will have read access to the container
> given in [container name].
>
> Note: It's not possible to grant users read/write access at the account
> level, only the container level.
>
> Adrian
>
>
>
> On 20 February 2013 19:55, Kun Huang <Academicgareth@xxxxxxxxx> wrote:
>
>> Hi, Adrian
>>
>> I think ACL is the answer...
>> I have just read
>> http://programmerthoughts.com/openstack/swift-permissions/
>>
>>
>>
>> On Thu, Feb 21, 2013 at 1:54 AM, Kun Huang <Academicgareth@xxxxxxxxx> wrote:
>>
>>> Hi, Adrian
>>> It doesn't seem correct.
>>>
>>> 1st,
>>> [image: Inline image 1]
>>>
>>> 2nd,
>>>
>>> # Excerpt of TempAuth.authorize() (swift/common/middleware/tempauth.py).
>>> # Names used here are imported elsewhere in that module:
>>> #   from swift.common.swob import HTTPNotFound
>>> #   from swift.common.middleware.acl import parse_acl, referrer_allowed
>>> def authorize(self, req):
>>>     """
>>>     Returns None if the request is authorized to continue or a standard
>>>     WSGI response callable if not.
>>>     """
>>>     try:
>>>         version, account, container, obj = req.split_path(1, 4, True)
>>>     except ValueError:
>>>         self.logger.increment('errors')
>>>         return HTTPNotFound(request=req)
>>>     if not account or not account.startswith(self.reseller_prefix):
>>>         return self.denied_response(req)
>>>     user_groups = (req.remote_user or '').split(',')
>>>     if '.reseller_admin' in user_groups and \
>>>             account != self.reseller_prefix and \
>>>             account[len(self.reseller_prefix)] != '.':
>>>         req.environ['swift_owner'] = True
>>>         return None
>>>     if account in user_groups and \
>>>             (req.method not in ('DELETE', 'PUT') or container):
>>>         # If the user is admin for the account and is not trying to do an
>>>         # account DELETE or PUT...
>>>         req.environ['swift_owner'] = True
>>>         return None
>>>     if (req.environ.get('swift_sync_key')
>>>             and (req.environ['swift_sync_key'] ==
>>>                  req.headers.get('x-container-sync-key', None))
>>>             and 'x-timestamp' in req.headers):
>>>         return None
>>>     if req.method == 'OPTIONS':
>>>         # allow OPTIONS requests to proceed as normal
>>>         return None
>>>     # req.acl carries the container's X-Container-Read (for reads) or
>>>     # X-Container-Write (for writes) value; the proxy sets it on the
>>>     # request before calling authorize() again for the delayed check.
>>>     referrers, groups = parse_acl(getattr(req, 'acl', None))
>>>     if referrer_allowed(req.referer, referrers):
>>>         if obj or '.rlistings' in groups:
>>>             return None
>>>         return self.denied_response(req)
>>>     if not req.remote_user:
>>>         return self.denied_response(req)
>>>     for user_group in user_groups:
>>>         if user_group in groups:
>>>             return None
>>>     return self.denied_response(req)
>>>
>>> The target code is here. No "X-Container-Read" header is ever checked.
>>>
>>> 3rd, in http://docs.openstack.org/folsom/openstack-object-storage/admin/content/authentication-and-access-permissions.html,
>>>
>>> """Generally speaking, each user has their own storage account and has full access to that account. Users must authenticate with their credentials as described above, but once authenticated they can create/delete containers and objects within that account. The only way a user can access the content from another account is if they share an API access key or a session token provided by your authentication system."""
>>>
>>> Does this paragraph tell us that tester3 (user) has access control for test (account), but not for other accounts?
>>>
>>> On Wed, Feb 20, 2013 at 8:16 PM, Adrian Smith <adrian@xxxxxxxx> wrote:
>>>
>>>> Unless tester3 is given explicit permissions he can't do anything.
>>>>
>>>> To be of any use the 'test' user (who is an admin) would need to grant
>>>> 'tester3' read/write access to a container. Permissions are granted
>>>> using the X-Container-Read and X-Container-Write headers on containers,
>>>> http://docs.openstack.org/folsom/openstack-object-storage/admin/content/authentication-and-access-permissions.html
>>>>
>>>> Adrian
>>>>
>>>> On 20 February 2013 05:34, Kun Huang <Academicgareth@xxxxxxxxx> wrote:
>>>> > In tempauth of SAIO, what's the meaning of
>>>> >
>>>> > user_test_tester3 = testing3
>>>> >
>>>> > Note: the account is test; tester3 is a user of that account, but tester3
>>>> > is not an admin or reseller admin.
>>>> > Could tester3 get (GET, HEAD) information from account test?
>>>> >
>>>> > In the current code, the answer is no.
>>>> >
>>>> > I'm not sure what tester3 can do in this case.
>>>> >
>>>> > _______________________________________________
>>>> > Mailing list: https://launchpad.net/~openstack
>>>> > Post to: openstack@xxxxxxxxxxxxxxxxxxx
>>>> > Unsubscribe: https://launchpad.net/~openstack
>>>> > More help: https://help.launchpad.net/ListHelp
>>>> >
>>>>
>>>
>>>
>>
>
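The thread goes back and forth on whether an X-Container-Read header is ever consulted. The authorize() excerpt quoted above only sees req.acl, and the part that is not visible in the excerpt is the proxy: for a container GET/HEAD or any object request it loads the container's X-Container-Read (reads) or X-Container-Write (writes) into req.acl and calls authorize() a second time, while a container PUT/POST/DELETE gets no such recheck and therefore stays owner-only. The example below is an added, stand-alone model of that chain; it is not Swift's code and not code from Adrian or Kun. It re-implements parse_acl and referrer_allowed in simplified form, stores container ACLs in a plain dict, and assumes tempauth's group convention for REMOTE_USER: every user carries account:user (so tester3 is test:tester3), a .admin user additionally carries AUTH_<account>, and a reseller admin carries .reseller_admin. Under that assumption a bare user name in the ACL does not match tester3's group, while the account-qualified form does; the scenario() function traces exactly the sequence discussed in the thread, including the account-level DELETE that even the account admin is refused and the .r:* / .rlistings referrer case for anonymous reads.

```python
from urllib.parse import urlparse

# Added example, not Swift's code. REMOTE_USER strings as tempauth sets them
# (assumed convention: account:user, AUTH_<account> for .admin, .reseller_admin).
RESELLER_PREFIX = 'AUTH_'
USERS = {
    'test:tester': 'test:tester,AUTH_test',                  # .admin on test
    'test:tester3': 'test:tester3',                          # plain user
    'admin:admin': 'admin:admin,AUTH_admin,.reseller_admin',
}
# Constructed stand-in for the container metadata the proxy looks up:
# (account, container) -> {'read': X-Container-Read, 'write': X-Container-Write}
CONTAINER_ACLS = {}

def split_path(path):
    """'/v1/AUTH_test/c/o' -> ('v1', 'AUTH_test', 'c', 'o'), None-padded."""
    parts = [p or None for p in path.strip('/').split('/', 3)]
    return tuple(parts + [None] * (4 - len(parts)))

def parse_acl(acl_string):
    """Simplified swift.common.middleware.acl.parse_acl -> ([referrers], [groups])."""
    items = [v.strip() for v in (acl_string or '').split(',') if v.strip()]
    return ([v[3:].strip() for v in items if v.startswith('.r:')],
            [v for v in items if not v.startswith('.r:')])

def referrer_allowed(referer, referrer_acl):
    """Simplified swift referrer_allowed: '*', host, '.suffix', '-deny'; last wins."""
    allow = False
    rhost = urlparse(referer or '').hostname or 'unknown'
    for mhost in referrer_acl:
        deny = mhost.startswith('-')
        mhost = mhost[1:] if deny else mhost
        if mhost == rhost or (mhost.startswith('.') and rhost.endswith(mhost)):
            allow = not deny
        elif mhost == '*' and not deny:
            allow = True
    return allow

def authorize(remote_user, method, path, acl=None, referer=None):
    """Decision order of the quoted TempAuth.authorize(): reseller admin,
    account admin, OPTIONS, referrer ACL, group ACL. True if allowed."""
    version, account, container, obj = split_path(path)
    if not account or not account.startswith(RESELLER_PREFIX):
        return False
    user_groups = (remote_user or '').split(',')
    if '.reseller_admin' in user_groups and account != RESELLER_PREFIX \
            and account[len(RESELLER_PREFIX)] != '.':
        return True
    if account in user_groups and (method not in ('DELETE', 'PUT') or container):
        return True                    # account admin, except account PUT/DELETE
    if method == 'OPTIONS':
        return True
    referrers, groups = parse_acl(acl)
    if referrer_allowed(referer, referrers):
        return bool(obj or '.rlistings' in groups)
    if not remote_user:
        return False
    return any(g in groups for g in user_groups)

def request(user, method, path, headers=None, referer=None):
    """Proxy plumbing around authorize(): GET/HEAD are rechecked against the
    container's X-Container-Read, object writes against X-Container-Write,
    container PUT/POST/DELETE not at all (owner only). Returns a status."""
    version, account, container, obj = split_path(path)
    entry = CONTAINER_ACLS.setdefault((account, container), {})
    acl = entry.get('read') if method in ('GET', 'HEAD') else (
        entry.get('write') if obj else None)
    if not authorize(USERS.get(user), method, path, acl, referer):
        return 403 if user in USERS else 401
    if method == 'POST' and container and not obj:     # store new ACLs
        for name in ('read', 'write'):
            header = 'X-Container-' + name.capitalize()
            entry[name] = (headers or {}).get(header, entry.get(name))
    return 204 if method == 'POST' else 200

def scenario():
    """What tester3 can do before and after the account admin 'test:tester'
    sets container ACLs; returns {step: status}."""
    CONTAINER_ACLS.clear()
    c, o, ref = '/v1/AUTH_test/c', '/v1/AUTH_test/c/o', 'http://site.example/'
    steps = [
        ('tester3 GET container, no ACL', 'test:tester3', 'GET', c, None, None),
        ('admin sets X-Container-Read: tester3', 'test:tester', 'POST', c,
         {'X-Container-Read': 'tester3'}, None),
        ('tester3 GET after bare-name ACL', 'test:tester3', 'GET', c, None, None),
        ('admin sets X-Container-Read: test:tester3', 'test:tester', 'POST', c,
         {'X-Container-Read': 'test:tester3'}, None),
        ('tester3 GET after account:user ACL', 'test:tester3', 'GET', c, None, None),
        ('tester3 PUT object, read ACL only', 'test:tester3', 'PUT', o, None, None),
        ('admin DELETE account', 'test:tester', 'DELETE', '/v1/AUTH_test', None, None),
        ('admin sets X-Container-Read: .r:*', 'test:tester', 'POST', c,
         {'X-Container-Read': '.r:*'}, None),
        ('anonymous GET object', None, 'GET', o, None, ref),
        ('anonymous GET listing, no .rlistings', None, 'GET', c, None, ref),
    ]
    return {step: request(*args) for step, *args in steps}

if __name__ == '__main__':
    for step, status in scenario().items():
        print(status, step)
```

Running the module prints one status per step. The two POSTs by the admin succeed (204) because AUTH_test is in the admin's groups; tester3 is refused (403) until the ACL names the group tempauth actually assigns, test:tester3, and is still refused a PUT afterwards because only the read ACL was granted. The admin's account-level DELETE is refused by the same branch that lets him do everything inside the account, and the anonymous listing is refused (401) even with .r:* because .rlistings is absent. Status codes are a simplification; the real proxy returns 201 for a PUT and 401 versus 403 as in denied_response().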