[openstack-dev] [keystone/swift] role-based access control in swift

Nassim Babaci nassim.babaci at cloudwatt.com
Mon Jul 21 13:18:36 UTC 2014


Hi, 

My answer may be a little bit late, but here's a Swift middleware we have just published: https://github.com/cloudwatt/swiftpolicy
It allows managing Swift authorization using a policy.json file.
It is based on the keystoneauth middleware, and uses the oslo.policy file format.

Feel free to comment and/or ask if you have any questions.

--
Nassim

----- Original Message -----
From: "John Dickinson" <me at not.mn>
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Sent: Friday, July 11, 2014 05:33:13
Subject: Re: [openstack-dev] [keystone/swift] role-based access control in swift

There are a couple of places to look to see the current dev effort in Swift around ACLs.

In no particular order:

* Supporting a service token in Swift https://review.openstack.org/#/c/105228/
* Adding policy engine support to Swift https://review.openstack.org/#/c/89568/
* Fixing ACLs to work with Keystone v3+ https://review.openstack.org/#/c/86430/

Some of the above may be in line with what you're looking for.

--John

On Jul 10, 2014, at 8:17 PM, Osanai, Hisashi <osanai.hisashi at jp.fujitsu.com> wrote:

> 
> Hi, 
> 
> I looked for info about role-based access control in Swift because
> I would like to prohibit PUT operations on containers, like creating
> containers and setting ACLs.
> 
> Other services like Nova and Cinder have a "policy.json" file, but Swift doesn't.
> And I found the following info:
> - Swift ACL's migration
> - Centralized policy management
> 
> Do you have detailed info on the above?
> 
> http://dolphm.com/openstack-juno-design-summit-outcomes-for-keystone/
> ---
> Migrate Swift ACL's from a highly flexible Tenant ID/Name basis, which worked reasonably well against Identity API v2, to strictly be based on v3 Project IDs. The driving requirement here is that Project Names are no longer globally unique in v3, as they're only unique within a top-level domain.
> ---
> Centralized policy management
> Keystone currently provides an unused /v3/policies API that can be used to centralize policy blob management across OpenStack.
> 
> 
> Best Regards,
> Hisashi Osanai
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

