Hi Gholt,<br><br>I tried to set the container-based read and write ACLs to share the container with a non-admin user, but it is giving an access denied error.<br><br>[shashi@shashi samples]$  curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' <a href="http://192.168.62.63:8080/auth/v1.0">http://192.168.62.63:8080/auth/v1.0</a><br>* About to connect() to 192.168.62.63 port 8080<br>
*   Trying 192.168.62.63... connected<br>* Connected to 192.168.62.63 (192.168.62.63) port 8080<br>> GET /auth/v1.0 HTTP/1.1<br>> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.7a zlib/1.2.3 libidn/0.6.14<br>
> Host: <a href="http://192.168.62.63:8080">192.168.62.63:8080</a><br>> Accept: */*<br>> X-Storage-User: test:tester<br>> X-Storage-Pass: testing<br>> <br>< HTTP/1.1 200 OK<br>< X-Storage-Url: <a href="http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a">http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a</a><br>
< X-Storage-Token: AUTH_tk64b46c28eda84a839b7ba10cc54f3525<br>< X-Auth-Token: AUTH_tk64b46c28eda84a839b7ba10cc54f3525<br>< Content-Length: 112<br>< Date: Tue, 05 Apr 2011 10:18:31 GMT<br>Connection #0 to host 192.168.62.63 left intact<br>
* Closing connection #0<br>{"storage": {"default": "local", "local": "<a href="http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a">http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a</a>"}}[shashi@shashi samples]$ <br>
<br><br>[shashi@shashi samples]$  curl -X HEAD -D - -H 'X-Auth-Token: AUTH_tk64b46c28eda84a839b7ba10cc54f3525' <a href="http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a">http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a</a><br>
HTTP/1.1 204 No Content<br>X-Account-Object-Count: 0<br>X-Account-Bytes-Used: 0<br>X-Account-Container-Count: 1<br>Content-Length: 0<br>Date: Tue, 05 Apr 2011 10:20:19 GMT<br><br>[shashi@shashi samples]$ <br>[shashi@shashi samples]$  curl -X HEAD -D - -H 'X-Auth-Token: AUTH_tk64b46c28eda84a839b7ba10cc54f3525' <a href="http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1">http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1</a><br>
HTTP/1.1 204 No Content<br>X-Container-Object-Count: 1<br>X-Container-Bytes-Used: 29<br>Content-Length: 0<br>Date: Tue, 05 Apr 2011 10:20:40 GMT<br><br>[shashi@shashi samples]$ <br><br><br><br>Initially I created a container named "container1" using the admin user "test:tester", and then tried to set the read and write ACLs for container1 to share it with a non-admin user ...<br>
<br><br><br>[shashi@shashi samples]$  curl -v -H 'X-Auth-Token: AUTH_tk64b46c28eda84a839b7ba10cc54f3525' -H 'X-Container-Read: test:tester3' -H 'X-Container-Write: test:tester3' <a href="http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1">http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1</a><br>
* About to connect() to 192.168.62.63 port 8080<br>*   Trying 192.168.62.63... connected<br>* Connected to 192.168.62.63 (192.168.62.63) port 8080<br>> GET /v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1 HTTP/1.1<br>
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.7a zlib/1.2.3 libidn/0.6.14<br>> Host: <a href="http://192.168.62.63:8080">192.168.62.63:8080</a><br>> Accept: */*<br>> X-Auth-Token: AUTH_tk64b46c28eda84a839b7ba10cc54f3525<br>
> X-Container-Read: test:tester3<br>> X-Container-Write: test:tester3<br>> <br>< HTTP/1.1 200 OK<br>< X-Container-Object-Count: 1<br>< X-Container-Bytes-Used: 29<br>< Content-Length: 10<br>< Content-Type: text/plain; charset=utf8<br>
< Date: Tue, 05 Apr 2011 10:11:01 GMT<br>testfile1<br>* Connection #0 to host 192.168.62.63 left intact<br>* Closing connection #0<br>[shashi@shashi samples]$ <br><br>[shashi@shashi samples]$  curl -v -H 'X-Storage-User: test:tester3' -H 'X-Storage-Pass: testing3' <a href="http://192.168.62.63:8080/auth/v1.0">http://192.168.62.63:8080/auth/v1.0</a><br>* About to connect() to 192.168.62.63 port 8080<br>
*   Trying 192.168.62.63... connected<br>* Connected to 192.168.62.63 (192.168.62.63) port 8080<br>> GET /auth/v1.0 HTTP/1.1<br>> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.7a zlib/1.2.3 libidn/0.6.14<br>
> Host: <a href="http://192.168.62.63:8080">192.168.62.63:8080</a><br>> Accept: */*<br>> X-Storage-User: test:tester3<br>> X-Storage-Pass: testing3<br>> <br>< HTTP/1.1 200 OK<br>< X-Storage-Url: <a href="http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a">http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a</a><br>
< X-Storage-Token: AUTH_tk124a8a19ad7e49c5a04710716fd4f126<br>< X-Auth-Token: AUTH_tk124a8a19ad7e49c5a04710716fd4f126<br>< Content-Length: 112<br>< Date: Tue, 05 Apr 2011 10:11:16 GMT<br>Connection #0 to host 192.168.62.63 left intact<br>
* Closing connection #0<br>{"storage": {"default": "local", "local": "<a href="http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a">http://127.0.0.1:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a</a>"}}[shashi@shashi samples]$ <br>
<br>[shashi@shashi samples]$  curl  -s -D - -H 'X-Auth-Token: AUTH_tk124a8a19ad7e49c5a04710716fd4f126' <a href="http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1/testfile1">http://192.168.62.63:8080/v1/AUTH_74ac0809-6c3f-4a0b-a6c8-6a664477b32a/container1/testfile1</a><br>
HTTP/1.1 403 Forbidden<br>Content-Length: 157<br>Content-Type: text/html; charset=UTF-8<br>Date: Tue, 05 Apr 2011 10:11:42 GMT<br><br><html><br> <head><br>  <title>403 Forbidden</title><br> </head><br>
 <body><br>  <h1>403 Forbidden</h1><br>  Access was denied to this resource.<br /><br /><br><br><br><br> </body><br></html>[shashi@shashi samples]$ <br>[shashi@shashi samples]$ <br>
<br>Thanks & Regards,<br>shashi<br><br><br><br><br><br><div class="gmail_quote">On Fri, Apr 1, 2011 at 6:32 PM, Greg Holt <span dir="ltr"><<a href="mailto:gholt@rackspace.com">gholt@rackspace.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;"><div class="im">On Apr 1, 2011, at 1:35 AM, shashidhar v wrote:<br>
<br>
> In the above script, the third user is tester3 (non-admin), which is not allowed to create containers? Then what is the role of non-admin users created under Swift, and what operations can they perform?<br>
><br>
> Does Swift support ACLs or not, and can the containers/objects created by an admin user be shared with a non-admin user for at least downloading the objects?<br>
<br>
</div>Non-admin users can only perform operations per container based on the container’s X-Container-Read and X-Container-Write ACLs. With an admin account you could create a container for that non-admin user and set X-Container-Read: test:tester3 and X-Container-Write: test:tester3.<br>

<br>
These may explain more:<br>
<br>
<a href="http://swift.openstack.org/overview_auth.html" target="_blank">http://swift.openstack.org/overview_auth.html</a><br>
<a href="http://swift.openstack.org/misc.html#module-swift.common.middleware.acl" target="_blank">http://swift.openstack.org/misc.html#module-swift.common.middleware.acl</a><br>
<br>
</blockquote></div><br>
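Added example, not part of the original e-mails or of Swift's own code: Swift stores container ACL headers only on a container PUT or POST, so this checker reads a `curl -v` transcript and reports, for each request that carried X-Container-Read or X-Container-Write, whether its method could have stored them. The transcript, host, account and token below are constructed placeholders, and the function name is hypothetical.

```python
import re

# Swift persists container metadata, ACL headers included, only on PUT or POST.
METADATA_METHODS = {"PUT", "POST"}
ACL_HEADERS = {"x-container-read", "x-container-write"}
REQUEST_LINE = re.compile(r"^> ([A-Z]+) (\S+) HTTP/\d\.\d$")

# Constructed sample in the shape `curl -v` prints ('>' sent, '<' received);
# host, account and token are placeholders, not values from a real cluster.
SAMPLE = """\
> GET /v1/AUTH_example/container1 HTTP/1.1
> Host: swift.example:8080
> X-Auth-Token: AUTH_tkEXAMPLE
> X-Container-Read: test:tester3
> X-Container-Write: test:tester3
>
< HTTP/1.1 200 OK
> POST /v1/AUTH_example/container1 HTTP/1.1
> Host: swift.example:8080
> X-Auth-Token: AUTH_tkEXAMPLE
> X-Container-Read: test:tester3
>
< HTTP/1.1 204 No Content
"""

def audit_acl_requests(transcript):
    """Return one record per request that carried container ACL headers."""
    requests, current = [], None
    for raw in transcript.splitlines():
        line = raw.rstrip()
        match = REQUEST_LINE.match(line)
        if match:
            current = {"method": match.group(1), "path": match.group(2), "acl": {}}
            requests.append(current)
        elif line.startswith("<"):
            current = None  # response started; request headers are over
        elif current is not None and line.startswith("> ") and ":" in line:
            name, value = line[2:].split(":", 1)
            if name.strip().lower() in ACL_HEADERS:
                current["acl"][name.strip()] = value.strip()
    return [
        dict(r, method_sets_metadata=r["method"] in METADATA_METHODS)
        for r in requests if r["acl"]
    ]

if __name__ == "__main__":
    for r in audit_acl_requests(SAMPLE):
        verdict = "can store ACL" if r["method_sets_metadata"] else "ACL headers ignored"
        print(r["method"], r["path"], sorted(r["acl"]), "->", verdict)
```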