<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:2022777176;
mso-list-type:hybrid;
mso-list-template-ids:1538703238 68354063 68354073 68354075 68354063 68354073 68354075 68354063 68354073 68354075;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="NL" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Hi Saverio,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span lang="EN-US">Yes, in the end I was able to get it working! The issue was related to my proxy server pipeline config (filter:authtoken). I did not find pointers to updated documentation though.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">When I had updated the [filter:authtoken] configuration in /etc/swift/proxy-server.conf, everything worked. In my case the values auth_uri and auth_url were not configured correctly:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">[filter:authtoken]<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">paste.filter_factory = keystonemiddleware.auth_token:filter_factory<o:p></o:p></span></p>
<p class="MsoPlainText"><b><span lang="EN-US">auth_uri = https://<keystone_public_IP>:5443<o:p></o:p></span></b></p>
<p class="MsoPlainText"><b><span lang="EN-US">auth_url = http://<keystone_internal_IP>:35357<o:p></o:p></span></b></p>
<p class="MsoPlainText"><span lang="EN-US">auth_plugin = password<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">project_name = service<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">project_domain_id = default<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">user_domain_id = default<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">username = swift<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">password = XXXXXXXXXXXXXXXXXXXXX<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">I don’t know why that meant that regular token validation worked, but cross-tenant did not<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">(unfortunately it’s a test cluster so I don’t have history on what it was before I changed it :( )<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">What works for me now (using python-swiftclient) is the following. I hope that the text formatting survives in the email:<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">1.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">A user with complete ownership over the account (say account X) executes<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span lang="EN-US" style="font-family:"Courier New""><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="font-family:"Courier New"">swift post <container> --read-acl ‘<project-name>:<username>’<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">or<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span lang="EN-US" style="font-family:"Courier New""><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="font-family:"Courier New"">swift post <container> --read-acl ‘<project-name>:*>’<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">2.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">A user in the <project-name> account can now list the container and get objects in the container by doing:<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span lang="EN-US" style="font-family:"Courier New""><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="font-family:"Courier New"">swift list <container> --os-storage-url <storage URL for account X> --os-auth-token <normal token><o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span lang="EN-US"><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US">or<o:p></o:p></span></p>
<p class="MsoPlainText" style="margin-left:72.0pt;text-indent:-18.0pt;mso-list:l0 level2 lfo1">
<![if !supportLists]><span lang="EN-US" style="font-family:"Courier New""><span style="mso-list:Ignore">c.<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span lang="EN-US" style="font-family:"Courier New"">swift download <container> <object> --os-storage-url <same as above> --os-auth-token <same as above><o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">Note that you can review the full storage URL for an account by doing
</span><span lang="EN-US" style="font-family:"Courier New"">swift stat -v.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">In this case, the user in step 2 is not able to do anything else in account X besides do object listing in the container and get its objects, which is what I was aiming for. What does not work for me is if I set the
read-acl to ‘<project-name>’ only, even though that should work according to the documentation. If you want to allow all users in another project read access to a container, use ‘<project-name>:*’ as the read-ACL.<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US">I hope this helps!<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="mso-fareast-language:NL">With kind regards,<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="mso-fareast-language:NL">Pieter van Wijngaarden<o:p></o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="mso-fareast-language:NL"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoPlainText"><span lang="EN-US" style="mso-fareast-language:NL">-----Original Message-----<br>
From: Saverio Proto [mailto:zioproto@gmail.com] <br>
Sent: dinsdag 3 mei 2016 12:44<br>
To: Wijngaarden, Pieter van <pieter.van.wijngaarden@philips.com><br>
Cc: openstack-operators@lists.openstack.org<br>
Subject: Re: [Openstack-operators] Swift ACL's together with Keystone (v3) integration</span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hello Pieter,<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">I did run into the same problem today. Did you find pointers to more updated documentation ? Were you able to configure the cross tenant read ACL ?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">thank you<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Saverio<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">2016-04-20 13:48 GMT+02:00 Wijngaarden, Pieter van<o:p></o:p></p>
<p class="MsoPlainText"><<a href="mailto:pieter.van.wijngaarden@philips.com"><span style="color:windowtext;text-decoration:none">pieter.van.wijngaarden@philips.com</span></a>>:<o:p></o:p></p>
<p class="MsoPlainText">> Hi all,<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I’m playing around with a Swift cluster (Liberty) and cannot get the
<o:p></o:p></p>
<p class="MsoPlainText">> Swift ACL’s to work. My objective is to give users from one project
<o:p></o:p></p>
<p class="MsoPlainText">> (and thus Swift account?) selective access to specific containers in another project.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> According to<o:p></o:p></p>
<p class="MsoPlainText">> <a href="http://docs.openstack.org/developer/swift/middleware.html#keystoneauth">
<span style="color:windowtext;text-decoration:none">http://docs.openstack.org/developer/swift/middleware.html#keystoneauth</span></a><o:p></o:p></p>
<p class="MsoPlainText">> , the swift/keystoneauth plugin should support cross-tenant (now
<o:p></o:p></p>
<p class="MsoPlainText">> cross-project) ACL’s by setting the read-acl of a container to something like:<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> swift post <containername> --read-acl '<projectname>:<username>'<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Using a project name instead of a UUID should be supported if all
<o:p></o:p></p>
<p class="MsoPlainText">> projects are in the default domain.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> But if I set this for a user in a different project / different swift
<o:p></o:p></p>
<p class="MsoPlainText">> account, it doesn’t seem to work. The last reference to Swift
<o:p></o:p></p>
<p class="MsoPlainText">> container ACL’s from the archives is somewhere in 2011..<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I have found a few Swift ACL examples / tutorials online, but they are
<o:p></o:p></p>
<p class="MsoPlainText">> all outdated or appear to use special / proprietary middleware. Does
<o:p></o:p></p>
<p class="MsoPlainText">> anybody have (or can anybody create) an example that is up-to-date for
<o:p></o:p></p>
<p class="MsoPlainText">> OpenStack Liberty or later, and shows container ACL’s together with
<o:p></o:p></p>
<p class="MsoPlainText">> Keystone integration?<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> What I would like to do:<o:p></o:p></p>
<p class="MsoPlainText">> - I have a bunch of users and projects in Keystone, and thus a bunch
<o:p></o:p></p>
<p class="MsoPlainText">> of (automatically created) Swift accounts<o:p></o:p></p>
<p class="MsoPlainText">> - I would like to allow one specific user in a project (say project X)
<o:p></o:p></p>
<p class="MsoPlainText">> to access a container from a different project (Y)<o:p></o:p></p>
<p class="MsoPlainText">> - And/or, I would like to allow all users in project X to access one
<o:p></o:p></p>
<p class="MsoPlainText">> specific container in project Y.<o:p></o:p></p>
<p class="MsoPlainText">> Both these options should include listing the objects in the
<o:p></o:p></p>
<p class="MsoPlainText">> container, but exclude listing all containers in the other account.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I hope there is someone who can help, thanks a lot in advance!<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> With kind regards,<o:p></o:p></p>
<p class="MsoPlainText">> Pieter van Wijngaarden<o:p></o:p></p>
<p class="MsoPlainText">> System Architect<o:p></o:p></p>
<p class="MsoPlainText">> Digital Pathology Solutions<o:p></o:p></p>
<p class="MsoPlainText">> Philips Healthcare<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Veenpluis 4-6, Building QY-2.006, 5684 PC Best<o:p></o:p></p>
<p class="MsoPlainText"><span lang="EN-US">> Tel: +31 6 2958 6736, Email: </span>
<a href="mailto:pieter.van.wijngaarden@philips.com"><span lang="EN-US" style="color:windowtext;text-decoration:none">pieter.van.wijngaarden@philips.com</span></a><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> ________________________________<o:p></o:p></p>
<p class="MsoPlainText">> The information contained in this message may be confidential and
<o:p></o:p></p>
<p class="MsoPlainText">> legally protected under applicable law. The message is intended solely
<o:p></o:p></p>
<p class="MsoPlainText">> for the addressee(s). If you are not the intended recipient, you are
<o:p></o:p></p>
<p class="MsoPlainText">> hereby notified that any use, forwarding, dissemination, or
<o:p></o:p></p>
<p class="MsoPlainText">> reproduction of this message is strictly prohibited and may be
<o:p></o:p></p>
<p class="MsoPlainText">> unlawful. If you are not the intended recipient, please contact the
<o:p></o:p></p>
<p class="MsoPlainText">> sender by return e-mail and destroy all copies of the original message.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> _______________________________________________<o:p></o:p></p>
<p class="MsoPlainText">> OpenStack-operators mailing list<o:p></o:p></p>
<p class="MsoPlainText">> <a href="mailto:OpenStack-operators@lists.openstack.org">
<span style="color:windowtext;text-decoration:none">OpenStack-operators@lists.openstack.org</span></a><o:p></o:p></p>
<p class="MsoPlainText">> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operator">
<span style="color:windowtext;text-decoration:none">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operator</span></a><o:p></o:p></p>
<p class="MsoPlainText">> s<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
</div>
<br>
<hr>
<font face="Arial" color="Gray" size="1">The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified
that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.<br>
</font>
</body>
</html>