<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
        {font-family:SimSun;
        panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:"\@SimSun";
        panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:SimSun;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">There is a nice write-up of Keystone RBAC here:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><a href="https://blueprints.launchpad.net/keystone/+spec/rbac-keystone">https://blueprints.launchpad.net/keystone/+spec/rbac-keystone</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">AFAIK, Keystone will provide CRUD API around policy.json, but policy enforcement is done at the service level…  Joe or Dolph may be able to provide more insights…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Liem<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Chmouel Boudjnah [mailto:chmouel@chmouel.com]
<br>
<b>Sent:</b> Tuesday, May 15, 2012 9:41 AM<br>
<b>To:</b> Nguyen, Liem Manh<br>
<b>Cc:</b> </span><span lang="ZH-CN" style="font-size:10.0pt">张家龙</span><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">; openstack<br>
<b>Subject:</b> Re: [Openstack] Swift Object Storage ACLs with KeyStone<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This has been filed already, zhangjialong:<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://bugs.launchpad.net/keystone/+bug/999615">https://bugs.launchpad.net/keystone/+bug/999615</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I am not very familiar with how Keystone RBAC u work, AFAIK the current way to do that with policy.json is going to go away in the future, right?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Chmouel.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Tue, May 15, 2012 at 6:37 PM, Nguyen, Liem Manh <<a href="mailto:liem_m_nguyen@hp.com" target="_blank">liem_m_nguyen@hp.com</a>> wrote:<o:p></o:p></p>
<p class="MsoNormal">Yeah, that is because the swift/keystone middleware checks for the tenantId to match the accountId in the URL path...  Perhaps, we should rely strictly on Swift ACL for granting access to a given Swift container, and rely on Keystone RBAC
 for what you can do with a given Swift account.<br>
<br>
BTW, we also ran into this issue before...  Has a bug/feature request been filed for this yet?  If not, I can file one.<br>
<br>
Thanks,<br>
Liem<br>
<br>
-----Original Message-----<br>
From: openstack-bounces+liem_m_nguyen=<a href="mailto:hp.com@lists.launchpad.net">hp.com@lists.launchpad.net</a> [mailto:<a href="mailto:openstack-bounces%2Bliem_m_nguyen">openstack-bounces+liem_m_nguyen</a>=<a href="mailto:hp.com@lists.launchpad.net">hp.com@lists.launchpad.net</a>]
 On Behalf Of Chmouel Boudjnah<br>
Sent: Tuesday, May 15, 2012 2:55 AM<br>
To: <span lang="ZH-CN">张家龙</span><br>
Cc: openstack<br>
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone<br>
<br>
Hi,<br>
<br>
In swift+keystone you are not allowed to have ACLs between different<br>
accounts/tenants/projects; you can only allow ACLs between different<br>
users in a tenant.<br>
This is probably something not too difficult to implement but it may<br>
need some tinkering to get it right. Please feel free to log a bug in<br>
keystone and we'll try to address that.<br>
<br>
Chmouel.<br>
<br>
On Sat, May 12, 2012 at 4:02 AM, <span lang="ZH-CN">张家龙</span> <<a href="mailto:zhangjl@awcloud.com">zhangjl@awcloud.com</a>> wrote:<br>
> Vish ,<br>
>      Thank you for answering.<br>
>      Well, sorry, I don't understand what you said.<br>
>      Do you mean I have to do as follows when I set up ACLs:<br>
><br>
>     curl -X PUT -i \<br>
>     -H "X-Auth-Token: <token of demo:demo>" \<br>
>     -H "X-Container-Read: <tenant_id:user_id>" \<br>
>     <a href="http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc" target="_blank">
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc</a><br>
><br>
>     Or other operations and settings?<br>
> ------------------<br>
> Best Regards<br>
><br>
> ZhangJialong<br>
><br>
><br>
><br>
> ------------------ Original ------------------<br>
> From:  "Vishvananda Ishaya"<<a href="mailto:vishvananda@gmail.com">vishvananda@gmail.com</a>>;<br>
> Date:  Sat, May 12, 2012 03:03 AM<br>
> To:  "<span lang="ZH-CN">张家龙</span>"<<a href="mailto:zhangjl@awcloud.com">zhangjl@awcloud.com</a>>;<br>
> Cc:  "openstack"<<a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>>;<br>
> Subject:  Re: [Openstack] Swift Object Storage ACLs with KeyStone<br>
><br>
> I'm not totally sure about this, but you might have to use the project_id<br>
> from keystone instead of the project_name when setting up acls.   The same<br>
> may be true of user_id.<br>
><br>
> Vish<br>
><br>
> On Fri, May 11, 2012 at 12:51 AM, <span lang="ZH-CN">张家龙</span> <<a href="mailto:zhangjl@awcloud.com">zhangjl@awcloud.com</a>> wrote:<br>
>><br>
>><br>
>> Hello, everyone.<br>
>><br>
>>     I encountered some problems when I set permissions (ACLs) on OpenStack<br>
>> Swift containers.<br>
>>     I installed swift-1.4.8 (essex) and used keystone-2012.1 as the<br>
>> authentication system on CentOS 6.2.<br>
>><br>
>>     My swift proxy-server.conf and keystone.conf are here:<br>
>>     <a href="http://pastebin.com/dUnHjKSj" target="_blank">http://pastebin.com/dUnHjKSj</a><br>
>><br>
>>     Then I used the script named opensatck_essex_data.sh (<br>
>> <a href="http://pastebin.com/LWGVZrK0" target="_blank">http://pastebin.com/LWGVZrK0</a> ) to<br>
>>     initialize keystone.<br>
>><br>
>>     After these operations, I got the tokens of demo:demo and<br>
>> newuser:newuser<br>
>><br>
>>     curl -s -H 'Content-type: application/json' \<br>
>>     -d '{"auth": {"tenantName": "demo", "passwordCredentials":<br>
>> {"username": "demo", "password": "admin"}}}' \<br>
>>     <a href="http://127.0.0.1:5000/v2.0/tokens" target="_blank">http://127.0.0.1:5000/v2.0/tokens</a> | python -mjson.tool<br>
>><br>
>>     curl -s -H 'Content-type: application/json' \<br>
>>     -d '{"auth": {"tenantName": "newuser", "passwordCredentials":<br>
>> {"username": "newuser", "password": "admin"}}}' \<br>
>>     <a href="http://127.0.0.1:5000/v2.0/tokens" target="_blank">http://127.0.0.1:5000/v2.0/tokens</a> | python -mjson.tool<br>
>><br>
>>     Then, enable read access for newuser:newuser<br>
>><br>
>>     curl -X PUT -i \<br>
>>     -H "X-Auth-Token: <token of demo:demo>" \<br>
>>     -H "X-Container-Read: newuser:newuser" \<br>
>><br>
>> <a href="http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc" target="_blank">
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc</a><br>
>><br>
>>     Check the permission of the container:<br>
>><br>
>>     curl -k -v -H 'X-Auth-Token:<token of demo:demo>' \<br>
>><br>
>> <a href="http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc" target="_blank">
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc</a><br>
>><br>
>>     This is the reply of the operation:<br>
>><br>
>>     HTTP/1.1 200 OK<br>
>>     X-Container-Object-Count: 1<br>
>>     X-Container-Read: newuser:newuser<br>
>>     X-Container-Bytes-Used: 2735<br>
>>     Accept-Ranges: bytes<br>
>>     Content-Length: 24<br>
>>     Content-Type: text/plain; charset=utf-8<br>
>>     Date: Fri, 11 May 2012 07:30:23 GMT<br>
>><br>
>>     opensatck_essex_data.sh<br>
>><br>
>>     Now the user newuser:newuser visits the container of demo:demo<br>
>><br>
>>     curl -k -v -H 'X-Auth-Token:<token of newuser:newuser>' \<br>
>><br>
>> <a href="http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc" target="_blank">
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc</a><br>
>><br>
>>     However, I got a 403 error. Can someone help me?<br>
>><br>
>> ------------------<br>
>> Best Regards<br>
>><br>
>> ZhangJialong<br>
>><br>
>><br>
>> _______________________________________________<br>
>> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> Post to     : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
>> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
>> More help   : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
>><br>
><br>
<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
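<p class="MsoNormal">Added example, not code from this thread or from Keystone or Swift: a simplified Python model of the authorization order Liem and Chmouel describe above, in which the middleware first requires the token's tenant to match the AUTH_&lt;tenant_id&gt; account in the URL and only afterwards consults the container ACL, so a cross-tenant X-Container-Read entry still ends in 403. The operator-role set, the tenant:user form of ACL entries and the newuser tenant id are assumptions.</p>

```python
# Added example (not code from the thread, Keystone or Swift): simplified
# model of the Essex-era swift/keystone authorization order described above.
from dataclasses import dataclass, field
RESELLER_PREFIX = "AUTH_"
OPERATOR_ROLES = {"admin", "swiftoperator"}  # assumed operator_roles setting

@dataclass
class Token:
    tenant_id: str
    tenant_name: str
    user_name: str
    roles: set = field(default_factory=set)

def account_from_path(path):
    # /v1/AUTH_<tenant_id>/<container>[/<object>] -> AUTH_<tenant_id>
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "v1":
        raise ValueError("not a Swift v1 path")
    return parts[1]

def authorize(path, token, container_read_acl=""):
    """Return (allowed, reason) for a read of the container in `path`."""
    account = account_from_path(path)
    # 1. The account segment must be the token's own tenant. This runs before
    #    any ACL is looked at, so a cross-tenant grant cannot help (-> 403).
    if account != RESELLER_PREFIX + token.tenant_id:
        return False, "tenant mismatch: %s != %s" % (account, token.tenant_id)
    # 2. Operator roles own the account outright.
    if token.roles & OPERATOR_ROLES:
        return True, "account owner via operator role"
    # 3. Otherwise the ACL decides; entries are assumed to be tenant:user.
    entries = {e.strip() for e in container_read_acl.split(",") if e.strip()}
    me = "%s:%s" % (token.tenant_name, token.user_name)
    if me in entries:
        return True, "granted by X-Container-Read entry " + me
    return False, "no ACL entry for " + me

# Constructed sample: DEMO_TENANT is the id in the thread's URLs,
# NEWUSER_TENANT is a placeholder for the separate tenant of newuser:newuser.
DEMO_TENANT = "f1723800c821453d9f22d42d1fbb334b"
NEWUSER_TENANT = "00000000000000000000000000000001"
DEMO_PATH = "/v1/AUTH_%s/demodirc" % DEMO_TENANT

def thread_scenario():
    newuser = Token(NEWUSER_TENANT, "newuser", "newuser", {"Member"})
    reader = Token(DEMO_TENANT, "demo", "reader", {"Member"})
    owner = Token(DEMO_TENANT, "demo", "demo", {"admin"})
    return {
        "cross_tenant": authorize(DEMO_PATH, newuser, "newuser:newuser"),
        "same_tenant": authorize(DEMO_PATH, reader, "demo:reader"),
        "owner": authorize(DEMO_PATH, owner),
    }
```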
</div>
</div>
</body>
</html>