Re: Use Openstack SDK for Swift
I didn't see a response to this email so I am re-sending.
That's interesting because I responded. My Email client decided by default to respond to a single person dropping discuss, but response to you went out. Anyway, reposting my answer On Thursday, 22 February 2024 12:11:31 CET you wrote:
Hey
this is a tricky thing explained by a single auth concept: in OpenStack when you connect to the cloud as a regular user you request certain scope which normally grants you access to the single domain or the project. Moreover with this authorization you get list of endpoints you can communicate with and for Swift this is a project bound endpoint that look somehow like https:// swift.example.com/v1/AUTH_<project_id>. But the "AUTH_" part may be actually different since it is part of the swift config. If you are an admin the situation is a bit different
In summary that means that you want to do something in the way the API was not designed for.
Solutions:
generally first question you must address is the authorization: is your user able to access containers of different projects or not. If not you have no chance and you need to establish new connection with another credentials When the answer is "yes" you have some options:
- switch your authorization using https://opendev.org/openstack/openstacksdk/ src/branch/master/openstack/cloud/openstackcloud.py#L123. That gives you new session for a different project that you can use in scope of a certain project
- use you single session for pure API calls. This has a disadvantage that you have raw API communication and need to do lot of tricky things yourself ``` conn.get("../AUTH_<another_project_id>/") ```
Unfortunately there is nothing else what could help you, but even with alternative API wrappers you have the same issue.
Hope this helps, Artem
On Tuesday, 20 February 2024 21:59:19 CET Albert Braden wrote:
I'm writing a script that will use admin credentials to check user projects for containers. I'm already doing something similar for non-swift accounts, doing things like:
cloud.network.networks(project_id=projectid):
I read here about the Object SDK:
https://docs.openstack.org/openstacksdk/latest/user/guides/object_store.ht ml
And I tried this:
cloud.object_store.containers(project_id=projectid):
But I get an error:
Invalid query params: project_id
I read the Object SDK document here and it doesn't seem to say anything about how to specify a project:
https://docs.openstack.org/openstacksdk/latest/user/proxies/object_store.h tm l
But when I read the Swift API document, I see that I can use "/v1/{account}/{container}", so I'm guessing that there must be a way to do it via the SDK.
https://docs.openstack.org/api-ref/object-store/#show-container-details-an d-> list-objects
Is it possible to specify the project in an Object SDK call, or do I need to use the old python API for this?
Thank you Artem! I think I understand. When I do this via CLI I change the "OS_STORAGE_URL" to access a customer project. It looks like connect_as will do something similar. What does a call to connect_as look like? Is it something like connect_as(self, OS_STORAGE_PROJECT_ID=<customer_project_id>)? Do I also need to specify OS_STORAGE_URL? On Monday, February 26, 2024 at 11:50:38 AM EST, gtema <artem.goncharov@gmail.com> wrote:
I didn't see a response to this email so I am re-sending.
That's interesting because I responded. My Email client decided by default to respond to a single person dropping discuss, but response to you went out. Anyway, reposting my answer On Thursday, 22 February 2024 12:11:31 CET you wrote:
Hey
this is a tricky thing explained by a single auth concept: in OpenStack when you connect to the cloud as a regular user you request certain scope which normally grants you access to the single domain or the project. Moreover with this authorization you get list of endpoints you can communicate with and for Swift this is a project bound endpoint that look somehow like https:// swift.example.com/v1/AUTH_<project_id>. But the "AUTH_" part may be actually different since it is part of the swift config. If you are an admin the situation is a bit different
In summary that means that you want to do something in the way the API was not designed for.
Solutions:
generally first question you must address is the authorization: is your user able to access containers of different projects or not. If not you have no chance and you need to establish new connection with another credentials When the answer is "yes" you have some options:
- switch your authorization using https://opendev.org/openstack/openstacksdk/ src/branch/master/openstack/cloud/openstackcloud.py#L123. That gives you new session for a different project that you can use in scope of a certain project
- use you single session for pure API calls. This has a disadvantage that you have raw API communication and need to do lot of tricky things yourself ``` conn.get("../AUTH_<another_project_id>/") ```
Unfortunately there is nothing else what could help you, but even with alternative API wrappers you have the same issue.
Hope this helps, Artem
On Tuesday, 20 February 2024 21:59:19 CET Albert Braden wrote:
I'm writing a script that will use admin credentials to check user projects for containers. I'm already doing something similar for non-swift accounts, doing things like:
cloud.network.networks(project_id=projectid):
I read here about the Object SDK:
https://docs.openstack.org/openstacksdk/latest/user/guides/object_store.ht ml
And I tried this:
cloud.object_store.containers(project_id=projectid):
But I get an error:
Invalid query params: project_id
I read the Object SDK document here and it doesn't seem to say anything about how to specify a project:
https://docs.openstack.org/openstacksdk/latest/user/proxies/object_store.h tm l
But when I read the Swift API document, I see that I can use "/v1/{account}/{container}", so I'm guessing that there must be a way to do it via the SDK.
https://docs.openstack.org/api-ref/object-store/#show-container-details-an d-> list-objects
Is it possible to specify the project in an Object SDK call, or do I need to use the old python API for this?
participants (2)
-
Albert Braden
-
gtema