[openstack-dev] [keystone] naming case sensitive or not?
Samuel Merritt
sam at swiftstack.com
Fri Mar 29 05:02:02 UTC 2013
On 3/28/13 8:06 AM, Dolph Mathews wrote:
> That's basically up to the identity driver in use -- for example, with
> the SQL driver, if your database is case sensitive, then keystone will
> be as well.
That raises an interesting question about authorization with Keystone.
In Swift, we have container ACLs that are of one of three* forms:

(A) tenant_name:user_id
(B) tenant_id:user_id
(C) *:user_id

Form A is the interesting one here. Let's say I have a container on
which I have set a read ACL of "CamelCorp:12345". Then, a request comes
in, and when Swift's keystoneauth middleware** gets called, it sees that
the tenant name retrieved from Keystone is "Camelcorp" (different
case!), and the user id is 12345 (a match).

Should that request be allowed or not?

* okay, there's the .r: stuff for referrer-based ACLs, but that's not
germane to this discussion

** swift.common.middleware.keystoneauth.KeystoneAuth, for those who wish
to read the code
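
The scenario in the message above, as an added illustration that is not part of the original post and is not Swift's keystoneauth code. The function names, the Identity tuple, the fold_tenant_name switch and the tenant id "t-0001" are hypothetical; the ACL forms, tenant names and user id come from the message.

```python
# Added illustration, not Swift's keystoneauth code; all names are hypothetical.
from collections import namedtuple

# What the auth middleware is assumed to learn from the validated token.
Identity = namedtuple("Identity", "tenant_id tenant_name user_id")


def acl_grant(entry, ident, fold_tenant_name=False):
    """Return the ACL form ('A', 'B' or 'C') that grants access, else None."""
    tenant, sep, user = entry.rpartition(":")
    if not sep or user != ident.user_id:
        return None                      # malformed entry or different user
    if tenant == "*":
        return "C"                       # any tenant, this user id
    if tenant == ident.tenant_id:
        return "B"                       # ids are opaque, no case question
    acl_name, name = tenant, ident.tenant_name
    if fold_tenant_name:                 # policy choice: ignore case of names
        acl_name, name = acl_name.casefold(), name.casefold()
    return "A" if acl_name == name else None


def evaluate(acl_entries, ident, fold_tenant_name=False):
    """First granting form across a container's ACL entries, else None."""
    for entry in acl_entries:
        form = acl_grant(entry.strip(), ident, fold_tenant_name)
        if form:
            return form
    return None


# Constructed sample data: the tenant id is made up; the names and user id
# are the ones used in the message above.
REQUESTER = Identity("t-0001", "Camelcorp", "12345")
OTHER_USER = Identity("t-0001", "Camelcorp", "99999")

if __name__ == "__main__":
    for acl in (["CamelCorp:12345"], ["t-0001:12345"], ["*:12345"]):
        print(acl, "exact:", evaluate(acl, REQUESTER),
              "folded:", evaluate(acl, REQUESTER, fold_tenant_name=True))
```

Only form A changes outcome between the two policies. With folding, an identity backend that is case sensitive could hold two tenants whose names differ only in case, and both would satisfy the same form A entry; with exact matching, a backend that returns the name in a different case denies the request.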