[Keystone][Swift] Using policy.json to prohibit specific API operations by policy?

Andrew Boring andrew at andrewboring.com
Tue Oct 4 22:28:23 UTC 2022


Hi all, 


I'm looking to support a situation where one class of Keystone users in a given domain can create Swift containers (either within a single, dedicated project or within their own projects) but *cannot* change ACLs on those containers, while a second class of users *can* alter ACLs on their own containers.

For example, User A is in the first class (defined by role) and can perform all CRUD operations, EXCEPT update pre-defined ACL metadata on those containers. User B is in the second class and CAN update ACLs on their respective containers, like any other standard user.

Something like this AWS policy condition ("Granting permissions to multiple accounts with added conditions") is directionally what I'm trying to achieve: 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html#example-bucket-policies-use-case-1


Keystone docs imply that I can create policy.json files for all services:

"You can define actions for OpenStack service roles in the /etc/PROJECT/policy.yaml files. For example, define actions for Compute service roles in the /etc/nova/policy.yaml file."
    -https://docs.openstack.org/keystone/yoga/admin/cli-manage-projects-users-and-roles.html

But I can't find any indication that Swift actually supports this.

So, does Swift support the Oslo policy.json stuff, and if so, is it documented anywhere? Is it simply an "install oslo policy and add it to the pipeline in proxy-server.conf"?

If not, is there another/preferred way to achieve the desired restrictions on Swift API operations by policy for a given Keystone domain? 

Thanks.

--
Andrew Boring
andrew at andrewboring.com
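An added illustration, not part of the message above and not Swift's or Keystone's own code: one way to enforce the first-class restriction in the proxy pipeline is a small Paste/WSGI filter that refuses container ACL header changes when the token carries a configured role. The role name acl_locked, the filter's position after Keystone auth_token in proxy-server.conf, and the X-Roles header it reads are assumptions.

```python
import re
# Swift takes container ACLs from these headers on container PUT/POST; the
# X-Remove-* forms clear an ACL, so they count as a change too.
ACL_HEADERS = ("HTTP_X_CONTAINER_READ", "HTTP_X_CONTAINER_WRITE",
               "HTTP_X_REMOVE_CONTAINER_READ", "HTTP_X_REMOVE_CONTAINER_WRITE")
# Matches /v1/<account>/<container>; object paths carry a further segment.
CONTAINER_PATH = re.compile(r"^/v1/[^/]+/[^/]+/?$")

class ContainerAclLock:
    """Rejects container ACL changes from requests whose roles are locked."""
    def __init__(self, app, restricted_roles):
        self.app = app
        self.restricted_roles = {r.strip().lower() for r in restricted_roles if r.strip()}

    def denies(self, environ):
        if environ.get("REQUEST_METHOD") not in ("PUT", "POST"):
            return False
        if not CONTAINER_PATH.match(environ.get("PATH_INFO", "")):
            return False
        if not any(h in environ for h in ACL_HEADERS):
            return False
        # Assumption: Keystone auth_token upstream exposes token roles as X-Roles.
        roles = {r.strip().lower() for r in environ.get("HTTP_X_ROLES", "").split(",")}
        return bool(roles & self.restricted_roles)

    def __call__(self, environ, start_response):
        if self.denies(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"container ACL changes are not permitted for your role\n"]
        return self.app(environ, start_response)

def filter_factory(global_conf, **local_conf):
    """Paste entry point; proxy-server.conf would set restricted_roles = acl_locked."""
    roles = local_conf.get("restricted_roles", "").split(",")
    return lambda app: ContainerAclLock(app, roles)

def _accepting_app(environ, start_response):
    """Stand-in for the rest of the proxy pipeline (constructed for this demo)."""
    start_response("204 No Content", [])
    return [b""]

def status_for(method, path, roles, headers=None):
    """Push one constructed request through the filter; return its status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_X_ROLES": roles}
    environ.update(headers or {})
    seen = []
    app = filter_factory({}, restricted_roles="acl_locked")(_accepting_app)
    list(app(environ, lambda status, hdrs: seen.append(status)))
    return seen[0]
```

Ordinary container and object operations pass through untouched; only a PUT/POST on a container path that carries an ACL header from a locked role is refused.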
