[Openstack-operators] Swift ACL's together with Keystone (v3) integration

Wijngaarden, Pieter van pieter.van.wijngaarden at philips.com
Wed Apr 20 11:48:15 UTC 2016


Hi all,

I'm playing around with a Swift cluster (Liberty) and cannot get the Swift ACLs to work. My objective is to give users from one project (and thus Swift account?) selective access to specific containers in another project.

According to http://docs.openstack.org/developer/swift/middleware.html#keystoneauth, the swift/keystoneauth plugin should support cross-tenant (now cross-project) ACLs by setting the read-acl of a container to something like:

swift post <containername> --read-acl '<projectname>:<username>'

Using a project name instead of a UUID should be supported if all projects are in the default domain.

But if I set this for a user in a different project / different swift account, it doesn't seem to work. The last reference to Swift container ACLs from the archives is somewhere in 2011.

I have found a few Swift ACL examples / tutorials online, but they are all outdated or appear to use special / proprietary middleware. Does anybody have (or can anybody create) an example that is up-to-date for OpenStack Liberty or later, and shows container ACLs together with Keystone integration?

What I would like to do:
- I have a bunch of users and projects in Keystone, and thus a bunch of (automatically created) Swift accounts
- I would like to allow one specific user in a project (say project X) to access a container from a different project (Y)
- And/or, I would like to allow all users in project X to access one specific container in project Y.
Both these options should include listing the objects in the container, but exclude listing all containers in the other account.

I hope there is someone who can help, thanks a lot in advance!

With kind regards,
Pieter van Wijngaarden
System Architect
Digital Pathology Solutions
Philips Healthcare

Veenpluis 4-6, Building QY-2.006, 5684 PC Best
Tel: +31 6 2958 6736, Email: pieter.van.wijngaarden at philips.com
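
Added example, not part of the original message and not Swift's own code: a simplified Python model of how a `<project>:<user>` read ACL is matched against a Keystone identity, showing the default-domain condition for names, the `*` wildcard for "all users in project X", and why a container ACL never grants an account listing. The names `Identity`, `acl_grants` and `can_read`, the single `domain_id` per token, and the sample IDs are assumptions made for illustration.

```python
# Simplified model of a keystoneauth-style cross-project container ACL check.
# Hypothetical helper names; this is not the Swift middleware itself.
from collections import namedtuple

DEFAULT_DOMAIN = "default"  # assumed id of the default domain

Identity = namedtuple(
    "Identity", "user_id user_name project_id project_name domain_id")


def acl_grants(read_acl, ident, allow_names):
    """Return the ACL entry that matches the token's identity, or None."""
    entries = {e.strip() for e in read_acl.split(",")}
    # Referrer entries such as ".r:*" are not project:user grants.
    entries = {e for e in entries if e and not e.startswith(".")}
    projects = [ident.project_id, "*"]
    users = [ident.user_id, "*"]
    if allow_names:  # names are only honoured inside the default domain
        projects.append(ident.project_name)
        users.append(ident.user_name)
    for project in projects:
        for user in users:
            candidate = f"{project}:{user}"
            if candidate in entries:
                return candidate
    return None


def can_read(container, read_acl, ident, owner_domain_id):
    """Decide a GET against another project's account or container."""
    if container is None:
        return False  # account listing: container ACLs do not apply
    allow_names = (ident.domain_id == DEFAULT_DOMAIN
                   and owner_domain_id == DEFAULT_DOMAIN)
    return acl_grants(read_acl, ident, allow_names) is not None


# Constructed sample identity: user "alice" in project X.
alice = Identity("u-1111", "alice", "p-xxxx", "projectX", DEFAULT_DOMAIN)

if __name__ == "__main__":
    # Name-based entry, owning project Y in the default domain.
    print(can_read("slides", "projectX:alice", alice, DEFAULT_DOMAIN))
    # Same entry, owning project outside the default domain: no match.
    print(can_read("slides", "projectX:alice", alice, "d-other"))
    # ID-based entry matches regardless of domain.
    print(can_read("slides", "p-xxxx:u-1111", alice, "d-other"))
```

In this model an ID-based entry is the form that does not depend on domain placement, and the grantee has to address project Y's account directly, since the container is not in their own account.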




