[Openstack-operators] Swift ACL's together with Keystone (v3) integration

Saverio Proto zioproto at gmail.com
Tue May 3 10:44:11 UTC 2016

Hello Pieter,

I did run into the same problem today. Did you find pointers to more
up-to-date documentation? Were you able to configure the cross-tenant
read ACL?

Thank you


2016-04-20 13:48 GMT+02:00 Wijngaarden, Pieter van
<pieter.van.wijngaarden at philips.com>:
> Hi all,
> I’m playing around with a Swift cluster (Liberty) and cannot get the Swift
> ACLs to work. My objective is to give users from one project (and thus
> Swift account?) selective access to specific containers in another project.
> According to
> http://docs.openstack.org/developer/swift/middleware.html#keystoneauth, the
> swift/keystoneauth plugin should support cross-tenant (now cross-project)
> ACLs by setting the read-acl of a container to something like:
> swift post <containername> --read-acl '<projectname>:<username>'
> Using a project name instead of a UUID should be supported if all projects
> are in the default domain.
> But if I set this for a user in a different project / different swift
> account, it doesn’t seem to work. The last reference to Swift container
> ACLs from the archives is somewhere in 2011.
> I have found a few Swift ACL examples / tutorials online, but they are all
> outdated or appear to use special / proprietary middleware. Does anybody
> have (or can anybody create) an example that is up-to-date for OpenStack
> Liberty or later, and shows container ACLs together with Keystone
> integration?
> What I would like to do:
> - I have a bunch of users and projects in Keystone, and thus a bunch of
> (automatically created) Swift accounts
> - I would like to allow one specific user in a project (say project X) to
> access a container from a different project (Y)
> - And/or, I would like to allow all users in project X to access one
> specific container in project Y.
> Both these options should include listing the objects in the container, but
> exclude listing all containers in the other account.
> I hope there is someone who can help, thanks a lot in advance!
> With kind regards,
> Pieter van Wijngaarden
> System Architect
> Digital Pathology Solutions
> Philips Healthcare
> Veenpluis 4-6, Building QY-2.006, 5684 PC Best
> Tel: +31 6 2958 6736, Email: pieter.van.wijngaarden at philips.com

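As an added illustration (not part of the original messages and not Swift's own code), the following simplified Python model shows which `--read-acl` entries match a cross-project caller's Keystone identity, including the default-domain condition for names mentioned in the question. The IDs, the `Identity` class and the function names are constructed for the example, and the matching logic is an assumption modelled on the documented `<project>:<user>` ACL forms (ID, name or `*` on either side).

```python
# Simplified model (not Swift source): match a container read ACL
# against the Keystone identity of a caller from another project.
from dataclasses import dataclass

DEFAULT_DOMAIN = "default"


@dataclass
class Identity:
    project_id: str
    project_name: str
    user_id: str
    user_name: str
    project_domain_id: str = DEFAULT_DOMAIN
    user_domain_id: str = DEFAULT_DOMAIN


def parse_acl(acl):
    """Split an ACL string into referrer patterns (.r:...) and other grants."""
    referrers, grants = [], []
    for item in (acl or "").split(","):
        item = item.strip()
        if item.startswith(".r:"):
            referrers.append(item[3:])
        elif item:
            grants.append(item)
    return referrers, grants


def names_allowed(caller, account_domain_id):
    """Names are only unambiguous when everything is in the default domain."""
    return (caller.project_domain_id == DEFAULT_DOMAIN
            and caller.user_domain_id == DEFAULT_DOMAIN
            and account_domain_id == DEFAULT_DOMAIN)


def match_cross_project(acl, caller, account_domain_id=DEFAULT_DOMAIN):
    """Return the ACL entry that grants access to caller, or None."""
    _, grants = parse_acl(acl)
    projects, users = [caller.project_id, "*"], [caller.user_id, "*"]
    if names_allowed(caller, account_domain_id):
        projects.append(caller.project_name)
        users.append(caller.user_name)
    for project in projects:
        for user in users:
            if f"{project}:{user}" in grants:
                return f"{project}:{user}"
    return None


# Constructed sample identity: user "alice" in project X, default domain.
ALICE = Identity("1111aaaa", "projectX", "2222bbbb", "alice")
```

A container ACL covers that container only, so the caller has to address it through project Y's account URL rather than its own (for example with the swift client's `--os-storage-url` option). Listing the containers of project Y's account is not granted by it.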