[Openstack] [Keystone] [Swift] Keystone Tenant vs Swift Account

Juan J. Martínez juan at memset.com
Tue Jul 19 07:25:27 UTC 2011


On Mon, 2011-07-18 at 16:02 -0500, John Dickinson wrote:
> The security implications are tied to what credentials a user gets from the auth server you are using. The possibility is that a user could delete their own account (or even another user's account) or create new accounts. Disabling allow_account_management eliminates these issues by disabling the functionality.
> 
> There are no formal docs of this part of the API. It's quite simple though: PUT/POST/GET/HEAD/DELETE to /v1/"your account string"

That's up to your auth middleware, i.e. we have a super admin user,
account admins and per-container users with ro/rw permissions; and only
the super admin can get authenticated to run a PUT/DELETE request on an
account.

If you're going to deploy swift you probably will need to plug it into
your infrastructure: accounting, billing, monitoring, ... and of course
authentication/authorization.

Swift's architecture is perfect for that thanks to paste because you can
easily add any middleware you want to provide that "coupling".

It's a good feature that we can disable account creation though :)

Regards,

Juan

-- 
Juan J. Martinez
Development, MEMSET

mail: juan at memset.com
 web: http://www.memset.com/

Memset Ltd., registration number 4504980. 25 Frederick Sanger Road, Guildford, Surrey, GU2 7YD, UK.
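
The kind of paste-loaded middleware the message describes, as an added example that is not part of the original email and is not Swift's or Memset's code: a WSGI filter that only lets a super admin send PUT/DELETE to /v1/<account>. The `example.auth.role` environ key, the `super_admin_role` option and the role names are assumptions standing in for whatever an upstream auth middleware provides.

```python
# Added example: a plain WSGI filter, wired in through a paste filter_factory.
# The environ key "example.auth.role" and the role names are hypothetical; a
# real deployment would take them from its own auth middleware.
import re

# Matches /v1/<account> with an optional trailing slash, i.e. the account
# itself and not a container or object beneath it.
ACCOUNT_PATH = re.compile(r"^/v1/[^/]+/?$")
ACCOUNT_MGMT_METHODS = {"PUT", "DELETE"}


class AccountManagementGuard:
    def __init__(self, app, conf):
        self.app = app
        self.admin_role = conf.get("super_admin_role", "super_admin")

    def is_account_management(self, environ):
        method = environ.get("REQUEST_METHOD", "").upper()
        return method in ACCOUNT_MGMT_METHODS and bool(ACCOUNT_PATH.match(environ.get("PATH_INFO", "")))

    def __call__(self, environ, start_response):
        # Fail closed: a missing role is treated the same as a wrong one.
        if self.is_account_management(environ) and environ.get("example.auth.role") != self.admin_role:
            body = b"Account management requires the super admin role\n"
            start_response("403 Forbidden", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def filter_factory(global_conf, **local_conf):
    """paste.deploy entry point: returns a callable that wraps the next app."""
    return lambda app: AccountManagementGuard(app, local_conf)


def demo_status(method, path, role=None):
    """Run one constructed request through the guard and return its status."""
    seen = []
    def backend(environ, start_response):
        start_response("204 No Content", [])
        return [b""]
    guarded = filter_factory({})(backend)
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if role:
        environ["example.auth.role"] = role
    guarded(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

The filter has to sit after the middleware that sets the role in the pipeline, otherwise every account PUT/DELETE is refused.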




