[Openstack] Swift Object Storage ACLs with KeyStone

Chmouel Boudjnah chmouel at chmouel.com
Tue May 15 16:40:56 UTC 2012


This has already been filed, zhangjialong:

https://bugs.launchpad.net/keystone/+bug/999615

I am not very familiar with how Keystone RBAC works; AFAIK the current way
to do that with policy.json is going to go away in the future, right?

Chmouel.

On Tue, May 15, 2012 at 6:37 PM, Nguyen, Liem Manh <liem_m_nguyen at hp.com> wrote:

> Yeah, that is because the swift/keystone middleware checks for the
> tenantId to match the accountId in the URL path...  Perhaps, we should rely
> strictly on Swift ACL for granting access to a given Swift container, and
> rely on Keystone RBAC for what you can do with a given Swift account.
>
> BTW, we also ran into this issue before...  Has a bug/feature request been
> filed for this yet?  If not, I can file one.
>
> Thanks,
> Liem
>
> -----Original Message-----
> From: openstack-bounces+liem_m_nguyen=hp.com at lists.launchpad.net [mailto:
> openstack-bounces+liem_m_nguyen=hp.com at lists.launchpad.net] On Behalf Of
> Chmouel Boudjnah
> Sent: Tuesday, May 15, 2012 2:55 AM
> To: 张家龙
> Cc: openstack
> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>
> Hi,
>
> In swift+keystone you are not allowed to have ACLs between different
> accounts/tenants/projects; you can only have ACLs between different
> users in a tenant.
> This is probably not too difficult to implement, but it may
> need some tinkering to get it right. Please feel free to log a bug in
> keystone and we'll try to address that.
>
> Chmouel.
>
> On Sat, May 12, 2012 at 4:02 AM, 张家龙 <zhangjl at awcloud.com> wrote:
> > Vish ,
> >      Thank you for answering.
> >      Well, sorry, I don't understand what you said.
> >      Do you mean I have to do as follows when I set up ACLs:
> >
> >     curl -X PUT -i \
> >     -H "X-Auth-Token: <token of demo:demo>" \
> >     -H "X-Container-Read: <tenant_id:user_id>" \
> >
> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >
> >     Or other operations and settings?
> > ------------------
> > Best Regards
> >
> > ZhangJialong
> >
> >
> >
> > ------------------ Original ------------------
> > From:  "Vishvananda Ishaya"<vishvananda at gmail.com>;
> > Date:  Sat, May 12, 2012 03:03 AM
> > To:  "张家龙"<zhangjl at awcloud.com>;
> > Cc:  "openstack"<openstack at lists.launchpad.net>;
> > Subject:  Re: [Openstack] Swift Object Storage ACLs with KeyStone
> >
> > I'm not totally sure about this, but you might have to use the project_id
> > from keystone instead of the project_name when setting up acls. The same
> > may be true of user_id.
> >
> > Vish
> >
> > On Fri, May 11, 2012 at 12:51 AM, 张家龙 <zhangjl at awcloud.com> wrote:
> >>
> >>
> >> Hello, everyone.
> >>
> >>     I encountered some problems when I set permissions (ACLs) on
> >> OpenStack Swift containers.
> >>     I installed swift-1.4.8 (Essex) and use keystone-2012.1 as the
> >> authentication system on CentOS 6.2.
> >>
> >>     My swift proxy-server.conf and keystone.conf are here:
> >>     http://pastebin.com/dUnHjKSj
> >>
> >>     Then, I use the script named opensatck_essex_data.sh
> >> ( http://pastebin.com/LWGVZrK0 ) to initialize keystone.
> >>
> >>     After these operations, I got the tokens of demo:demo and
> >> newuser:newuser:
> >>
> >>     curl -s -H 'Content-type: application/json' \
> >>     -d '{"auth": {"tenantName": "demo", "passwordCredentials":
> >> {"username": "demo", "password": "admin"}}}' \
> >>     http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
> >>
> >>     curl -s -H 'Content-type: application/json' \
> >>     -d '{"auth": {"tenantName": "newuser", "passwordCredentials":
> >> {"username": "newuser", "password": "admin"}}}' \
> >>     http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
> >>
> >>     Then, enable read access for newuser:newuser:
> >>
> >>     curl -X PUT -i \
> >>     -H "X-Auth-Token: <token of demo:demo>" \
> >>     -H "X-Container-Read: newuser:newuser" \
> >>
> >> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >>
> >>     Check the permission of the container:
> >>
> >>     curl -k -v -H 'X-Auth-Token:<token of demo:demo>' \
> >>
> >> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >>
> >>     This is the reply of the operation:
> >>
> >>     HTTP/1.1 200 OK
> >>     X-Container-Object-Count: 1
> >>     X-Container-Read: newuser:newuser
> >>     X-Container-Bytes-Used: 2735
> >>     Accept-Ranges: bytes
> >>     Content-Length: 24
> >>     Content-Type: text/plain; charset=utf-8
> >>     Date: Fri, 11 May 2012 07:30:23 GMT
> >>
> >>     opensatck_essex_data.sh
> >>
> >>     Now, the user newuser:newuser visits the container of demo:demo:
> >>
> >>     curl -k -v -H 'X-Auth-Token:<token of newuser:newuser>' \
> >>
> >> http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >>
> >>     However, I got a 403 error. Can someone help me?
> >>
> >> ------------------
> >> Best Regards
> >>
> >> ZhangJialong
> >>
> >>
> >> _______________________________________________
> >> Mailing list: https://launchpad.net/~openstack
> >> Post to     : openstack at lists.launchpad.net
> >> Unsubscribe : https://launchpad.net/~openstack
> >> More help   : https://help.launchpad.net/ListHelp
> >>
> >
> >
> >
>
>
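The thread boils down to an ordering question in the swift/keystone middleware: the account in the URL (AUTH_<tenant_id>) is compared with the token's tenant before the container ACL is ever consulted, so an X-Container-Read entry naming a user from another tenant can never take effect. The following is an added example, written for this archive page and not code from any of the posters or from the Swift or Keystone projects. It is a small model of that decision order, with a switch that shows Liem's alternative of letting the ACL grant cross-tenant reads. Assumptions made for the model: the reseller prefix is AUTH_, the role names ResellerAdmin/admin/swiftoperator, ACL user entries take the tenant_name:user form seen in the thread's header, and the tenant id used for newuser is made up; the demo tenant id is the one from the thread's URL.

```python
# Added example: a model of the authorize() ordering discussed in the thread.
# Not the middleware's own code; role names, prefix and ACL entry form are
# assumptions stated in the lead-in.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

RESELLER_PREFIX = "AUTH_"                 # Swift default, assumed for the model
RESELLER_ADMIN_ROLE = "ResellerAdmin"     # assumed role names
OPERATOR_ROLES = ("admin", "swiftoperator")


@dataclass
class Identity:
    """What the middleware learns from a validated Keystone token."""
    tenant_id: str
    tenant_name: str
    user: str
    roles: List[str] = field(default_factory=list)


def split_path(path: str) -> Tuple[str, str, Optional[str], Optional[str]]:
    """'/v1/AUTH_<id>/cont/obj' -> (version, account, container, object)."""
    parts = path.strip("/").split("/", 3)
    if len(parts) < 2 or not all(parts[:2]):
        raise ValueError("not a Swift storage URL: %r" % path)
    parts += [None] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def parse_acl(acl: Optional[str]) -> Tuple[List[str], List[str]]:
    """Split an X-Container-Read value into referrer (.r:) and user/group entries."""
    referrers, groups = [], []
    for item in (acl or "").split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith(".r:"):
            referrers.append(item[3:])
        else:
            groups.append(item)
    return referrers, groups


def authorize(identity: Identity, method: str, path: str,
              container_read_acl: Optional[str] = None,
              cross_tenant_acls: bool = False) -> Optional[int]:
    """Return None when the request is allowed, otherwise the HTTP status to send.

    cross_tenant_acls=False reproduces the 403 reported in the thread;
    True models letting the container ACL grant reads across tenants.
    """
    try:
        _version, account, container, _obj = split_path(path)
    except ValueError:
        return 404

    if RESELLER_ADMIN_ROLE in identity.roles:
        return None                       # reseller admin: unconditional access

    # ACL user entries have the form tenant:user, as in the thread's header.
    _referrers, groups = parse_acl(container_read_acl)
    acl_user = "%s:%s" % (identity.tenant_name, identity.user)
    acl_grants_read = (container is not None and method in ("GET", "HEAD")
                       and acl_user in groups)

    # The check the thread is about: the token's tenant must own the account
    # in the URL.  Because it runs before the ACL is consulted, an ACL entry
    # naming a user from another tenant never gets a chance to apply.
    if account != RESELLER_PREFIX + identity.tenant_id:
        if cross_tenant_acls and acl_grants_read:
            return None
        return 403

    if acl_grants_read:
        return None                       # same-tenant user named in the ACL
    if any(role in identity.roles for role in OPERATOR_ROLES):
        return None                       # operator role on the owning tenant
    return 403


def thread_scenario() -> dict:
    """Replay the thread's requests against the model (constructed identities)."""
    demo_tenant = "f1723800c821453d9f22d42d1fbb334b"    # tenant id from the thread's URL
    path = "/v1/AUTH_%s/demodirc" % demo_tenant
    acl = "newuser:newuser"                             # the X-Container-Read that was set
    demo = Identity(demo_tenant, "demo", "demo", ["admin"])
    newuser = Identity("3b1f2e9c0d4a4c8e9f0a1b2c3d4e5f60",   # made-up tenant id
                       "newuser", "newuser", ["admin"])
    alice = Identity(demo_tenant, "demo", "alice", [])  # same tenant, no operator role
    return {
        "owner_get": authorize(demo, "GET", path, acl),
        "cross_tenant_get": authorize(newuser, "GET", path, acl),
        "cross_tenant_get_acl_honoured": authorize(newuser, "GET", path, acl,
                                                   cross_tenant_acls=True),
        "same_tenant_user_not_in_acl": authorize(alice, "GET", path, acl),
        "same_tenant_user_in_acl": authorize(alice, "GET", path, "demo:alice"),
        "same_tenant_user_put": authorize(alice, "PUT", path + "/obj", "demo:alice"),
    }


if __name__ == "__main__":
    for name, status in thread_scenario().items():
        print("%-32s %s" % (name, "allowed" if status is None else status))
```

Run stand-alone, the replay shows the owner allowed, newuser's GET denied with 403 despite being named in the ACL, and the same GET allowed once the ACL is evaluated before (or instead of) the tenant/account comparison; a same-tenant user without an operator role is allowed only for the read methods the ACL covers.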