[Openstack] [SWIFT] Account or User or Account_User?

Kun Huang Academicgareth at gmail.com
Wed Feb 20 17:54:24 UTC 2013


Hi, Adrian
That doesn't seem correct.

1st,
[image: Inline image 1]

2nd,


    def authorize(self, req):
        """
        Returns None if the request is authorized to continue or a standard
        WSGI response callable if not.
        """

        try:
            version, account, container, obj = req.split_path(1, 4, True)
        except ValueError:
            self.logger.increment('errors')
            return HTTPNotFound(request=req)
        if not account or not account.startswith(self.reseller_prefix):
            return self.denied_response(req)
        user_groups = (req.remote_user or '').split(',')
        if '.reseller_admin' in user_groups and \
                account != self.reseller_prefix and \
                account[len(self.reseller_prefix)] != '.':
            req.environ['swift_owner'] = True
            return None
        if account in user_groups and \
                (req.method not in ('DELETE', 'PUT') or container):
            # If the user is admin for the account and is not trying to do an
            # account DELETE or PUT...
            req.environ['swift_owner'] = True
            return None
        if (req.environ.get('swift_sync_key')
                and (req.environ['swift_sync_key'] ==
                     req.headers.get('x-container-sync-key', None))
                and 'x-timestamp' in req.headers):
            return None
        if req.method == 'OPTIONS':
            #allow OPTIONS requests to proceed as normal
            return None
        referrers, groups = parse_acl(getattr(req, 'acl', None))
        if referrer_allowed(req.referer, referrers):
            if obj or '.rlistings' in groups:
                return None
            return self.denied_response(req)
        if not req.remote_user:
            return self.denied_response(req)
        for user_group in user_groups:
            if user_group in groups:
                return None
        return self.denied_response(req)

The target code is here. No "X-Container-Read" header has ever been checked.

3rd, in http://docs.openstack.org/folsom/openstack-object-storage/admin/content/authentication-and-access-permissions.html,

"""Generally speaking, each user has their own storage account and has
full access to that account. Users must authenticate with their
credentials as described above, but once authenticated they can
create/delete containers and objects within that account. The only way
a user can access the content from another account is if they share an
API access key or a session token provided by your authentication
system."""

Does this paragraph tell us tester3(user) has access control for
test(account), but not other accounts?



On Wed, Feb 20, 2013 at 8:16 PM, Adrian Smith <adrian at 17od.com> wrote:

> Unless tester3 is given explicit permissions he can't do anything.
>
> To be of any use the 'test' user (who is an admin) would need to grant
> 'test3' read/write access to a container. Permissions are granted
> using the X-Container-Read and X-Container-Write headers on
> containers,
> http://docs.openstack.org/folsom/openstack-object-storage/admin/content/authentication-and-access-permissions.html
> .
>
> Adrian
>
> On 20 February 2013 05:34, Kun Huang <Academicgareth at gmail.com> wrote:
> > In tempauth of SAIO, what's the meaning of
> >
> > user_test_tester3 = testing3
> >
> > not account is test
> > tester3 is a user of that account, but tester3 is not admin or reseller
> > admin.
> > Could testers get (GET, HEAD) information from account:test?
> >
> > In the current code, the answer is no.
> >
> > I'm not sure what tester3 can do in this case.
> >
>
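As an added example (not code from this thread or from Swift itself), the following models the decision order of the authorize() quoted above with a simplified parse_acl/referrer_allowed, to show why a plain account user such as tester3 is denied until an X-Container-Read ACL names the user or the account. The group lists are assumed to be what tempauth assigns: the account name and account:user for every user, plus the AUTH_-prefixed account id only for admins; the `acl` argument stands for the container ACL the proxy attaches to the request.

```python
RESELLER_PREFIX = 'AUTH_'


def parse_acl(acl_string):
    """Split an ACL such as 'test:tester3,.r:*' into (referrer rules, groups).
    Simplified stand-in for swift.common.middleware.acl.parse_acl."""
    referrers, groups = [], []
    for item in (acl_string or '').split(','):
        item = item.strip()
        if item.startswith('.r:'):
            referrers.append(item[3:])
        elif item:
            groups.append(item)
    return referrers, groups


def referrer_allowed(referer_host, referrers):
    """Simplified referrer check: '*' or an exact host allows, '-host' denies.
    Swift's real version also matches domain suffixes."""
    allowed = False
    for rule in referrers:
        if rule == '*' or rule == referer_host:
            allowed = True
        elif rule.startswith('-') and rule[1:] == referer_host:
            return False
    return allowed


def authorize(method, path, user_groups, acl=None, referer_host=None):
    """Return True if the request would be allowed, following the order of
    checks in tempauth's authorize(): reseller admin, account owner, ACL."""
    parts = path.strip('/').split('/', 3)
    if len(parts) < 2:
        return False  # HTTPNotFound in the original
    account = parts[1]
    container = parts[2] if len(parts) > 2 else None
    obj = parts[3] if len(parts) > 3 else None
    if not account.startswith(RESELLER_PREFIX):
        return False
    if '.reseller_admin' in user_groups and account != RESELLER_PREFIX \
            and account[len(RESELLER_PREFIX)] != '.':
        return True
    # Account admins hold the AUTH_ account id as a group; they may do
    # anything except an account-level DELETE or PUT.
    if account in user_groups and (method not in ('DELETE', 'PUT') or container):
        return True
    referrers, groups = parse_acl(acl)
    if referrer_allowed(referer_host, referrers):
        return bool(obj or '.rlistings' in groups)
    # Only here does X-Container-Read/Write content matter for normal users.
    return any(group in groups for group in user_groups)
```

Calling `authorize('GET', '/v1/AUTH_test/c', ['test', 'test:tester3'])` returns False, while the same call with `acl='test:tester3'` or `acl='test'` returns True.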

