[Openstack] Swift Object Storage ACLs with KeyStone

Kuo Hugo tonytkdk at gmail.com
Tue Nov 12 17:26:26 UTC 2013


Hi

From my point of view, there may be two potential problems.

1. The read ACL does not allow listing objects in a container by default,
and your request is for retrieving the object list of a container, though.

2. For Keystone, I think the value of the ACL header should be the username
instead of username:tenant-name.

For reference : http://docs.openstack.org/developer/swift/misc.html#acls

Perhaps I can test it tomorrow morning.


+Hugo Kuo+
(+886) 935004793
SwiftStack Inc.


2013/11/13 <thorfinn at poivron.org>

> Hi all,
>
> I use Openstack Havana (Storage + Identity)
>
> I encountered some problems when I set permissions (ACLs) on Openstack
> Swift containers.
>
> My swift proxy-server.conf is here:
>      http://pastebin.com/0hpfebNp
>
> My keystone.conf is here:
>     http://pastebin.com/VUGYbcM5
>
> I have the token of test1:test1 and test2:test2
>
> curl -s -H 'Content-type: application/json' \
>  -d '{"auth": {"tenantName": "test1", "passwordCredentials":
>  {"username": "test1", "password": "test1"}}}' \
>  http://192.168.3.100:5000/v2.0/tokens | python -mjson.tool
>
>
> curl -s -H 'Content-type: application/json' \
>  -d '{"auth": {"tenantName": "test2", "passwordCredentials":
>  {"username": "test2", "password": "test2"}}}' \
>  http://192.168.3.100:5000/v2.0/tokens | python -mjson.tool
>
> Then, enable read access to test2:test2
>
> curl -i -X PUT -H "X-Auth-Token: $tokenTest1" \
>  -H "X-Container-Read:test2:test2" \
>  -H "X-Container-Write: test2:test2" \
>  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>
> Check the permission of the container:
>
> curl -k -v -H "X-Auth-Token:$tokenTest1" \
>  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>
> This is the reply of the operation:
> HTTP/1.1 204 No Content
> < Content-Length: 0
> < X-Container-Object-Count: 0
> < X-Container-Write: test2:test2
> < Accept-Ranges: bytes
> < X-Timestamp: 1384268871.16508
> < X-Container-Read: test2:test2
> < X-Container-Bytes-Used: 0
> < Content-Type: text/html; charset=UTF-8
> < Date: Tue, 12 Nov 2013 16:30:16 GMT
>
> Now, the user test2:test2 visits the container of test1:test1
>
> curl -k -v -H 'X-Auth-Token:$tokenTest2' \
>  http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo
>
> < HTTP/1.1 403 Forbidden
> < Content-Length: 73
> < Content-Type: text/html; charset=UTF-8
> < Date: Tue, 12 Nov 2013 16:34:24 GMT
> < Connection: close
> <
> * Closing connection 0
> <html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>
>
> But I got a 403 error. Can someone help me?
>
>
> Best Regards
>
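
Added example (not part of the original thread and not Swift's own code): a simplified Python sketch of how an X-Container-Read value splits into referrer elements and group/user elements, showing that a referrer grant such as .r:* permits object reads but not container listings unless .rlistings is also present. The function names and the identity strings passed to identity_matches are assumptions; which strings a Keystone-backed proxy actually compares against the ACL is decided by its auth middleware.

```python
from urllib.parse import urlparse


def parse_acl(value):
    """Split an ACL header value into (referrers, groups)."""
    referrers, groups = [], []
    for raw in (value or "").split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith(".r:"):
            referrers.append(item[3:].strip().lower())
        else:
            groups.append(item)  # user/group elements and .rlistings
    return referrers, groups


def referrer_allowed(referer, referrers):
    """Later entries override earlier ones; a leading '-' denies."""
    host = (urlparse(referer or "").hostname or "unknown").lower()
    allowed = False
    for entry in referrers:
        negate = entry.startswith("-")
        pattern = entry[1:] if negate else entry
        if pattern in ("*", host) or (pattern.startswith(".") and host.endswith(pattern)):
            allowed = not negate
    return allowed


def public_read_allowed(acl_value, referer, is_listing):
    """Referrer-based read: a listing additionally needs .rlistings."""
    referrers, groups = parse_acl(acl_value)
    if not referrer_allowed(referer, referrers):
        return False
    return (not is_listing) or ".rlistings" in groups


def identity_matches(acl_value, identities):
    """True if any caller identity string (assumed input) is in the ACL."""
    _, groups = parse_acl(acl_value)
    return any(identity in groups for identity in identities)


if __name__ == "__main__":
    # Constructed inputs based on the header values shown in the thread.
    print(parse_acl("test2:test2"))
    print(public_read_allowed(".r:*", "http://example.com/", is_listing=True))
    print(public_read_allowed(".r:*,.rlistings", "http://example.com/", is_listing=True))
    print(identity_matches("test2:test2", {"test2"}))
```
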