[Openstack] Swift Object Storage ACLs with KeyStone

thorfinn at poivron.org thorfinn at poivron.org
Wed Nov 13 10:01:22 UTC 2013


This syntax is correct:

curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: *:*" \
  -H "X-Container-Write: *:*" \
  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo

curl -i -X GET -H "X-Auth-Token: $tokenTest2" \
  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 0
Accept-Ranges: bytes
X-Timestamp: 1384268871.16508
X-Container-Bytes-Used: 0
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Nov 2013 09:42:33 GMT
Connection: close

I don't understand why, but today it is OK for me.

curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-container-Read: test2:test2" \
  -H "X-Container-Write: test2:test2" \
  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo

curl -i -X GET -H "X-Auth-Token: $tokenTest1" \
  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 0
X-Container-Write: test2:test2
Accept-Ranges: bytes
X-Timestamp: 1384268871.16508
X-Container-Read: test2:test2
X-Container-Bytes-Used: 0
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Nov 2013 09:58:09 GMT
Connection: close

curl -i -X GET -H "X-Auth-Token: $tokenTest2" \
  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 0
Accept-Ranges: bytes
X-Timestamp: 1384268871.16508
X-Container-Bytes-Used: 0
Content-Type: text/html; charset=UTF-8
Date: Wed, 13 Nov 2013 09:56:55 GMT
Connection: close

Thank you for your help.

On 2013-11-13 10:31, thorfinn at poivron.org wrote:
> @Dheerendra:
> the correct IP address is 192.168.3.100. It was a mistake. Same problem
> with the correct IP address.
>
> @Kuo Hugo:
> I don't understand the item 1.
>
> On the item 2:
>
> curl -i -X POST -H "X-Auth-Token: $tokenTest1" \
>   -H "X-Container-Read:test2" -H "X-Container-Write: test2" \
>   http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 08:55:57 GMT
> Connection: close
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest1" \
>   http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> X-Container-Write: test2
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
> X-Container-Read: test2
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 08:56:00 GMT
> Connection: close
>
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest2" \
>   http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 403 Forbidden
> Content-Length: 73
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 08:56:18 GMT
> Connection: close
>
> Same problem. Can you test this please?
>
>
>
> On 2013-11-12 18:26, Kuo Hugo wrote:
>> Hi 
>>
>> From my point of view, there may be two potential problems.
>>
>> 1. The read ACL does not allow listing objects in a container by
>> default, and your request is for retrieving the object list of a
>> container, though.
>>
>> 2. For Keystone, I think the value of ACL header should be the
>> username instead of username:tenant-name. 
>>
>> For reference
>> http://docs.openstack.org/developer/swift/misc.html#acls [11]
>>
>> Perhaps I can test it tomorrow morning. 
>>
>> +Hugo Kuo+
>> (+886) 935004793
>>
>> SwiftStack Inc.
>>
>> 2013/11/13 <thorfinn at poivron.org [12]>
>>
>>> Hi all,
>>>
>>> I use Openstack Havana (Storage + Identity)
>>>
>>> I encountered some problems when I set permissions (ACLs) on
>>> Openstack Swift containers.
>>>
>>> My swift proxy-server.conf is here:
>>>      http://pastebin.com/0hpfebNp [1]
>>>
>>> My keystone.conf is here:
>>>     http://pastebin.com/VUGYbcM5 [2]
>>>
>>> I have the token of test1:test1 and test2:test2
>>>
>>> curl -s -H 'Content-type: application/json'
>>>  -d '{"auth": {"tenantName": "test1", "passwordCredentials":
>>>  {"username": "test1", "password": "test1"}}}'
>>>  http://192.168.3.100:5000/v2.0/tokens [3] | python -mjson.tool
>>>
>>> curl -s -H 'Content-type: application/json'
>>>  -d '{"auth": {"tenantName": "test2", "passwordCredentials":
>>>  {"username": "test2", "password": "test2"}}}'
>>>  http://192.168.3.100:5000/v2.0/tokens [4] | python -mjson.tool
>>>
>>> Then, enable read access for test2:test2
>>>
>>> curl -i -X PUT -H "X-Auth-Token: $tokenTest1"
>>>  -H "X-Container-Read:test2:test2"
>>>  -H "X-Container-Write: test2:test2"
>>>  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo [5]
>>>
>>> Check the permission of the container:
>>>
>>> curl -k -v -H "X-Auth-Token:$tokenTest1"
>>>  http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo [6]
>>>
>>> This is the reply of the operation:
>>> HTTP/1.1 204 No Content
>>> < Content-Length: 0
>>> < X-Container-Object-Count: 0
>>> < X-Container-Write: test2:test2
>>> < Accept-Ranges: bytes
>>> < X-Timestamp: 1384268871.16508
>>> < X-Container-Read: test2:test2
>>> < X-Container-Bytes-Used: 0
>>> < Content-Type: text/html; charset=UTF-8
>>> < Date: Tue, 12 Nov 2013 16:30:16 GMT
>>>
>>> Now, the user test2:test2 visits the container of test1:test1
>>>
>>> curl -k -v -H 'X-Auth-Token:$tokenTest2'
>>>  http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo [7]
>>>
>>> < HTTP/1.1 403 Forbidden
>>> < Content-Length: 73
>>> < Content-Type: text/html; charset=UTF-8
>>> < Date: Tue, 12 Nov 2013 16:34:24 GMT
>>> < Connection: close
>>> <
>>> * Closing connection 0
>>> <html><h1>Forbidden</h1><p>Access was denied to this
>>> resource.</p></html>
>>>
>>> However, I got a 403 error. Can someone help me?
>>>
>>> Best Regards
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [8]
>>> Post to     : openstack at lists.openstack.org [9]
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [10]
>>
>>
>>
>> Links:
>> ------
>> [1] http://pastebin.com/0hpfebNp
>> [2] http://pastebin.com/VUGYbcM5
>> [3] http://192.168.3.100:5000/v2.0/tokens
>> [4] http://192.168.3.100:5000/v2.0/tokens
>> [5] http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> [6] http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> [7] http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo
>> [8] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> [9] mailto:openstack at lists.openstack.org
>> [10] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>> [11] http://docs.openstack.org/developer/swift/misc.html#acls
>> [12] mailto:thorfinn at poivron.org
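
An added example (not part of the original thread and not Swift's own code): a simplified Python model of how Keystone-style container ACL items are matched, run over the three ACL values tried in the thread. It assumes the element forms in Swift's ACL documentation (`tenant:user` with `*` allowed on either side, or a bare role name), matches names as well as IDs as in this Keystone v2.0 setup, and uses constructed placeholder IDs and a constructed `Member` role for test2.

```python
# Simplified model of Keystone-style container ACL matching (not Swift's code).
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    tenant_id: str
    tenant_name: str
    user_id: str
    user_name: str
    roles: frozenset = frozenset()


def parse_acl(header_value):
    """Split a comma-separated ACL header; skip referrer items (.r:, .rlistings)."""
    items = [i.strip() for i in (header_value or "").split(",")]
    return [i for i in items if i and not i.startswith(".")]


def match_acl(identity, header_value):
    """Return the first ACL item that grants access to identity, or None."""
    tenants = {identity.tenant_id, identity.tenant_name, "*"}
    users = {identity.user_id, identity.user_name, "*"}
    roles = {r.lower() for r in identity.roles}
    for item in parse_acl(header_value):
        if ":" in item:
            tenant, user = item.split(":", 1)
            if tenant in tenants and user in users:
                return item
        elif item.lower() in roles:
            # A bare item is compared against role names, not user names.
            return item
    return None


def audit(header_value):
    """Return the items that grant access to every authenticated user."""
    return [i for i in parse_acl(header_value) if i == "*:*"]


# Constructed identity for the thread's second user; the IDs are placeholders.
TEST2 = Identity("tenant-id-2", "test2", "user-id-2", "test2",
                 frozenset({"Member"}))
```

In this model a bare `test2` is only compared against role names, so it grants nothing to a user who merely has that user name, while `*:*` matches any identity holding a valid token and is the item `audit()` reports.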
