[Openstack] [Swift] Access control using keystoneauth - new user can create container by default

Jake Kugel jkugel at us.ibm.com
Wed Jan 14 16:40:39 UTC 2015


Hello,

I am just beginning to learn Swift, and had a question about how access 
control using keystoneauth works.  I noticed that the documentation here 
[1] says that:

"By default the only users able to perform operations (e.g. create a 
container) on an account are those having a Keystone role for the 
corresponding Keystone project that matches one of the roles specified in 
the operator_roles option."

However I have built two Swift test clusters using Swift 2.2.0, one using 
Icehouse Keystone and one with Juno Keystone, and in both cases I can 
create a new user and tenant with no special role, and this new user and 
tenant is able to create new containers by default.  Do I have things 
configured incorrectly?  Here is the keystone section of 
/etc/swift/proxy-server.conf:

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache

-Jake

[1]  http://docs.openstack.org/developer/swift/overview_auth.html
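
Added example (not part of the original message and not Swift's own code): a simplified Python model of the operator_roles rule quoted from the documentation, together with keystoneauth's legacy is_admin option, which the Swift documentation describes as elevating a user whose name equals the project name to operator-level rights. The user, project and role names below are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed sample: the [filter:keystone] section as posted in the message.
POSTED_CONF = """
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache
"""


def load_filter(conf_text, section="filter:keystone"):
    """Return (operator_roles as a lowercased set, is_admin as a bool)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp[section]
    raw = sec.get("operator_roles", "")
    roles = {r.strip().lower() for r in raw.split(",") if r.strip()}
    return roles, sec.getboolean("is_admin", fallback=False)


def owner_reason(conf_text, user_name, tenant_name, user_roles):
    """Say why a user is treated as account owner, or return None.

    Simplified model (assumption): role names are compared
    case-insensitively and only these two rules are considered.
    """
    operator_roles, is_admin = load_filter(conf_text)
    matched = operator_roles & {r.lower() for r in user_roles}
    if matched:
        return "operator role: " + ", ".join(sorted(matched))
    # Legacy option: compares names, not IDs, and ignores operator_roles.
    if is_admin and user_name == tenant_name:
        return "is_admin: user name equals project name"
    return None


if __name__ == "__main__":
    hardened = POSTED_CONF.replace("is_admin = true", "is_admin = false")
    cases = [("demo", "demo", ["_member_"]),       # same name, no operator role
             ("alice", "demo", ["_member_"]),      # different name, no operator role
             ("alice", "demo", ["SwiftOperator"])]  # holds an operator role
    for label, conf in (("posted", POSTED_CONF), ("is_admin=false", hardened)):
        for user, tenant, roles in cases:
            print(label, user, tenant, roles, "->",
                  owner_reason(conf, user, tenant, roles))
```

With the posted section, only the case where the user name equals the project name gains owner rights without an operator role; setting is_admin = false removes that path.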





