[Openstack] [Swift] Access control using keystoneauth - new user can create container by default
Jake Kugel
jkugel at us.ibm.com
Wed Jan 14 16:40:39 UTC 2015
Hello,
I am just beginning to learn Swift, and had a question about how access
control using keystoneauth works. I noticed that the documentation here
[1] says that:
"By default the only users able to perform operations (e.g. create a
container) on an account are those having a Keystone role for the
corresponding Keystone project that matches one of the roles specified in
the operator_roles option."
However I have built two Swift test clusters using Swift 2.2.0, one using
Icehouse Keystone and one with Juno Keystone, and in both cases I can
create a new user and tenant with no special role, and this new user and
tenant is able to create new containers by default. Do I have things
configured incorrectly? Here is the keystone section of
/etc/swift/proxy-server.conf:
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache
-Jake
[1] http://docs.openstack.org/developer/swift/overview_auth.html
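
An added example, not part of the original message and not Swift's own code: a simplified Python model of the two settings in the posted [filter:keystone] section that can grant account-owner rights, showing which identities they cover. It assumes the behaviour given in Swift's keystoneauth documentation, where is_admin = true elevates a user whose user name equals the project name; reseller_admin_role and container ACLs are left out. The user names, project names and the _member_ role are constructed sample values.

```python
import configparser

# The [filter:keystone] section as posted in the message above.
POSTED_CONF = """\
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache
"""

# Strings accepted as "true" for a boolean option (assumed to match Swift).
TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}


def load_filter(conf_text, section="filter:keystone"):
    """Parse the filter section into the two settings modelled here."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    sec = parser[section]
    roles = sec.get("operator_roles", "admin, swiftoperator")
    return {
        # Role names are compared case-insensitively.
        "operator_roles": {r.strip().lower() for r in roles.split(",") if r.strip()},
        "is_admin": sec.get("is_admin", "false").strip().lower() in TRUE_VALUES,
    }


def owner_reason(conf, user_name, project_name, user_roles):
    """Return why the user is treated as account owner, or None if not."""
    held = {r.lower() for r in user_roles}
    matched = sorted(held & conf["operator_roles"])
    if matched:
        return "operator_role:" + matched[0]
    # is_admin compares names, not IDs, and ignores which role is held.
    if conf["is_admin"] and user_name == project_name:
        return "is_admin:name_match"
    return None


if __name__ == "__main__":
    conf = load_filter(POSTED_CONF)
    # Constructed identities: (user name, project name, roles on the project).
    for ident in [("demo", "demo", ["_member_"]),
                  ("alice", "demo", ["_member_"]),
                  ("bob", "demo", ["SwiftOperator"])]:
        print(ident, "->", owner_reason(conf, *ident))
```

Running it against a real proxy-server.conf only needs the file's text passed to load_filter in place of POSTED_CONF.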