[Openstack] [Swift] Access control using keystoneauth - new user can create container by default

Jake Kugel jkugel at us.ibm.com
Wed Jan 21 19:07:18 UTC 2015


I found out what I had done that caused the behavior in the original note, 
posting here for reference.

In my proxy-server.conf file I had setting 'is_admin = true' in the 
filter:keystone section, which I didn't realize will grant swift operator 
privileges to any user whose name matches its tenant name.  And in each 
test I was creating a new tenant and new user with the same name, so I 
would always see new users be given swift operator privileges.

When I created a user with a name different than its tenant, then I was 
given unauthorized error as expected.

-Jake

Jake Kugel/Rochester/IBM at IBMUS wrote on 01/14/2015 10:40:39 AM:

> From: Jake Kugel/Rochester/IBM at IBMUS
> To: openstack at lists.openstack.org
> Date: 01/14/2015 10:53 AM
> Subject: [Openstack] [Swift] Access control using keystoneauth - new
> user can create container by default
> 
> Hello,
> 
> I am just beginning to learn Swift, and had a question about how access 
> control using keystoneauth works.  I noticed that the documentation here 
> [1] says that:
> 
> "By default the only users able to perform operations (e.g. create a 
> container) on an account are those having a Keystone role for the 
> corresponding Keystone project that matches one of the roles specified 
> in the operator_roles option."
> 
> However I have built two Swift test clusters using Swift 2.2.0, one 
> using Icehouse Keystone and one with Juno Keystone, and in both cases I 
> can create a new user and tenant with no special role, and this new user 
> and tenant is able to create new containers by default.  Do I have things 
> configured incorrectly?  Here is the keystone section of 
> /etc/swift/proxy-server.conf:
> 
> [filter:keystone]
> use = egg:swift#keystoneauth
> operator_roles = admin, SwiftOperator
> is_admin = true
> cache = swift.cache
> 
> -Jake
> 
> [1]  http://docs.openstack.org/developer/swift/overview_auth.html
> 
> 
> 
> 
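The decision Jake describes, as an added worked example that is not part of the thread and not Swift's own keystoneauth code: a small model of how the keystoneauth filter turns the `[filter:keystone]` settings plus the token identity into a "swift_owner" grant. The two config fragments are constructed (the weak one is the thread's, the second flips `is_admin` off), the identities are constructed sample data, and the `AUTH_` reseller prefix and the helper names are assumptions for the illustration.

```python
"""Model of the swift keystoneauth operator decision for the two configs
discussed in the thread. Added illustration, not Swift's own code; the
config fragments and identity dicts below are constructed sample data."""
import configparser
from typing import Dict

# Constructed proxy-server.conf fragments: the thread's weak setting and the
# corrected one with the is_admin shortcut turned off.
WEAK_CONF = """
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache
"""

FIXED_CONF = """
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = false
cache = swift.cache
"""

# Strings Swift treats as "true" for boolean options (assumed to mirror
# swift.common.utils.config_true_value).
TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}


def load_keystone_filter(conf_text: str) -> dict:
    """Parse the [filter:keystone] section the way keystoneauth reads it:
    operator_roles is a comma-separated list compared case-insensitively and
    is_admin is a boolean flag. reseller_prefix is assumed to be the default."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = cp["filter:keystone"]
    raw_roles = section.get("operator_roles", "admin, swiftoperator")
    roles = [r.strip().lower() for r in raw_roles.split(",") if r.strip()]
    is_admin = section.get("is_admin", "false").strip().lower() in TRUE_VALUES
    return {"operator_roles": roles, "is_admin": is_admin, "reseller_prefix": "AUTH_"}


def is_swift_owner(conf: dict, identity: dict, account: str) -> bool:
    """Decide whether a request gets swift_owner (full control of the account).

    identity stands in for the token data auth_token hands to keystoneauth:
    tenant id and name, user name, and the roles held on that tenant.
    """
    # 1. The account being accessed must belong to the token's tenant.
    if account != conf["reseller_prefix"] + identity["tenant_id"]:
        return False
    # 2. Any role listed in operator_roles grants operator rights.
    if any(r.lower() in conf["operator_roles"] for r in identity["roles"]):
        return True
    # 3. The is_admin shortcut: a user whose name equals its tenant name is an
    #    operator even with no role at all. This is what made the freshly
    #    created same-named user/tenant pairs in the thread account owners.
    if conf["is_admin"] and identity["user_name"] == identity["tenant_name"]:
        return True
    return False


# Constructed identities standing in for the thread's test users.
SAME_NAME_NO_ROLE = {"tenant_id": "1234", "tenant_name": "jakeproj",
                     "user_name": "jakeproj", "roles": []}
OTHER_NAME_NO_ROLE = {"tenant_id": "1234", "tenant_name": "jakeproj",
                      "user_name": "alice", "roles": []}
OPERATOR = {"tenant_id": "1234", "tenant_name": "jakeproj",
            "user_name": "bob", "roles": ["SwiftOperator"]}


def decisions(conf_text: str) -> Dict[str, bool]:
    """Run the three identities against one config and report who is owner."""
    conf = load_keystone_filter(conf_text)
    account = "AUTH_1234"
    return {
        "same_name_no_role": is_swift_owner(conf, SAME_NAME_NO_ROLE, account),
        "other_name_no_role": is_swift_owner(conf, OTHER_NAME_NO_ROLE, account),
        "operator_role": is_swift_owner(conf, OPERATOR, account),
        "operator_wrong_account": is_swift_owner(conf, OPERATOR, "AUTH_9999"),
    }


if __name__ == "__main__":
    for label, text in (("is_admin = true", WEAK_CONF), ("is_admin = false", FIXED_CONF)):
        print(label, decisions(text))
```

With `is_admin = true` the role-less user whose name matches its tenant is granted owner; with `is_admin = false` only the `SwiftOperator` holder is, which is the behaviour the quoted documentation describes. The account check in step 1 is why an operator token for one tenant still cannot touch another tenant's `AUTH_` account.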