[Openstack] [Swift] Access control using keystoneauth - new user can create container by default
Jake Kugel
jkugel at us.ibm.com
Wed Jan 21 19:07:18 UTC 2015
I found out what I had done that caused the behavior in original note,
posting here for reference.
In my proxy-server.conf file I had the setting 'is_admin = true' in the
filter:keystone section, which I didn't realize would grant swift operator
privileges to any user whose name matches its tenant name. And in each
test I was creating a new tenant and new user with the same name, so I
would always see new users be given swift operator privileges.
When I created a user with a name different from its tenant, then I was
given an unauthorized error as expected.
-Jake
Jake Kugel/Rochester/IBM at IBMUS wrote on 01/14/2015 10:40:39 AM:
> From: Jake Kugel/Rochester/IBM at IBMUS
> To: openstack at lists.openstack.org
> Date: 01/14/2015 10:53 AM
> Subject: [Openstack] [Swift] Access control using keystoneauth - new
> user can create container by default
>
> Hello,
>
> I am just beginning to learn Swift, and had a question about how access
> control using keystoneauth works. I noticed that the documentation here
> [1] says that:
>
> "By default the only users able to perform operations (e.g. create a
> container) on an account are those having a Keystone role for the
> corresponding Keystone project that matches one of the roles specified
> in the operator_roles option."
>
> However I have built two Swift test clusters using Swift 2.2.0, one
> using Icehouse Keystone and one with Juno Keystone, and in both cases I can
> create a new user and tenant with no special role, and this new user and
> tenant is able to create new containers by default. Do I have things
> configured incorrectly? Here is the keystone section of
> /etc/swift/proxy-server.conf:
>
> [filter:keystone]
> use = egg:swift#keystoneauth
> operator_roles = admin, SwiftOperator
> is_admin = true
> cache = swift.cache
>
> -Jake
>
> [1] http://docs.openstack.org/developer/swift/overview_auth.html
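The following is an added illustration, not code from this thread or from Swift's own keystoneauth middleware. It models the two ways the thread says a user ends up with operator rights on an account (holding one of the operator_roles on the matching project, or, with the legacy is_admin = true option, simply having a user name equal to the tenant name) and audits a proxy-server.conf [filter:keystone] section for that option. The names KeystoneAuthConfig, TokenInfo, load_config, is_operator and audit_config, and the sample tokens, are assumptions made for the example; the config text is the one quoted in the original note.

```python
"""Model of the keystoneauth operator decision described in the thread.

Illustrative re-implementation (assumed names, not Swift's source): the
access decision only considers what the thread states, namely
operator_roles membership and the legacy is_admin name-matching rule.
"""
import configparser
from dataclasses import dataclass, field

# Config snippet quoted in the original note.
SAMPLE_CONF = """
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache
"""


@dataclass
class KeystoneAuthConfig:
    operator_roles: set = field(default_factory=lambda: {"admin", "swiftoperator"})
    is_admin: bool = False


@dataclass
class TokenInfo:
    """Subset of the identity attributes a validated token carries (assumed)."""
    user_name: str
    tenant_name: str
    tenant_id: str
    roles: set


def load_config(conf_text):
    """Parse the [filter:keystone] section into a KeystoneAuthConfig."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["filter:keystone"]
    raw_roles = sec.get("operator_roles", "admin, swiftoperator")
    roles = {r.strip().lower() for r in raw_roles.split(",") if r.strip()}
    return KeystoneAuthConfig(operator_roles=roles,
                              is_admin=sec.getboolean("is_admin", fallback=False))


def is_operator(cfg, token, account_tenant_id):
    """Decide whether `token` gets operator rights on the account of `account_tenant_id`."""
    # A token grants rights only on the account that belongs to its own project.
    if token.tenant_id != account_tenant_id:
        return False
    # Normal path: one of the configured operator roles on that project.
    if {r.lower() for r in token.roles} & cfg.operator_roles:
        return True
    # Legacy path the thread ran into: is_admin plus user name == tenant name.
    return cfg.is_admin and token.user_name == token.tenant_name


def audit_config(conf_text):
    """Return the findings a reviewer of proxy-server.conf would flag."""
    cfg = load_config(conf_text)
    findings = []
    if cfg.is_admin:
        findings.append("is_admin = true: any user whose name equals its tenant "
                        "name is granted operator rights without an operator role")
    return findings


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONF)
    # Constructed tokens: same-name user/tenant with no roles, as in the tests
    # from the note, and a differently named user in the same tenant.
    same_name = TokenInfo("acme", "acme", "tenant-1", set())
    other_name = TokenInfo("alice", "acme", "tenant-1", set())
    print("same-name user, is_admin=true ->", is_operator(cfg, same_name, "tenant-1"))
    print("other user,     is_admin=true ->", is_operator(cfg, other_name, "tenant-1"))
    for f in audit_config(SAMPLE_CONF):
        print("finding:", f)
```

Running the block with the quoted config reproduces the note's observation: the same-name user is an operator with no role at all, while a differently named user in the same tenant is refused; removing is_admin (or setting it to false) makes the same-name user depend on operator_roles like everyone else.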