Using OpenStack Object Storage ACLs

Access Control Lists (ACLs) allow us to have greater control over individual objects and containers without requiring full read/write access to a particular container. With ACLs you can expose containers globally or restrict to individual tenants and users.

Getting started

Log in to a computer that has the keystone and swift clients available.

How to achieve it…

Carry out the following steps:

We will first create an account in our OpenStack Identity Server that is only a Member of the cookbook tenant. We will call this user "user".

export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

# First get the TENANT_ID of our 'cookbook' tenant
TENANT_ID=$(keystone tenant-list \
  | awk ' / cookbook / {print $2}')

# We then create the user, specifying the TENANT_ID
keystone user-create \
  --name user \
  --tenant_id $TENANT_ID \
  --pass openstack \
  --email user@localhost \
  --enabled true

# We get this new user's ID
USER_ID=$(keystone user-list | awk ' / user / {print $2}')

# We get the ID of the 'Member' role
ROLE_ID=$(keystone role-list \
  | awk ' / Member / {print $2}')

# Finally, add the user to the 'Member' role in the cookbook tenant
keystone user-role-add \
  --user $USER_ID \
  --role $ROLE_ID \
  --tenant_id $TENANT_ID

With our new user created, we will now create a container using a user that has admin privileges (and therefore a container that our new user initially doesn’t have access to), as follows:

swift -V 2.0 -A http://${ENDPOINT}:5000/v2.0 \
  -U cookbook:admin -K openstack post testACL

We will then set this container to be Read-Only for our user named user, as follows:

swift -V 2.0 -A http://${ENDPOINT}:5000/v2.0 \
  -U cookbook:admin -K openstack post -r user testACL

We will try to upload a file to this container using our new user, as follows:

swift -V 2.0 -A http://${ENDPOINT}:5000/v2.0 \
  -U cookbook:user -K openstack upload testACL \
  /tmp/test/test1

This brings back an HTTP 403 Forbidden message similar to the following:

Object HEAD failed: b/testACL/tmp/test/test1 403 Forbidden

We will now also give our user write access to the testACL container, keeping the read access we granted above:

swift -V 2.0 -A http://${ENDPOINT}:5000/v2.0 \
  -U cookbook:admin -K openstack post -w user -r user \
  testACL

When we repeat the upload of the file, it now succeeds:

swift -V 2.0 -A http://${ENDPOINT}:5000/v2.0 \
  -U cookbook:user -K openstack upload testACL \
  /tmp/test/test1

How it works…

Access control is granted per container and at the user level. When a user creates a container, other users can be granted access to it by adding them to the container's ACLs: -r grants read access and -w grants write access, for example:

swift -V 2.0 -A http://keystone_server:5000/v2.0 \
-U tenant:user -K password post -w user -r user container
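To make the behaviour of the -r and -w flags concrete, the following is an added example that models how the proxy evaluates the container ACLs those flags set (X-Container-Read and X-Container-Write). It is not code from this page or from OpenStack Swift; it is a self-contained model that replays the steps above (admin creates testACL, user is denied the upload under a read-only ACL, user succeeds after -w user) without a running cluster. Two assumptions are built in: the account's operator roles are Swift's default admin and swiftoperator, and a bare ACL entry such as the tutorial's user is matched against the requesting user's name (real keystoneauth matches tenant:user entries and role names, so the tenant:user form is the safer one to use in practice).

```python
"""Model of Swift container ACL evaluation (added example, not Swift's code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

OPERATOR_ROLES = frozenset({"admin", "swiftoperator"})  # assumed Swift defaults
READ_METHODS = frozenset({"GET", "HEAD"})
WRITE_METHODS = frozenset({"PUT", "POST", "DELETE"})


@dataclass
class Container:
    owner_tenant: str
    read_acl: str = ""   # X-Container-Read, written by `swift post -r ...`
    write_acl: str = ""  # X-Container-Write, written by `swift post -w ...`


@dataclass(frozen=True)
class Identity:
    tenant: str
    user: str
    roles: FrozenSet[str] = frozenset()


def parse_acl(acl: str) -> Tuple[List[str], List[str]]:
    """Split an ACL header into (referrer rules, group entries).

    `.r:*`, `.r:host` and `.r:-host` are referrer rules (the "expose
    globally" case); every other comma-separated entry names a tenant,
    user or role.
    """
    referrers, groups = [], []
    for raw in acl.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith(".r:"):
            referrers.append(entry[3:].strip())
        else:
            groups.append(entry)
    return referrers, groups


def entry_matches(entry: str, ident: Identity) -> bool:
    """Does one group entry grant access to this identity?"""
    if ":" in entry:
        tenant, user = entry.split(":", 1)  # tenant:user, *:user or tenant:*
        return tenant in ("*", ident.tenant) and user in ("*", ident.user)
    # Bare entry: assumed to match the user name (the tutorial's `-r user`
    # form) or the name of a role the identity holds.
    return entry == ident.user or entry in ident.roles


def referrer_allowed(rules: List[str], referrer_host: str) -> bool:
    """Referrer rules: a matching `-host` deny wins; `*` or a host suffix allows."""
    allowed = False
    for rule in rules:
        if rule.startswith("-"):
            if referrer_host.endswith(rule[1:]):
                return False
        elif rule == "*" or referrer_host.endswith(rule):
            allowed = True
    return allowed


def authorize(container: Container, ident: Optional[Identity], method: str,
              referrer_host: str = "") -> bool:
    """Return True if `ident` (None = anonymous) may perform `method`."""
    # Account owners holding an operator role bypass container ACLs; this is
    # why cookbook:admin can create testACL and set its ACLs.
    if (ident is not None and ident.tenant == container.owner_tenant
            and ident.roles & OPERATOR_ROLES):
        return True
    if method in WRITE_METHODS:
        _, groups = parse_acl(container.write_acl)  # referrers never grant writes
        return ident is not None and any(entry_matches(g, ident) for g in groups)
    if method in READ_METHODS:
        referrers, groups = parse_acl(container.read_acl)
        if ident is not None and any(entry_matches(g, ident) for g in groups):
            return True
        return referrer_allowed(referrers, referrer_host)
    return False


def walk_through_tutorial() -> List[Tuple[str, bool]]:
    """Replay the tutorial's steps; returns (step, allowed) pairs."""
    admin = Identity("cookbook", "admin", frozenset({"admin"}))
    user = Identity("cookbook", "user", frozenset({"Member"}))
    test_acl = Container(owner_tenant="cookbook")  # `post testACL` by admin
    steps = [("admin creates container", authorize(test_acl, admin, "PUT"))]
    test_acl.read_acl = "user"                     # `post -r user testACL`
    steps.append(("user uploads with read-only ACL", authorize(test_acl, user, "PUT")))
    steps.append(("user downloads with read-only ACL", authorize(test_acl, user, "GET")))
    test_acl.write_acl = "user"                    # `post -w user -r user testACL`
    steps.append(("user uploads after -w user", authorize(test_acl, user, "PUT")))
    return steps


if __name__ == "__main__":
    for step, allowed in walk_through_tutorial():
        print(f"{step}: {'allowed' if allowed else '403 Forbidden'}")
```

Running the module prints the four decisions from the tutorial; the second line is the 403 the upload produced before write access was granted. The referrer rules are included because .r:* is how a container is exposed publicly, and the `-host` form shows that a public read ACL can still exclude named referrers.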
