Re: [Openstack] Swift Object Storage ACLs with KeyStone

2012-05-15 Thread Chmouel Boudjnah
Hi,

In swift+keystone you are not allowed to have ACLs between different
accounts/tenants/projects; you can only allow ACLs between different
users in a tenant.
This is probably something not too difficult to implement, but it may
need some tinkering to get it right. Please feel free to log a bug in
keystone and we'll try to address that.

Chmouel.

On Sat, May 12, 2012 at 4:02 AM, 张家龙 zhan...@awcloud.com wrote:
 Vish,
  Thank you for answering.
  Sorry, I don't understand what you said.
  Do you mean I have to do as follows when setting up ACLs:

 curl -X PUT -i \
 -H 'X-Auth-Token: <token of demo:demo>' \
 -H 'X-Container-Read: tenant_id:user_id' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 Or other operations and settings?
 --
 Best Regards

 ZhangJialong



 -- Original --
 From:  Vishvananda Ishaya <vishvana...@gmail.com>;
 Date:  Sat, May 12, 2012 03:03 AM
 To:  张家龙 <zhan...@awcloud.com>;
 Cc:  openstack <openstack@lists.launchpad.net>;
 Subject:  Re: [Openstack] Swift Object Storage ACLs with KeyStone

 I'm not totally sure about this, but you might have to use the project_id
 from keystone instead of the project_name when setting up acls.   The same
 may be true of user_id.

 Vish

 On Fri, May 11, 2012 at 12:51 AM, 张家龙 zhan...@awcloud.com wrote:


 Hello, everyone.

 I encountered some problems when I set permissions (ACLs) on OpenStack
 Swift containers.
 I installed swift-1.4.8 (essex) and use keystone-2012.1 as the
 authentication system on CentOS 6.2.

 My swift proxy-server.conf and keystone.conf are here:
 http://pastebin.com/dUnHjKSj

 Then I use the script named opensatck_essex_data.sh
 (http://pastebin.com/LWGVZrK0) to initialize keystone.

 After these operations, I got the tokens of demo:demo and
 newuser:newuser:

 curl -s -H 'Content-type: application/json' \
 -d '{"auth": {"tenantName": "demo", "passwordCredentials":
 {"username": "demo", "password": "admin"}}}' \
 http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

 curl -s -H 'Content-type: application/json' \
 -d '{"auth": {"tenantName": "newuser", "passwordCredentials":
 {"username": "newuser", "password": "admin"}}}' \
 http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

 Then, enable read access for newuser:newuser:

 curl -X PUT -i \
 -H 'X-Auth-Token: <token of demo:demo>' \
 -H 'X-Container-Read: newuser:newuser' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 Check the permissions of the container:

 curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 This is the reply of the operation:

 HTTP/1.1 200 OK
 X-Container-Object-Count: 1
 X-Container-Read: newuser:newuser
 X-Container-Bytes-Used: 2735
 Accept-Ranges: bytes
 Content-Length: 24
 Content-Type: text/plain; charset=utf-8
 Date: Fri, 11 May 2012 07:30:23 GMT

 opensatck_essex_data.sh

 Now the user newuser:newuser visits the container of demo:demo:

 curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 But I got a 403 error. Can someone help me?

 --
 Best Regards

 ZhangJialong


 ___
 Mailing list: https://launchpad.net/~openstack
 Post to : openstack@lists.launchpad.net
 Unsubscribe : https://launchpad.net/~openstack
 More help   : https://help.launchpad.net/ListHelp





Re: [Openstack] Swift Object Storage ACLs with KeyStone

2012-05-15 Thread Nguyen, Liem Manh
There is a nice write-up of Keystone RBAC here:

https://blueprints.launchpad.net/keystone/+spec/rbac-keystone

AFAIK, Keystone will provide CRUD API around policy.json, but policy 
enforcement is done at the service level…  Joe or Dolph may be able to provide 
more insights…

Liem

From: Chmouel Boudjnah [mailto:chmo...@chmouel.com]
Sent: Tuesday, May 15, 2012 9:41 AM
To: Nguyen, Liem Manh
Cc: 张家龙; openstack
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone

This has been filed already, zhangjialong:

https://bugs.launchpad.net/keystone/+bug/999615

I am not very familiar with how Keystone RBAC works; AFAIK the current way to 
do that with policy.json is going to go away in the future, right?

Chmouel.
On Tue, May 15, 2012 at 6:37 PM, Nguyen, Liem Manh 
liem_m_ngu...@hp.com wrote:
Yeah, that is because the swift/keystone middleware checks for the tenantId to 
match the accountId in the URL path...  Perhaps, we should rely strictly on 
Swift ACL for granting access to a given Swift container, and rely on Keystone 
RBAC for what you can do with a given Swift account.

BTW, we also ran into this issue before...  Has a bug/feature request been 
filed for this yet?  If not, I can file one.

Thanks,
Liem

-Original Message-
From: openstack-bounces+liem_m_nguyen=hp@lists.launchpad.net
 On Behalf Of Chmouel Boudjnah
Sent: Tuesday, May 15, 2012 2:55 AM
To: 张家龙
Cc: openstack
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone

Hi,

In swift+keystone you are not allowed to have ACLs between different
accounts/tenants/projects; you can only allow ACLs between different
users in a tenant.
This is probably something not too difficult to implement, but it may
need some tinkering to get it right. Please feel free to log a bug in
keystone and we'll try to address that.

Chmouel.

On Sat, May 12, 2012 at 4:02 AM, 张家龙 zhan...@awcloud.com wrote:
 Vish,
  Thank you for answering.
  Sorry, I don't understand what you said.
  Do you mean I have to do as follows when setting up ACLs:

 curl -X PUT -i \
 -H 'X-Auth-Token: <token of demo:demo>' \
 -H 'X-Container-Read: tenant_id:user_id' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 Or other operations and settings?
 --
 Best Regards

 ZhangJialong



 -- Original --
 From:  Vishvananda Ishaya <vishvana...@gmail.com>;
 Date:  Sat, May 12, 2012 03:03 AM
 To:  张家龙 <zhan...@awcloud.com>;
 Cc:  openstack <openstack@lists.launchpad.net>;
 Subject:  Re: [Openstack] Swift Object Storage ACLs with KeyStone

 I'm not totally sure about this, but you might have to use the project_id
 from keystone instead of the project_name when setting up acls.   The same
 may be true of user_id.

 Vish

 On Fri, May 11, 2012 at 12:51 AM, 张家龙 zhan...@awcloud.com wrote:


 Hello, everyone.

 I encountered some problems when I set permissions (ACLs) on OpenStack
 Swift containers.
 I installed swift-1.4.8 (essex) and use keystone-2012.1 as the
 authentication system on CentOS 6.2.

 My swift proxy-server.conf and keystone.conf are here:
 http://pastebin.com/dUnHjKSj

 Then I use the script named opensatck_essex_data.sh
 (http://pastebin.com/LWGVZrK0) to initialize keystone.

 After these operations, I got the tokens of demo:demo and
 newuser:newuser:

 curl -s -H 'Content-type: application/json' \
 -d '{"auth": {"tenantName": "demo", "passwordCredentials":
 {"username": "demo", "password": "admin"}}}' \
 http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

 curl -s -H 'Content-type: application/json' \
 -d '{"auth": {"tenantName": "newuser", "passwordCredentials":
 {"username": "newuser", "password": "admin"}}}' \
 http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

 Then, enable read access for newuser:newuser:

 curl -X PUT -i \
 -H 'X-Auth-Token: <token of demo:demo>' \
 -H 'X-Container-Read: newuser:newuser' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 Check the permissions of the container:

 curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 This is the reply of the operation:

 HTTP/1.1 200 OK
 X-Container-Object-Count: 1
 X-Container-Read: newuser:newuser
 X-Container-Bytes-Used: 2735
 Accept-Ranges: bytes
 Content-Length: 24
 Content-Type: text/plain; charset=utf-8
 Date: Fri, 11 May 2012 07:30:23 GMT

 opensatck_essex_data.sh

 Now the user newuser:newuser visits the container of demo:demo:

 curl -k -v -H 'X-Auth-Token:token

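As an added illustration of the behaviour Chmouel and Liem describe (the account-ownership check in the swift/keystone middleware runs before any container ACL is consulted, so a cross-tenant X-Container-Read grant still ends in 403), here is a small Python model written for this page. It is example code, not the Swift or Keystone middleware's own implementation; the demo tenant id is the one in the thread's URLs, while the newuser tenant id, the user alice, the Member role and the operator role names are constructed assumptions.

```python
# Added example: a simplified model of the swift+keystone authorization order
# described in the thread.  It is not the middleware's own code.  The demo
# tenant id is the one in the thread's URLs; every other id, user and role
# name is a constructed sample value.

RESELLER_PREFIX = "AUTH_"
# Assumption: roles granted full control of their own tenant's account
# (the usual operator_roles setting of the keystone auth middleware).
OPERATOR_ROLES = {"admin", "swiftoperator"}

DEMO_TENANT_ID = "f1723800c821453d9f22d42d1fbb334b"      # from the thread
NEWUSER_TENANT_ID = "0123456789abcdef0123456789abcdef"   # constructed


def parse_acl(acl_header):
    """Split an X-Container-Read value into referrer hosts, user grants and
    the .rlistings flag.  Entries are comma separated: ".r:<host>" is a
    referrer rule, ".rlistings" allows listings, anything else is treated
    as a "<tenant>:<user>" grant."""
    referrers, grants, rlistings = [], [], False
    for entry in (acl_header or "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry == ".rlistings":
            rlistings = True
        elif entry.startswith(".r:"):
            referrers.append(entry[3:])
        else:
            grants.append(entry)
    return referrers, grants, rlistings


def split_path(path):
    """Return (account, container) from a /v1/<account>/<container>[/object] path."""
    parts = path.lstrip("/").split("/", 3)
    if len(parts) < 3 or parts[0] != "v1":
        raise ValueError("not a Swift v1 path: %r" % path)
    return parts[1], parts[2]


def authorize(token, method, path, container_read=None):
    """Decide a request; returns (status, reason) where 200 means allowed.

    token holds what the auth middleware extracts from a validated Keystone
    token: tenant_id, tenant_name, user and roles.
    """
    account, container = split_path(path)
    if not account.startswith(RESELLER_PREFIX):
        return 403, "account %s is not under reseller prefix %s" % (account, RESELLER_PREFIX)
    account_tenant = account[len(RESELLER_PREFIX):]

    # 1. Account ownership: the token's tenant must own the account.  This is
    #    evaluated before the ACL, so a grant naming a user of another tenant
    #    never gets the chance to match; that is the 403 in the thread.
    if account_tenant != token["tenant_id"]:
        return 403, "tenant %s does not own account %s" % (token["tenant_id"], account)

    # 2. Operators of the owning tenant may do anything with the account.
    if OPERATOR_ROLES & set(token["roles"]):
        return 200, "operator role"

    # 3. Other users of the same tenant need a matching read grant.
    #    Assumption: both the tenant_name:user and tenant_id:user spellings
    #    are accepted (Vish's reply suggests trying the id form).
    if method in ("GET", "HEAD"):
        _referrers, grants, _rlistings = parse_acl(container_read)
        identities = {"%s:%s" % (token["tenant_name"], token["user"]),
                      "%s:%s" % (token["tenant_id"], token["user"])}
        matched = identities & set(grants)
        if matched:
            return 200, "matched ACL grant %s" % sorted(matched)[0]
        return 403, "no X-Container-Read grant for %s on %s" % (token["user"], container)
    return 403, "write access needs an operator role"


DEMO_CONTAINER = "/v1/AUTH_%s/demodirc" % DEMO_TENANT_ID


def thread_scenario():
    """Replay the thread: demo:demo grants newuser:newuser, newuser still gets 403."""
    newuser = {"tenant_id": NEWUSER_TENANT_ID, "tenant_name": "newuser",
               "user": "newuser", "roles": ["Member"]}          # constructed role
    return authorize(newuser, "GET", DEMO_CONTAINER, "newuser:newuser")


def same_tenant_scenario(acl="demo:alice"):
    """The case Chmouel says is supported: a second (constructed) user alice
    of tenant demo reading demodirc through the container ACL."""
    alice = {"tenant_id": DEMO_TENANT_ID, "tenant_name": "demo",
             "user": "alice", "roles": ["Member"]}
    return authorize(alice, "GET", DEMO_CONTAINER, acl)


if __name__ == "__main__":
    print("cross-tenant grant  :", thread_scenario())
    print("same-tenant grant   :", same_tenant_scenario())
    print("same-tenant, id form:", same_tenant_scenario(DEMO_TENANT_ID + ":alice"))
    print("same-tenant, no ACL :", same_tenant_scenario(None))
```

Running the script prints a 403 for the cross-tenant grant from the thread and a 200 for a same-tenant grant in either the name or the id spelling; removing the ACL entry brings the same-tenant user back to 403, which is the order of checks to keep in mind when reading the proxy's access log while debugging an ACL.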
[Openstack] Swift Object Storage ACLs with KeyStone

2012-05-11 Thread 张家龙
Hello, everyone.

I encountered some problems when I set permissions (ACLs) on OpenStack 
Swift containers.
I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication 
system on CentOS 6.2.

My swift proxy-server.conf and keystone.conf are here:
http://pastebin.com/dUnHjKSj

Then I use the script named 
opensatck_essex_data.sh (http://pastebin.com/LWGVZrK0) to 
initialize keystone.

After these operations, I got the tokens of demo:demo and newuser:newuser:

curl -s -H 'Content-type: application/json' \
-d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": 
"demo", "password": "admin"}}}' \
http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

curl -s -H 'Content-type: application/json' \
-d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": 
"newuser", "password": "admin"}}}' \
http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

Then, enable read access for newuser:newuser:

curl -X PUT -i \
-H 'X-Auth-Token: <token of demo:demo>' \
-H 'X-Container-Read: newuser:newuser' \
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

Check the permissions of the container:

curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

This is the reply of the operation:

HTTP/1.1 200 OK
X-Container-Object-Count: 1
X-Container-Read: newuser:newuser
X-Container-Bytes-Used: 2735
Accept-Ranges: bytes
Content-Length: 24
Content-Type: text/plain; charset=utf-8
Date: Fri, 11 May 2012 07:30:23 GMT

opensatck_essex_data.sh

Now the user newuser:newuser visits the container of demo:demo:

curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

But I got a 403 error. Can someone help me?

--
 Best Regards

 ZhangJialong


Re: [Openstack] Swift Object Storage ACLs with KeyStone

2012-05-11 Thread Vishvananda Ishaya
I'm not totally sure about this, but you might have to use the project_id
from keystone instead of the project_name when setting up acls.   The same
may be true of user_id.

Vish

On Fri, May 11, 2012 at 12:51 AM, 张家龙 zhan...@awcloud.com wrote:


 Hello, everyone.

 I encountered some problems when I set permissions (ACLs) on OpenStack
 Swift containers.
 I installed swift-1.4.8 (essex) and use keystone-2012.1 as the
 authentication system on CentOS 6.2.

 My swift proxy-server.conf and keystone.conf are here:
 http://pastebin.com/dUnHjKSj

 Then I use the script named opensatck_essex_data.sh
 (http://pastebin.com/LWGVZrK0) to initialize keystone.

 After these operations, I got the tokens of demo:demo and newuser:newuser:

 curl -s -H 'Content-type: application/json' \
 -d '{"auth": {"tenantName": "demo", "passwordCredentials":
 {"username": "demo", "password": "admin"}}}' \
 http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

 curl -s -H 'Content-type: application/json' \
 -d '{"auth": {"tenantName": "newuser", "passwordCredentials":
 {"username": "newuser", "password": "admin"}}}' \
 http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

 Then, enable read access for newuser:newuser:

 curl -X PUT -i \
 -H 'X-Auth-Token: <token of demo:demo>' \
 -H 'X-Container-Read: newuser:newuser' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 Check the permissions of the container:

 curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 This is the reply of the operation:

 HTTP/1.1 200 OK
 X-Container-Object-Count: 1
 X-Container-Read: newuser:newuser
 X-Container-Bytes-Used: 2735
 Accept-Ranges: bytes
 Content-Length: 24
 Content-Type: text/plain; charset=utf-8
 Date: Fri, 11 May 2012 07:30:23 GMT

 opensatck_essex_data.sh

 Now the user newuser:newuser visits the container of demo:demo:

 curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
 http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

 But I got a 403 error. Can someone help me?

 --
 Best Regards

 ZhangJialong

