Re: [Openstack] Swift Object Storage ACLs with KeyStone
Hi,

In swift+keystone you are not allowed to have ACLs between different accounts/tenants/projects; you can only allow ACLs between different users in a tenant. This is probably something not too difficult to implement but it may need some tinkering to get it right. Please feel free to log a bug in keystone and we'll try to address that.

Chmouel.

On Sat, May 12, 2012 at 4:02 AM, 张家龙 zhan...@awcloud.com wrote:
> Vish,
>
> Thank you for answering. But, sorry, I don't understand what you said. Do you mean I have to do as follows when setting up ACLs:
>
>     curl -X PUT -i \
>       -H "X-Auth-Token: <token of demo:demo>" \
>       -H "X-Container-Read: tenant_id:user_id" \
>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
> Or other operations and settings?
>
> --
> Best Regards
> ZhangJialong
>
> -- Original --
> From: Vishvananda Ishaya vishvana...@gmail.com;
> Date: Sat, May 12, 2012 03:03 AM
> To: 张家龙 zhan...@awcloud.com;
> Cc: openstack openstack@lists.launchpad.net;
> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>
> I'm not totally sure about this, but you might have to use the project_id from keystone instead of the project_name when setting up ACLs. The same may be true of user_id.
>
> Vish
>
> On Fri, May 11, 2012 at 12:51 AM, 张家龙 zhan...@awcloud.com wrote:
>> Hello, everyone.
>>
>> I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.
>>
>> I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication system on CentOS 6.2. My swift proxy-server.conf and keystone.conf are here: http://pastebin.com/dUnHjKSj
>>
>> Then I use the script named opensatck_essex_data.sh (http://pastebin.com/LWGVZrK0) to initialize keystone.
>>
>> After these operations, I got the tokens of demo:demo and newuser:newuser:
>>
>>     curl -s -H 'Content-type: application/json' \
>>       -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "admin"}}}' \
>>       http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>>     curl -s -H 'Content-type: application/json' \
>>       -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
>>       http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>> Then enable read access to newuser:newuser:
>>
>>     curl -X PUT -i \
>>       -H "X-Auth-Token: <token of demo:demo>" \
>>       -H "X-Container-Read: newuser:newuser" \
>>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> Check the permission of the container:
>>
>>     curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
>>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> This is the reply of the operation:
>>
>>     HTTP/1.1 200 OK
>>     X-Container-Object-Count: 1
>>     X-Container-Read: newuser:newuser
>>     X-Container-Bytes-Used: 2735
>>     Accept-Ranges: bytes
>>     Content-Length: 24
>>     Content-Type: text/plain; charset=utf-8
>>     Date: Fri, 11 May 2012 07:30:23 GMT
>>
>>     opensatck_essex_data.sh
>>
>> Now the user newuser:newuser visits the container of demo:demo:
>>
>>     curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
>>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> But I got a 403 error. Can someone help me?
>>
>> --
>> Best Regards
>> ZhangJialong

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
Re: [Openstack] Swift Object Storage ACLs with KeyStone
There is a nice write-up of Keystone RBAC here: https://blueprints.launchpad.net/keystone/+spec/rbac-keystone

AFAIK, Keystone will provide a CRUD API around policy.json, but policy enforcement is done at the service level… Joe or Dolph may be able to provide more insights…

Liem

From: Chmouel Boudjnah [mailto:chmo...@chmouel.com]
Sent: Tuesday, May 15, 2012 9:41 AM
To: Nguyen, Liem Manh
Cc: 张家龙; openstack
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone

> This has been filed already, zhangjialong: https://bugs.launchpad.net/keystone/+bug/999615
>
> I am not very familiar with how Keystone RBAC works; AFAIK the current way to do that with policy.json is going to go away in the future, right?
>
> Chmouel.
>
> On Tue, May 15, 2012 at 6:37 PM, Nguyen, Liem Manh liem_m_ngu...@hp.com wrote:
>> Yeah, that is because the swift/keystone middleware checks for the tenantId to match the accountId in the URL path...
>>
>> Perhaps we should rely strictly on Swift ACLs for granting access to a given Swift container, and rely on Keystone RBAC for what you can do with a given Swift account.
>>
>> BTW, we also ran into this issue before... Has a bug/feature request been filed for this yet? If not, I can file one.
>>
>> Thanks,
>> Liem
>>
>> -Original Message-
>> From: openstack-bounces+liem_m_nguyen=hp@lists.launchpad.net [mailto:openstack-bounces+liem_m_nguyen=hp@lists.launchpad.net] On Behalf Of Chmouel Boudjnah
>> Sent: Tuesday, May 15, 2012 2:55 AM
>> To: 张家龙
>> Cc: openstack
>> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>>
>> Hi,
>>
>> In swift+keystone you are not allowed to have ACLs between different accounts/tenants/projects; you can only allow ACLs between different users in a tenant. This is probably something not too difficult to implement but it may need some tinkering to get it right. Please feel free to log a bug in keystone and we'll try to address that.
>>
>> Chmouel.
>>
>> On Sat, May 12, 2012 at 4:02 AM, 张家龙 zhan...@awcloud.com wrote:
>>> Vish,
>>>
>>> Thank you for answering. But, sorry, I don't understand what you said. Do you mean I have to do as follows when setting up ACLs:
>>>
>>>     curl -X PUT -i \
>>>       -H "X-Auth-Token: <token of demo:demo>" \
>>>       -H "X-Container-Read: tenant_id:user_id" \
>>>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>>
>>> Or other operations and settings?
>>>
>>> --
>>> Best Regards
>>> ZhangJialong
>>>
>>> -- Original --
>>> From: Vishvananda Ishaya vishvana...@gmail.com;
>>> Date: Sat, May 12, 2012 03:03 AM
>>> To: 张家龙 zhan...@awcloud.com;
>>> Cc: openstack openstack@lists.launchpad.net;
>>> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>>>
>>> I'm not totally sure about this, but you might have to use the project_id from keystone instead of the project_name when setting up ACLs. The same may be true of user_id.
>>>
>>> Vish
>>>
>>> On Fri, May 11, 2012 at 12:51 AM, 张家龙 zhan...@awcloud.com wrote:
>>>> Hello, everyone.
>>>>
>>>> I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.
>>>>
>>>> I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication system on CentOS 6.2. My swift proxy-server.conf and keystone.conf are here: http://pastebin.com/dUnHjKSj
>>>>
>>>> Then I use the script named opensatck_essex_data.sh (http://pastebin.com/LWGVZrK0) to initialize keystone.
>>>>
>>>> After these operations, I got the tokens of demo:demo and newuser:newuser:
>>>>
>>>>     curl -s -H 'Content-type: application/json' \
>>>>       -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "admin"}}}' \
>>>>       http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>>>
>>>>     curl -s -H 'Content-type: application/json' \
>>>>       -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
>>>>       http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>>>
>>>> Then enable read access to newuser:newuser:
>>>>
>>>>     curl -X PUT -i \
>>>>       -H "X-Auth-Token: <token of demo:demo>" \
>>>>       -H "X-Container-Read: newuser:newuser" \
>>>>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>>>
>>>> Check the permission of the container:
>>>>
>>>>     curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
>>>>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>>>
>>>> This is the reply of the operation:
>>>>
>>>>     HTTP/1.1 200 OK
>>>>     X-Container-Object-Count: 1
>>>>     X-Container-Read: newuser:newuser
>>>>     X-Container-Bytes-Used: 2735
>>>>     Accept-Ranges: bytes
>>>>     Content-Length: 24
>>>>     Content-Type: text/plain; charset=utf-8
>>>>     Date: Fri, 11 May 2012 07:30:23 GMT
>>>>
>>>>     opensatck_essex_data.sh
>>>>
>>>> Now the user newuser:newuser visits the container of demo:demo:
>>>>
>>>>     curl -k -v -H 'X-Auth-Token:token
[Openstack] Swift Object Storage ACLs with KeyStone
Hello, everyone.

I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.

I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication system on CentOS 6.2. My swift proxy-server.conf and keystone.conf are here: http://pastebin.com/dUnHjKSj

Then I use the script named opensatck_essex_data.sh (http://pastebin.com/LWGVZrK0) to initialize keystone.

After these operations, I got the tokens of demo:demo and newuser:newuser:

    curl -s -H 'Content-type: application/json' \
      -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "admin"}}}' \
      http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

    curl -s -H 'Content-type: application/json' \
      -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
      http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool

Then enable read access to newuser:newuser:

    curl -X PUT -i \
      -H "X-Auth-Token: <token of demo:demo>" \
      -H "X-Container-Read: newuser:newuser" \
      http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

Check the permission of the container:

    curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
      http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

This is the reply of the operation:

    HTTP/1.1 200 OK
    X-Container-Object-Count: 1
    X-Container-Read: newuser:newuser
    X-Container-Bytes-Used: 2735
    Accept-Ranges: bytes
    Content-Length: 24
    Content-Type: text/plain; charset=utf-8
    Date: Fri, 11 May 2012 07:30:23 GMT

    opensatck_essex_data.sh

Now the user newuser:newuser visits the container of demo:demo:

    curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
      http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc

But I got a 403 error. Can someone help me?

--
Best Regards
ZhangJialong
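The 403 in the post above, and Liem's later explanation of it in this thread (the swift/keystone middleware compares the tenant id in the token with the account in the URL path before any container ACL is looked at), can be replayed with the small Python model below. This is an added illustration written for this page; it is not code from the thread and not Swift's keystone middleware. The role names that mark an account owner, the acceptance of tenant and user names as well as ids in ACL entries, and the id of the newuser tenant are assumptions; the demo tenant id and container path are the ones in the post.

```python
import re
from dataclasses import dataclass

# Account segment of a Swift v1 path: /v1/AUTH_<tenant_id>/<container>[/object]
ACCOUNT_RE = re.compile(r"^/v1/AUTH_(?P<tenant_id>[0-9a-f]+)/(?P<container>[^/]+)")

# Assumed role names that mark the account owner. A real deployment configures
# these in proxy-server.conf, not in code.
OPERATOR_ROLES = frozenset({"admin", "swiftoperator"})


@dataclass(frozen=True)
class TokenInfo:
    """What the proxy learns about the caller once the token is validated."""
    user_id: str
    user_name: str
    tenant_id: str
    tenant_name: str
    roles: frozenset = frozenset()


def parse_acl(value):
    """Split an X-Container-Read value such as 'demo:newuser, demo:*' into
    (tenant, user) pairs. A bare 'tenant' entry is read as 'tenant:*'."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        tenant, sep, user = item.partition(":")
        entries.append((tenant.strip(), user.strip() if sep else "*"))
    return entries


def acl_grants(acl_value, token):
    """True if some ACL entry names the caller. The tenant part of an entry may
    be given as id or name here (an assumption of this model; Vish's reply
    suggests ids may be what is actually required)."""
    for tenant, user in parse_acl(acl_value):
        tenant_ok = tenant == "*" or tenant in (token.tenant_id, token.tenant_name)
        user_ok = user == "*" or user in (token.user_id, token.user_name)
        if tenant_ok and user_ok:
            return True
    return False


def authorize_read(path, token, read_acl):
    """HTTP status a GET on `path` receives under the rules described in the
    thread: 403 for a token scoped to another tenant whatever the ACL says;
    otherwise 200 for the account owner or for an ACL match, else 403."""
    m = ACCOUNT_RE.match(path)
    if m is None:
        return 404
    if m.group("tenant_id") != token.tenant_id:
        # Tenant in the URL differs from the token's tenant: refused before the
        # container ACL is consulted. This is the case that produced the 403.
        return 403
    if token.roles & OPERATOR_ROLES:
        return 200
    return 200 if acl_grants(read_acl, token) else 403


# Values from the post: the account in the URL belongs to the demo tenant.
DEMO_TENANT_ID = "f1723800c821453d9f22d42d1fbb334b"
CONTAINER_PATH = "/v1/AUTH_" + DEMO_TENANT_ID + "/demodirc"
# Constructed placeholder id for the separate 'newuser' tenant.
NEWUSER_TENANT_ID = "0123456789abcdef0123456789abcdef"


def thread_scenario():
    """Replay the post's two requests plus two same-tenant variants."""
    demo_owner = TokenInfo("u-demo", "demo", DEMO_TENANT_ID, "demo", frozenset({"admin"}))
    # Token obtained with tenantName 'newuser', exactly as in the post.
    newuser_other_tenant = TokenInfo("u-new", "newuser", NEWUSER_TENANT_ID, "newuser")
    # Same user, but made a member of the demo tenant and scoped to it.
    newuser_in_demo = TokenInfo("u-new", "newuser", DEMO_TENANT_ID, "demo")
    return {
        "owner": authorize_read(CONTAINER_PATH, demo_owner, "newuser:newuser"),
        "cross_tenant_newuser": authorize_read(CONTAINER_PATH, newuser_other_tenant, "newuser:newuser"),
        "same_tenant_wrong_acl": authorize_read(CONTAINER_PATH, newuser_in_demo, "newuser:newuser"),
        "same_tenant_right_acl": authorize_read(CONTAINER_PATH, newuser_in_demo, "demo:newuser"),
    }


if __name__ == "__main__":
    for case, status in thread_scenario().items():
        print(f"{case:24s} -> {status}")
```

The replay gives 403 for the cross-tenant request, which is the outcome reported in the post, and shows that within a tenant the ACL entry must be written as the reader's own tenant plus user (demo:newuser), not as the tenant the user was created in; an entry naming the wrong tenant is simply never matched.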
Re: [Openstack] Swift Object Storage ACLs with KeyStone
I'm not totally sure about this, but you might have to use the project_id from keystone instead of the project_name when setting up ACLs. The same may be true of user_id.

Vish

On Fri, May 11, 2012 at 12:51 AM, 张家龙 zhan...@awcloud.com wrote:
> Hello, everyone.
>
> I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.
>
> I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication system on CentOS 6.2. My swift proxy-server.conf and keystone.conf are here: http://pastebin.com/dUnHjKSj
>
> Then I use the script named opensatck_essex_data.sh (http://pastebin.com/LWGVZrK0) to initialize keystone.
>
> After these operations, I got the tokens of demo:demo and newuser:newuser:
>
>     curl -s -H 'Content-type: application/json' \
>       -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "admin"}}}' \
>       http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>
>     curl -s -H 'Content-type: application/json' \
>       -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
>       http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>
> Then enable read access to newuser:newuser:
>
>     curl -X PUT -i \
>       -H "X-Auth-Token: <token of demo:demo>" \
>       -H "X-Container-Read: newuser:newuser" \
>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
> Check the permission of the container:
>
>     curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
> This is the reply of the operation:
>
>     HTTP/1.1 200 OK
>     X-Container-Object-Count: 1
>     X-Container-Read: newuser:newuser
>     X-Container-Bytes-Used: 2735
>     Accept-Ranges: bytes
>     Content-Length: 24
>     Content-Type: text/plain; charset=utf-8
>     Date: Fri, 11 May 2012 07:30:23 GMT
>
>     opensatck_essex_data.sh
>
> Now the user newuser:newuser visits the container of demo:demo:
>
>     curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
>       http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
> But I got a 403 error. Can someone help me?
>
> --
> Best Regards
> ZhangJialong