Hi, 

My answer may be a little bit late, but here's a Swift middleware we have 
just published: https://github.com/cloudwatt/swiftpolicy 
It allows managing Swift authorization using a policy.json file. 
It is based on the keystoneauth middleware and uses the oslo.policy file format.

Feel free to comment and/or to ask if you have any questions.

--
Nassim
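
An added illustration (not part of the original mail, and not swiftpolicy's own code) of how a policy.json in the oslo.policy check-string format can deny container PUTs by role, which is what the original question asks for. The rule names, the roles and the small evaluator are assumptions; it handles only `role:`, `rule:`, `@`, `!`, `and`, `or` and `not`, without parentheses.

```python
import json

# Constructed policy in oslo.policy check-string syntax. The rule names are
# hypothetical; they are not taken from swiftpolicy's shipped policy.json.
POLICY_JSON = """
{
  "is_admin": "role:admin or role:swiftoperator",
  "get_container": "@",
  "put_container": "rule:is_admin",
  "post_container": "rule:is_admin and not role:readonly",
  "delete_container": "!"
}
"""
RULES = json.loads(POLICY_JSON)


def _check(term, rules, roles, seen):
    """Evaluate one check: '@', '!', 'not X', 'role:NAME' or 'rule:NAME'."""
    term = term.strip()
    if term.startswith("not "):
        return not _check(term[4:], rules, roles, seen)
    if term == "@":
        return True
    kind, _, value = term.partition(":")
    if kind == "role":
        return value.lower() in roles  # role names compared case-insensitively
    if kind == "rule" and value in rules and value not in seen:
        return _evaluate(rules[value], rules, roles, seen | {value})
    return False  # '!', unknown check kinds, missing or cyclic rules are False


def _evaluate(expr, rules, roles, seen):
    """'or' binds loosest, then 'and', then 'not'; parentheses unsupported."""
    return any(
        all(_check(t, rules, roles, seen) for t in alt.split(" and "))
        for alt in expr.split(" or ")
    )


def authorize(action, roles, rules=RULES):
    """Return True only if the rule named after the action admits the roles."""
    if action not in rules:
        return False  # no rule for this action: deny by default
    granted = {r.lower() for r in roles}
    return _evaluate(rules[action], rules, granted, frozenset({action}))
```
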

----- Original Message -----
From: "John Dickinson" <m...@not.mn>
To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Sent: Friday 11 July 2014 05:33:13
Subject: Re: [openstack-dev] [keystone/swift] role-based access control in swift

There are a couple of places to look to see the current dev effort in Swift 
around ACLs.

In no particular order:

* Supporting a service token in Swift https://review.openstack.org/#/c/105228/
* Adding policy engine support to Swift https://review.openstack.org/#/c/89568/
* Fixing ACLs to work with Keystone v3+ https://review.openstack.org/#/c/86430/

Some of the above may be in line with what you're looking for.

--John

On Jul 10, 2014, at 8:17 PM, Osanai, Hisashi <osanai.hisa...@jp.fujitsu.com> 
wrote:

> 
> Hi, 
> 
> I looked for info about role-based access control in swift because 
> I would like to prohibit PUT operations to containers like create 
> containers and set ACLs.
> 
> Other services like Nova, Cinder have "policy.json" file but Swift doesn't.
> And I found out the following info.
> - Swift ACL's migration
> - Centralized policy management
> 
> Do you have detailed info on the above?
> 
> http://dolphm.com/openstack-juno-design-summit-outcomes-for-keystone/
> ---
> Migrate Swift ACL's from a highly flexible Tenant ID/Name basis, which worked 
> reasonably well against Identity API v2, to strictly be based on v3 Project 
> IDs. The driving requirement here is that Project Names are no longer 
> globally unique in v3, as they're only unique within a top-level domain.
> ---
> Centralized policy management
> Keystone currently provides an unused /v3/policies API that can be used to 
> centralize policy blob management across OpenStack.
> 
> 
> Best Regards,
> Hisashi Osanai
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev@lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

