Re: [openstack-dev] [keystone/swift] role-based access control in swift
Hi,

My answer is maybe a little bit late, but here's a swift middleware we have just published:
https://github.com/cloudwatt/swiftpolicy

It allows managing swift authorization using a policy.json file.
It is based on the keystoneauth middleware, and uses oslo.policy file format.

Feel free to comment and/or to ask if you have any questions.

--
Nassim

----- Original Message -----
From: John Dickinson m...@not.mn
To: OpenStack Development Mailing List (not for usage questions) openstack-dev@lists.openstack.org
Sent: Friday, 11 July 2014 05:33:13
Subject: Re: [openstack-dev] [keystone/swift] role-based access control in swift

There are a couple of places to look to see the current dev effort in Swift around ACLs. In no particular order:

* Supporting a service token in Swift
  https://review.openstack.org/#/c/105228/
* Adding policy engine support to Swift
  https://review.openstack.org/#/c/89568/
* Fixing ACLs to work with Keystone v3+
  https://review.openstack.org/#/c/86430/

Some of the above may be in line with what you're looking for.

--John

On Jul 10, 2014, at 8:17 PM, Osanai, Hisashi osanai.hisa...@jp.fujitsu.com wrote:

> Hi,
>
> I looked for info about role-based access control in swift because
> I would like to prohibit PUT operations to containers, like creating
> containers and setting ACLs.
>
> Other services like Nova and Cinder have a policy.json file but Swift doesn't.
> And I found the following info.
> - Swift ACL's migration
> - Centralized policy management
>
> Do you have detailed info for the above?
>
> http://dolphm.com/openstack-juno-design-summit-outcomes-for-keystone/
> ---
> Migrate Swift ACL's from a highly flexible Tenant ID/Name basis, which
> worked reasonably well against Identity API v2, to strictly be based on
> v3 Project IDs. The driving requirement here is that Project Names are
> no longer globally unique in v3, as they're only unique within a
> top-level domain.
> ---
> Centralized policy management
> Keystone currently provides an unused /v3/policies API that can be used
> to centralize policy blob management across OpenStack.
>
> Best Regards,
> Hisashi Osanai

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
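
To illustrate the idea discussed in this thread (prohibiting container PUTs by role through a policy file), the following is an added example; it is not part of any message here and is not swiftpolicy's or oslo.policy's code. It evaluates a simplified subset of the oslo.policy rule syntax without parentheses; the action names such as `put_container`, the `readonly` role and the policy contents are assumptions made for the example.

```python
import json

# Constructed policy in oslo.policy-style JSON; action names are hypothetical.
POLICY_JSON = """{
  "is_admin": "role:admin or role:swiftoperator",
  "get_container": "",
  "put_container": "rule:is_admin",
  "post_container": "rule:is_admin and not role:readonly",
  "delete_container": "!"
}"""

def check(rule, roles, rules, depth=0):
    """Evaluate role:X, rule:Y, '' / '@' (allow), '!' (deny), and/or/not."""
    if depth > 10:                        # rule: references that loop
        raise ValueError("rule recursion too deep")
    rule = rule.strip()
    if rule in ("", "@"):
        return True
    if rule == "!":
        return False
    if " or " in rule:                    # 'or' binds loosest
        return any(check(p, roles, rules, depth) for p in rule.split(" or "))
    if " and " in rule:
        return all(check(p, roles, rules, depth) for p in rule.split(" and "))
    if rule.startswith("not "):
        return not check(rule[4:], roles, rules, depth)
    kind, _, value = rule.partition(":")
    if kind == "role":
        return value.lower() in {r.lower() for r in roles}
    if kind == "rule" and value in rules:
        return check(rules[value], roles, rules, depth + 1)
    raise ValueError("unsupported check: %r" % rule)

def action_for(method, path):
    """Map a Swift request to an action, e.g. PUT /v1/AUTH_x/c -> put_container."""
    parts = [p for p in path.split("/") if p][1:]    # drop the version segment
    if not parts:
        return None
    level = ("account", "container", "object")[min(len(parts), 3) - 1]
    return "%s_%s" % (method.lower(), level)

def authorize(method, path, roles, rules=None):
    """Return True only if a rule exists for the action and it passes."""
    rules = json.loads(POLICY_JSON) if rules is None else rules
    action = action_for(method, path)
    try:                                  # missing or malformed rule: deny
        return action in rules and check(rules[action], roles, rules)
    except ValueError:
        return False
```

Requests whose action has no rule, or whose rule cannot be parsed, are denied rather than passed through.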
Re: [openstack-dev] [keystone/swift] role-based access control in swift
Hi,

Thank you for the info.

On Monday, July 21, 2014 10:19 PM, Nassim Babaci wrote:
> * Adding policy engine support to Swift
> https://review.openstack.org/#/c/89568/

With the commit message in 89568, you have developed the same function except supporting policy.json file format.

> My answer is maybe a little bit late, but here's a swift middleware we have just published:
> https://github.com/cloudwatt/swiftpolicy
> It is based on the keystoneauth middleware, and uses oslo.policy file format.

I would like to know the following points. Do you have info for them?
- difference b/w policy.json file format and oslo.policy file format
- relationship b/w https://review.openstack.org/#/c/89568/ and https://github.com/cloudwatt/swiftpolicy

Best Regards,
Hisashi Osanai
Re: [openstack-dev] [keystone/swift] role-based access control in swift
John,

Thank you for your quick response.

On Friday, July 11, 2014 12:33 PM John Dickinson m...@not.mn wrote:
> Some of the above may be in line with what you're looking for.

They are what I'm looking for. First I will look at the code of the policy engine to see whether I can use it.

Thanks again,
Hisashi Osanai
Re: [openstack-dev] [keystone/swift] role-based access control in swift
There are a couple of places to look to see the current dev effort in Swift around ACLs. In no particular order:

* Supporting a service token in Swift
  https://review.openstack.org/#/c/105228/
* Adding policy engine support to Swift
  https://review.openstack.org/#/c/89568/
* Fixing ACLs to work with Keystone v3+
  https://review.openstack.org/#/c/86430/

Some of the above may be in line with what you're looking for.

--John

On Jul 10, 2014, at 8:17 PM, Osanai, Hisashi osanai.hisa...@jp.fujitsu.com wrote:

> Hi,
>
> I looked for info about role-based access control in swift because
> I would like to prohibit PUT operations to containers, like creating
> containers and setting ACLs.
>
> Other services like Nova and Cinder have a policy.json file but Swift doesn't.
> And I found the following info.
> - Swift ACL's migration
> - Centralized policy management
>
> Do you have detailed info for the above?
>
> http://dolphm.com/openstack-juno-design-summit-outcomes-for-keystone/
> ---
> Migrate Swift ACL's from a highly flexible Tenant ID/Name basis, which
> worked reasonably well against Identity API v2, to strictly be based on
> v3 Project IDs. The driving requirement here is that Project Names are
> no longer globally unique in v3, as they're only unique within a
> top-level domain.
> ---
> Centralized policy management
> Keystone currently provides an unused /v3/policies API that can be used
> to centralize policy blob management across OpenStack.
>
> Best Regards,
> Hisashi Osanai