Creating read ACLs to authorize object users

The Keystone administrator can create container ACLs that grant read permission by setting the X-Container-Read header with the curl tool, or by using the --read-acl flag of the Swift command-line client.

The following example shows how to create read permission in an ACL.
  1. Upload the object imageA.JPG to public_readOnly container as the Keystone administrator.
    # swift upload public_readOnly imageA.JPG --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 
    --os-project-name admin --os-project-domain-name Default --os-username admin 
    --os-user-domain-name Default --os-password Passw0rd --auth-version 3
    imageA.JPG
  2. Issue the swift post command to provide public read access to the public_readOnly container.
    # swift post public_readOnly --read-acl ".r:*,.rlistings" --os-auth-url http://tully-ces-ip.
    adcons.spectrum:35357/v3 --os-project-name admin --os-project-domain-name Default 
    --os-username admin --os-user-domain-name Default --os-password Passw0rd --auth-version 3
    Note: The .r:* ACL grants read access to any referrer, regardless of account affiliation or user name. The .rlistings ACL additionally allows listing the container's contents so that its objects can be read (downloaded) by name.
  3. Issue the swift stat command at the container level to see the access details.
    # swift stat public_readOnly -v --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 
    --os-project-name admin --os-project-domain-name Default --os-username admin 
    --os-user-domain-name Default --os-password Passw0rd --auth-version 3
                 URL: http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
    /public_readOnly
          Auth Token: 91a27a5ed8dc40d582e71844ca019c32
             Account: AUTH_bea5a0c632e54eaf85e9150a16c443ce
           Container: public_readOnly
             Objects: 3
               Bytes: 8167789
            Read ACL: .r:*,.rlistings
           Write ACL:
             Sync To:
            Sync Key:
       Accept-Ranges: bytes
          X-Trans-Id: tx73b0696705b94bf885bd5-0055678ab1
    X-Storage-Policy: Policy-0
         X-Timestamp: 1432795292.10297
        Content-Type: text/plain; charset=utf-8
  4. As the student1 user from the students account, list the details of the public_readOnly container that was created in the admin account, and download its objects.
    Listing the details:
    # swift stat public_readOnly -v --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 
    --os-project-name students --os-project-domain-name Default --os-username student1 
    --os-user-domain-name Default --os-password Passw0rd --auth-version 3 --os-storage-url 
    http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
                 URL: http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
    /public_readOnly
          Auth Token: d6ee0fb5e33748b1b9035a3b690c7587
             Account: AUTH_bea5a0c632e54eaf85e9150a16c443ce
           Container: public_readOnly
             Objects: 3
               Bytes: 8167789
            Read ACL:
           Write ACL:
             Sync To:
            Sync Key:
       Accept-Ranges: bytes
    X-Storage-Policy: Policy-0
         X-Timestamp: 1432795292.10297
          X-Trans-Id: tx09893920a6154faab6ace-0055678f6d
        Content-Type: text/plain; charset=utf-8
    Listing the container objects:
    # swift list public_readOnly --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 
    --os-project-name students --os-project-domain-name Default --os-username student1 
    --os-user-domain-name Default --os-password Passw0rd --auth-version 3 --os-storage-url 
    http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
    file.txt
    imageA.JPG
    imageB.JPG
    Downloading container objects:
    # swift download public_readOnly --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 
    --os-project-name students --os-project-domain-name Default --os-username student1 
    --os-user-domain-name Default --os-password Passw0rd --auth-version 3 --os-storage-url 
    http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
    imageB.JPG [auth 0.321s, headers 0.380s, total 0.390s, 37.742 MB/s]
    file.txt [auth 0.533s, headers 0.594s, total 0.594s, 0.000 MB/s]
    imageA.JPG [auth 0.119s, headers 0.179s, total 18.135s, 0.308 MB/s]
  5. As the student1 user from the students account, write access is denied when trying to upload new content to the public_readOnly container:
    # swift upload public_readOnly photo.jpg --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 
    --os-project-name students --os-project-domain-name Default --os-username student1 
    --os-user-domain-name Default --os-password Passw0rd --auth-version 3 --os-storage-url 
    http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
    Warning: failed to create container 'public_readOnly': 403 Forbidden: 
    
    Forbidden
    
    Access was denied to this resourc
    Object PUT failed: http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce
    /public_readOnly/photo.jpg 403 Forbidden  

Manipulating the read ACLs

The following table lists the different read ACL combinations:

Table 1. ACL options that are available to manipulate object read ACLs

Permission                                      Read ACL option
----------------------------------------------  -----------------------------------------------
Read for all referrers                          .r:*
Read and list for all referrers                 .r:*,.rlistings
Read and list for a user in a specific project  <project_name|project_id>:<user_name|user_id>
Read and list for a user in every project       *:<user_name|user_id>
Read and list for every user in a project       <project_name|project_id>:<*>
Read and list for every user in every project   <*>:<*>

Note: Use a comma (,) to separate ACLs. For example, --read-acl admin:admin,students:student1.
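As an added example (not part of the original IBM documentation), the following Python script performs the check a reviewer would otherwise do by eye in step 3 of the procedure above and encodes the read-ACL syntax from Table 1: it parses the header lines that `swift stat -v` prints, splits the Read ACL into its comma-separated elements, describes each element in the table's terms, and flags containers that `.r:*` makes world-readable (and, together with `.rlistings`, world-listable). The parser is a plain re-implementation of the syntax shown on this page, not the Swift project's own ACL code, and the stat output it consumes is a constructed sample modelled on the step 3 output.

```python
"""Audit a Swift container's read ACL from `swift stat -v` output.

Added example; the ACL parsing below re-implements the comma-separated
read-ACL syntax from Table 1 in plain Python and is not Swift's own code.
"""

# Constructed sample modelled on the step 3 output of the procedure above.
SAMPLE_STAT = """\
                 URL: http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/public_readOnly
          Auth Token: 91a27a5ed8dc40d582e71844ca019c32
             Account: AUTH_bea5a0c632e54eaf85e9150a16c443ce
           Container: public_readOnly
             Objects: 3
               Bytes: 8167789
            Read ACL: .r:*,.rlistings
           Write ACL:
             Sync To:
            Sync Key:
       Accept-Ranges: bytes
    X-Storage-Policy: Policy-0
"""


def parse_stat(text):
    """Turn the `Header: value` lines of `swift stat -v` into a dict."""
    headers = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        headers[key.strip()] = value.strip()
    return headers


def parse_read_acl(acl):
    """Split a read ACL into (kind, value) tuples.

    kind is 'referrer' for .r:<referrer> elements, 'listings' for
    .rlistings, and 'account' for <project>:<user> elements.
    """
    entries = []
    for raw in acl.split(","):
        element = raw.strip()
        if not element:
            continue
        if element == ".rlistings":
            entries.append(("listings", None))
        elif element.startswith(".r:"):
            entries.append(("referrer", element[len(".r:"):]))
        elif ":" in element:
            entries.append(("account", element))
        else:
            raise ValueError("unrecognised read ACL element: %r" % element)
    return entries


def describe(entry):
    """Explain one ACL element in the wording of Table 1."""
    kind, value = entry
    if kind == "listings":
        return "list the container's objects"
    if kind == "referrer":
        if value == "*":
            return "read objects from any referrer (anonymous, no token needed)"
        return "read objects from referrer %s" % value
    # Accept both the literal form (*:*) and the table's placeholder form (<*>:<*>).
    project, user = value.split(":", 1)
    project = project.strip("<>")
    user = user.strip("<>")
    who = "every user" if user == "*" else "user %s" % user
    where = "every project" if project == "*" else "project %s" % project
    return "read and list for %s in %s" % (who, where)


def audit_container(stat_text):
    """Summarise who can read a container and flag public exposure."""
    headers = parse_stat(stat_text)
    entries = parse_read_acl(headers.get("Read ACL", ""))
    public = ("referrer", "*") in entries
    listable = ("listings", None) in entries
    findings = []
    if public:
        findings.append("world-readable: any client can download objects by name")
    if public and listable:
        findings.append("world-listable: anonymous clients can enumerate object names")
    if headers.get("Write ACL"):
        findings.append("write ACL present: " + headers["Write ACL"])
    return {
        "container": headers.get("Container"),
        "grants": [describe(e) for e in entries],
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_container(SAMPLE_STAT)
    print("Container:", report["container"])
    for grant in report["grants"]:
        print("  grants:", grant)
    for finding in report["findings"]:
        print("  finding:", finding)
```

Run against the real output of `swift stat -v <container>` (as the container owner; step 4 shows that a non-owner such as student1 sees an empty Read ACL), the report distinguishes a container that is merely readable by object name (`.r:*` alone) from one whose object names are also enumerable (`.r:*,.rlistings`), which is the distinction that matters when deciding whether a public_readOnly-style container exposes more than intended.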