Creating write ACLs to authorize object users
The Keystone administrator can create container ACLs to grant write permissions by using the X-Container-Write header in the curl tool or the --write-acl flag in the Swift command line client.
The following example shows how to configure write ACLs by using the curl tool.
- Create a token and then create a container named writeOnly with write permissions for the member user who is part of the admin project and the student1 user who is part of the students project.

    token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 --os-project-name admin --os-project-domain-name Default --os-username admin --os-user-domain-name Default --os-password Passw0rd --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
    # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly -X PUT -H "Content-Length: 0" -H "X-Auth-Token: ${token}" -H "X-Container-Write: admin:member,students:student1" -H "X-Container-Read: "
    HTTP/1.1 201 Created
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
    X-Trans-Id: txf7b0bfef877345949c61c-005567b9d1
    Date: Fri, 29 May 2015 00:58:57 GMT
- Issue a token as student1 from the students project and upload an object by using the curl tool.

    token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 --os-project-name students --os-project-domain-name Default --os-username student1 --os-user-domain-name Default --os-password Passw0rd --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
    # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly/imageA.JPG -X PUT -H "X-Auth-Token: ${token}" --upload-file imageA.JPG
    HTTP/1.1 100 Continue
    HTTP/1.1 201 Created
    Last-Modified: Fri, 29 May 2015 01:11:28 GMT
    Content-Length: 0
    Etag: 95d8c44b757f5b0c111750694dffef2b
    Content-Type: text/html; charset=UTF-8
    X-Trans-Id: tx6caa0570bfcd419782274-005567bcbe
    Date: Fri, 29 May 2015 01:11:28 GMT
- List the state of the writeOnly container as the student1 user of the students project. This operation fails because the user does not have the required privileges: the write ACL grants no read access, and the container's read ACL is empty.

    # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly/imageA.JPG -X HEAD -H "X-Auth-Token: ${token}"
    HTTP/1.1 403 Forbidden
    Content-Type: text/html; charset=UTF-8
    X-Trans-Id: tx4f7dfbfd74204785b6b50-005567bd8c
    Content-Length: 0
    Date: Fri, 29 May 2015 01:14:52 GMT
- Grant read permissions to the student1 user of the students project:

    token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 --os-project-name admin --os-project-domain-name Default --os-username admin --os-user-domain-name Default --os-password Passw0rd --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
    # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly -X POST -H "Content-Length: 0" -H "X-Auth-Token: ${token}" -H "X-Container-Read: students:student1"
    HTTP/1.1 204 No Content
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
    X-Trans-Id: tx77aafe0184da4b68a7756-005567beac
    Date: Fri, 29 May 2015 01:19:40 GMT
- Verify whether the student1 user now has read access.

    token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 --os-project-name students --os-project-domain-name Default --os-username student1 --os-user-domain-name Default --os-password Passw0rd --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
    # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly -X GET -H "X-Auth-Token: ${token}"
    HTTP/1.1 200 OK
    Content-Length: 11
    X-Container-Object-Count: 1
    Accept-Ranges: bytes
    X-Storage-Policy: Policy-0
    X-Container-Bytes-Used: 5552466
    X-Timestamp: 1432861137.91693
    Content-Type: text/plain; charset=utf-8
    X-Trans-Id: tx246b39018a5c4bcb90c7f-005567bff3
    Date: Fri, 29 May 2015 01:25:07 GMT
    imageA.JPG
Note: Object Storage does not support public write ACLs.
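The following Python script is an added illustration, not code from this documentation or from Swift itself. It models, in simplified form, how Swift's keystoneauth middleware evaluates the project:user entries of X-Container-Read and X-Container-Write against an authenticated user, and it replays the sequence above offline: the write ACL lets student1 upload, the empty read ACL makes the HEAD fail with 403, and granting a read ACL turns the container listing into a 200. It also rejects a referrer-style public entry (`.r:*`) in a write ACL, reflecting the note that public write ACLs are not supported. The entry forms handled (`project:user`, `project:*`, `*:user`, `*:*`), the matching on names rather than IDs, and the omission of operator-role and account-owner checks are simplifying assumptions of this model; container name, users and projects are the ones used on this page.

```python
"""Simplified, offline model of Swift container ACL evaluation.
Added example; not Swift's own implementation. Assumes ACL entries
of the form project:user with '*' wildcards, matched on names."""

# Read-ACL-only entries that describe anonymous/referrer access.
# Assumption: any entry starting with ".r:" (or ".rlistings") is public-style.
def _is_public_entry(entry):
    return entry.startswith(".r:") or entry == ".rlistings"

def parse_acl(header_value):
    """Split a comma-separated ACL header value into trimmed entries."""
    return [e.strip() for e in (header_value or "").split(",") if e.strip()]

def validate_write_acl(header_value):
    """Reject public/referrer entries in a write ACL (public write is unsupported)."""
    for entry in parse_acl(header_value):
        if _is_public_entry(entry):
            raise ValueError("public entry not allowed in write ACL: %s" % entry)
    return True

def acl_allows(header_value, project, user):
    """True if (project, user) matches any project:user entry; '*' is a wildcard."""
    for entry in parse_acl(header_value):
        if _is_public_entry(entry) or ":" not in entry:
            continue  # referrer entries do not apply to token-authenticated users
        proj_part, user_part = entry.split(":", 1)
        if proj_part in ("*", project) and user_part in ("*", user):
            return True
    return False

class Container:
    """Minimal container: an object store guarded by a read and a write ACL."""

    def __init__(self, name, read_acl="", write_acl=""):
        validate_write_acl(write_acl)
        self.name = name
        self.read_acl = read_acl
        self.write_acl = write_acl
        self.objects = {}

    def put_object(self, project, user, obj_name, data):
        """PUT on an object: requires the write ACL. Returns an HTTP status."""
        if not acl_allows(self.write_acl, project, user):
            return 403
        self.objects[obj_name] = data
        return 201

    def head_object(self, project, user, obj_name):
        """HEAD on an object: requires the read ACL (write access is not enough)."""
        if not acl_allows(self.read_acl, project, user):
            return 403
        return 200 if obj_name in self.objects else 404

    def list_objects(self, project, user):
        """GET on the container: requires the read ACL. Returns (status, names)."""
        if not acl_allows(self.read_acl, project, user):
            return 403, []
        return 200, sorted(self.objects)

    def set_read_acl(self, acl):
        """POST with X-Container-Read: replaces the read ACL."""
        self.read_acl = acl
        return 204

def walkthrough():
    """Replay the page's sequence for student1 of the students project."""
    c = Container("writeOnly", read_acl="",
                  write_acl="admin:member,students:student1")
    r = {}
    r["put"] = c.put_object("students", "student1", "imageA.JPG", b"constructed")
    r["head_before"] = c.head_object("students", "student1", "imageA.JPG")
    r["grant_read"] = c.set_read_acl("students:student1")
    r["list_after"] = c.list_objects("students", "student1")
    return r

if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(step, result)
```

The point the walkthrough makes explicit is that write and read ACLs are evaluated independently: an upload succeeding tells you nothing about whether the same user can read the object back, so a container intended as a drop box should keep its read ACL empty and be checked with a HEAD or GET as the uploading user, exactly as the curl steps above do.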