Container ACLs

OpenStack Object Storage containers are usually owned by the user that created them. However, through Swift's ACLs (Access Control Lists), containers can be made accessible to different OpenStack users or made completely public. The owner of the container can set specific read and write rules. The read and write rules must be set separately and have to be enabled explicitly on each container. The owner of the container can make the container completely public or set rules based on the project, user, or rule set.

Getting ready

Ensure that you are logged on to a correctly configured OpenStack client and can access the OpenStack environment both as a user with the swiftoperator privileges and as an admin user. We will use the developer user created in the Common OpenStack identity tasks recipe in Chapter 2, The OpenStack Client, with the cookbook4 password. We have also granted this user the swiftoperator privileges.

Since the OpenStack CLI does not provide all the functionality available through the individual OpenStack project clients, we will need to use the Swift CLI for this recipe. Ensure that you have the Swift command-line client installed. If you do not, install it:

pip install python-swiftclient

How to do it…

To view and modify ACLs on containers, follow these steps:

  1. First, view existing ACLs on a container, if any:
    swift stat books
    

    This gives the information about our container called books:

                   Account: AUTH_402e8fe274c143ea91fe905a1b8c7614
                 Container: books
                   Objects: 3
                     Bytes: 32764
                  Read ACL:
                 Write ACL:
                   Sync To:
                  Sync Key:
             Accept-Ranges: bytes
          X-Storage-Policy: default
             Last-Modified: Mon, 18 Dec 2017 06:09:45 GMT
               X-Timestamp: 1512278405.11522
                X-Trans-Id: tx484e741deb754fdb86f7a-005a375e4c
              Content-Type: text/plain; charset=utf-8
    X-Openstack-Request-Id: tx484e741deb754fdb86f7a-005a375e4c
    
  2. In our example, there are no read or write ACLs set yet. Let's set a read ACL to make the books container public:
    swift post books --read-acl ".r:*,.rlistings"
    

    Note

    There is no output from this command.

  3. To make the books container writable by everybody, issue the following:
    swift post books --write-acl "*:*"
    

    Note

    There is no output from this command.

  4. Now check the details on the books container again with the stat command:
    swift stat books
    

    We can see that the Read ACL and Write ACL fields have been populated:

                   Account: AUTH_402e8fe274c143ea91fe905a1b8c7614
                 Container: books
                   Objects: 3
                     Bytes: 32764
                  Read ACL: .r:*,.rlistings
                 Write ACL: *:*
                   Sync To:
                  Sync Key:
             Accept-Ranges: bytes
                X-Trans-Id: txc0d0d64ed54e48989f3f6-005a3760ba
          X-Storage-Policy: default
             Last-Modified: Mon, 18 Dec 2017 06:22:56 GMT
               X-Timestamp: 1512278405.11522
              Content-Type: text/plain; charset=utf-8
    X-Openstack-Request-Id: txc0d0d64ed54e48989f3f6-005a3760ba
    
  5. Since operating world-readable and world-writable containers is not good security practice, we can remove the ACLs from the container. To remove the read ACL, issue this command:
    swift post -r "" books
    
  6. To remove the write ACL, use this command:
    swift post -w "" books
    
  7. If you need to share your container with another user in your OpenStack environment, you can set permissions based on the project and user. In our example, we will set the books container's access to be readable by everyone in the admin project:
    swift post -r "admin:*" books
    

    The asterisk (*) after the colon indicates that all users in the admin project will have access to the books container.

  8. Now check the details of the books container:
    swift stat -v books
    

    This will produce output like the following:

                       URL: http://172.29.236.100:8080/v1/AUTH_402e8fe/books
                Auth Token: gAAAAABaODQ8R93x7kW46CW_u9ZS3               
                   Account: AUTH_402e8fe274c143ea91fe905a1b8c7614
                 Container: books
                   Objects: 3
                     Bytes: 32764
                  Read ACL: admin:*
                 Write ACL:
                   Sync To:
                  Sync Key:
             Accept-Ranges: bytes
                X-Trans-Id: tx20b0d0d8394b4b0a81cba-005a38343c
          X-Storage-Policy: default
             Last-Modified: Mon, 18 Dec 2017 21:24:27 GMT
               X-Timestamp: 1512278405.11522
              Content-Type: text/plain; charset=utf-8
    X-Openstack-Request-Id: tx20b0d0d8394b4b0a81cba-005a38343c
    

    Notice the URL of the container in the details. Anybody wishing to access this container will need to pass the URL field as a parameter.

  9. As an admin user, test the access to the books container:
    swift --os-storage-url http://172.29.236.100:8080/v1/AUTH_402e8fe/books list
    

    This will give objects from our shared container at the specified URL:

    chapter1
    chapter1/swift.txt
    intro.txt
    

    In our example, the admin user is part of the admin project and therefore is able to access the books container via the --os-storage-url flag.

How it works…

Containers can be shared with other users by setting read and write ACLs on them. Currently, the ACL functionality is not available in the OpenStack client, so we are using the Swift CLI in our examples.

There are two types of ACLs that can be set on a container, read and write, and they have to be set individually.

Set read ACL with the following command:

swift post -r "project:user" container

Set write ACL as follows:

swift post -w "project:user" container

Here both the project and the user can be substituted with a wildcard (*).

To make a container completely public, use the following commands:

swift post --read-acl ".r:*,.rlistings" container
swift post --write-acl "*:*" container

With the .r:* and .rlistings elements set, the books container is publicly accessible. The .r:* element allows anyone to read the objects in the container, and .rlistings allows anyone to list the container's contents.

Note

With write ACL set to "*:*", the container can be updated by anybody, so use it with care.

The -r and --read-acl options, as well as -w and --write-acl, are the short and long forms of the same flag; that is, -r and --read-acl are interchangeable, as are -w and --write-acl.
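As an added example (not part of the original recipe), the following script audits a container for the over-broad grants discussed above. It parses the text that swift stat prints, splits the Read ACL and Write ACL values on the Swift ACL syntax used in this recipe (.r:*, .rlistings, project:user, project:*, *:*), and labels each entry so that public or any-user grants stand out. The stat text embedded below is a constructed sample shaped like the output shown in step 4; in practice you would feed in the real output of swift stat.

```python
# Audit Swift container ACLs parsed from `swift stat` output (added example).

# Constructed sample, shaped like the `swift stat books` output in this recipe.
SAMPLE_STAT = """\
                 Container: books
                  Read ACL: .r:*,.rlistings
                 Write ACL: *:*
                   Sync To:
"""

# Labels that widen access beyond a single named project:user grant.
RISKY_LABELS = {"public", "public-listing", "any-user", "project-wildcard"}


def parse_stat(text):
    """Turn `swift stat` output into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def classify_entries(acl):
    """Split a comma-separated ACL string and label every entry."""
    labelled = []
    for entry in filter(None, (e.strip() for e in acl.split(","))):
        if entry == ".rlistings":
            labelled.append((entry, "public-listing"))   # anyone may list objects
        elif entry == ".r:*":
            labelled.append((entry, "public"))           # anyone may read objects
        elif entry.startswith(".r:"):
            labelled.append((entry, "referrer-rule"))    # host-based allow/deny
        elif entry == "*:*":
            labelled.append((entry, "any-user"))         # every authenticated user
        elif entry.endswith(":*"):
            labelled.append((entry, "project-wildcard")) # all users of one project
        else:
            labelled.append((entry, "project-user"))     # one specific user
    return labelled


def audit(stat_text):
    """Return, per ACL type, the entries whose label is in RISKY_LABELS."""
    fields = parse_stat(stat_text)
    report = {}
    for field in ("Read ACL", "Write ACL"):
        entries = classify_entries(fields.get(field, ""))
        report[field] = [(e, label) for e, label in entries if label in RISKY_LABELS]
    return report
```

Running audit over output where both ACL fields are empty returns empty lists, which is the state the recipe restores in steps 5 and 6.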

Once access to containers is enabled for other users, find the URL of a container with the following command:

swift stat -v container | grep URL

To access another user's container once access has been enabled, use this command:

swift --os-storage-url URL list

Tip

If you are always accessing the same storage URL, it can be set as the OS_STORAGE_URL environment variable.
