OpenStack Object Storage containers are usually owned by the user that created them. However, through Swift's ACLs (Access Control Lists), containers can be made accessible to different OpenStack users or made completely public. The owner of the container can set specific read and write rules. The read and write rules must be set separately and have to be enabled explicitly on each container. The owner of the container can make the container completely public or set rules based on the project, user, or rule set.
Ensure that you are logged on to a correctly configured OpenStack client and can access the OpenStack environment as a user with the swiftoperator privileges and an admin user. We will use the developer user created in the Common OpenStack identity tasks recipe in Chapter 2, The OpenStack Client, with the cookbook4 password. We have also granted this user the swiftoperator privileges.
Since the OpenStack CLI does not provide all the functionality available through the individual OpenStack project clients, we will need to use the Swift CLI for this recipe. Ensure that you have the Swift command-line client installed. If you do not, install it:
pip install python-swiftclient
To view and modify ACLs on containers, follow these steps:
swift stat books
This gives the information about our container called books:
Account: AUTH_402e8fe274c143ea91fe905a1b8c7614
Container: books
Objects: 3
Bytes: 32764
Read ACL:
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: default
Last-Modified: Mon, 18 Dec 2017 06:09:45 GMT
X-Timestamp: 1512278405.11522
X-Trans-Id: tx484e741deb754fdb86f7a-005a375e4c
Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: tx484e741deb754fdb86f7a-005a375e4c
Set the read ACL to make the books container public:
swift post books --read-acl ".r:*,.rlistings"
To make the books container writable by everybody, issue the following:
swift post books --write-acl "*:*"
swift stat books
We can see that the Read ACL and Write ACL fields have been populated:
Account: AUTH_402e8fe274c143ea91fe905a1b8c7614
Container: books
Objects: 3
Bytes: 32764
Read ACL: .r:*,.rlistings
Write ACL: *:*
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Trans-Id: txc0d0d64ed54e48989f3f6-005a3760ba
X-Storage-Policy: default
Last-Modified: Mon, 18 Dec 2017 06:22:56 GMT
X-Timestamp: 1512278405.11522
Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: txc0d0d64ed54e48989f3f6-005a3760ba
swift post -r "" books
swift post -w "" books
Set the books container's access to be readable by everyone in the admin project:
swift post -r "admin:*" books
The asterisk (*) after : indicates that all users in the admin project will have access to the books container.
View the details of the books container:
swift stat -v books
This will produce output like the following:
URL: http://172.29.236.100:8080/v1/AUTH_402e8fe/books
Auth Token: gAAAAABaODQ8R93x7kW46CW_u9ZS3
Account: AUTH_402e8fe274c143ea91fe905a1b8c7614
Container: books
Objects: 3
Bytes: 32764
Read ACL: admin:*
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Trans-Id: tx20b0d0d8394b4b0a81cba-005a38343c
X-Storage-Policy: default
Last-Modified: Mon, 18 Dec 2017 21:24:27 GMT
X-Timestamp: 1512278405.11522
Content-Type: text/plain; charset=utf-8
X-Openstack-Request-Id: tx20b0d0d8394b4b0a81cba-005a38343c
Notice the URL of the container in the details. Anybody wishing to access this container will need to pass the URL field as a parameter.
As the admin user, test the access to the books container:
swift --os-storage-url http://172.29.236.100:8080/v1/AUTH_402e8fe/books list
This will give objects from our shared container at the specified URL:
chapter1
chapter1/swift.txt
intro.txt
In our example, the admin user is part of the admin project and therefore is able to access the books container via the --os-storage-url flag.
Containers can be shared with other users by setting read and write ACLs on them. Currently, the ACLs functionality is not available in the OpenStack client, so we are using the Swift CLI in our examples.
There are two types of ACLs that can be set on a container, read and write, and they have to be set individually.
Set read ACL with the following command:
swift post -r "project:user" container
Set write ACL as follows:
swift post -w "project:user" container
Here both the project and user can be substituted with a wildcard (*).
To make a container completely public, use the following commands:
swift post --read-acl ".r:*,.rlistings" container
swift post --write-acl "*:*" container
With the .r:* and .rlistings elements set, the books container is publicly accessible. The .r:* element allows access to the objects in a container, and .rlistings allows listing of the container's content.
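The following Python script is an added example, not part of the original recipe: it parses the Read ACL and Write ACL lines of swift stat output and reports elements that open a container beyond named projects or users. The function names, scope labels, and sample text are constructed for illustration.

```python
import re

def parse_acls(stat_output):
    """Extract the Read ACL and Write ACL elements from `swift stat` text."""
    acls = {"read": [], "write": []}
    for line in stat_output.splitlines():
        m = re.match(r"\s*(Read|Write) ACL:(.*)$", line)
        if m:
            acls[m.group(1).lower()] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return acls

def classify(element):
    """Map one ACL element to the scope of access it grants (labels are ours)."""
    if element == ".rlistings":
        return "anonymous-listing"
    if element.startswith(".r:"):
        # .r:* matches any referrer, so no token is needed to read objects.
        return "anonymous" if element == ".r:*" else "referrer-rule"
    if ":" in element:
        project, user = element.split(":", 1)
        if project == "*" and user == "*":
            return "any-authenticated-user"  # *:* still requires a valid token
        if user == "*":
            return "whole-project"
        if project == "*":
            return "user-any-project"
        return "single-user"
    return "other"  # anything else, such as a role name; not covered in this recipe

RISKY = {"anonymous", "anonymous-listing", "any-authenticated-user"}

def audit(stat_output):
    """Return sorted (acl, element, scope) tuples that expose the container broadly."""
    findings = []
    for kind, elements in parse_acls(stat_output).items():
        for element in elements:
            scope = classify(element)
            if scope in RISKY:
                findings.append((kind, element, scope))
    return sorted(findings)

# Constructed samples, modeled on the stat output shown in this recipe.
PUBLIC = "Container: books\nRead ACL: .r:*,.rlistings\nWrite ACL: *:*\nSync To:\n"
PROJECT = "Container: books\nRead ACL: admin:*\nWrite ACL:\nSync To:\n"

if __name__ == "__main__":
    for name, sample in (("public", PUBLIC), ("project", PROJECT)):
        print(name, audit(sample))
```
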
Once access to containers is enabled for other users, find the URL of a container with the following command:
swift stat -v container | grep URL
To access another user's container once access has been enabled, use this command:
swift --os-storage-url URL list