OpenStack Object Storage containers are usually owned by the user that created them. However, through Swift's ACLs (Access Control Lists), containers can be made accessible to different OpenStack users or made completely public. The owner of the container can set specific read and write rules. The read and write rules must be set separately and have to be enabled explicitly on each container. The owner of the container can make the container completely public or set rules based on the project, user, or rule set.
Ensure that you are logged on to a correctly configured OpenStack client and can access the OpenStack environment as a user with the swiftoperator privileges and an admin user. We will use the developer user created in the Common OpenStack identity tasks recipe in Chapter 2, The OpenStack Client, with the cookbook4 password. We have also granted this user the swiftoperator privileges.
Since the OpenStack CLI does not provide all the functionality available through the individual OpenStack project client, we will need to use Swift CLI for this recipe. Ensure that you have the Swift command-line client installed. If you do not, install it:
pip install python-swiftclient
To view and modify ACLs on containers, follow the following steps:
- First, view existing ACLs on a container, if any:
swift stat booksThis gives the information about our container called
books:Account: AUTH_402e8fe274c143ea91fe905a1b8c7614 Container: books Objects: 3 Bytes: 32764 Read ACL: Write ACL: Sync To: Sync Key: Accept-Ranges: bytes X-Storage-Policy: default Last-Modified: Mon, 18 Dec 2017 06:09:45 GMT X-Timestamp: 1512278405.11522 X-Trans-Id: tx484e741deb754fdb86f7a-005a375e4c Content-Type: text/plain; charset=utf-8 X-Openstack-Request-Id: tx484e741deb754fdb86f7a-005a375e4c
- In our example, there are no read or write ACLs set yet. Let's set a
readACL to make thebookscontainer public:swift post books --read-acl ".r:*,.rlistings" - To make the
bookscontainer writable by everybody, issue the following:swift post books --write-acl "*:*" - Now check the details on the books container again with the stat command:
swift stat booksWe can see that the
Read ACLandWrite ACLfields have been populated:Account: AUTH_402e8fe274c143ea91fe905a1b8c7614 Container: books Objects: 3 Bytes: 32764 Read ACL: .r:*,.rlistings Write ACL: *:* Sync To: Sync Key: Accept-Ranges: bytes X-Trans-Id: txc0d0d64ed54e48989f3f6-005a3760ba X-Storage-Policy: default Last-Modified: Mon, 18 Dec 2017 06:22:56 GMT X-Timestamp: 1512278405.11522 Content-Type: text/plain; charset=utf-8 X-Openstack-Request-Id: txc0d0d64ed54e48989f3f6-005a3760ba
- Since operating world-writable and readable containers are not very good security practice, we can remove the ACLs from the container. To remove the read ACL, issue this command:
swift post -r "" books - To remove the write ACL, use this command:
swift post -w "" books - If you need to share your container with another user in your OpenStack environment, you can set permissions based on the project and user. In our example, we will set the
bookscontainer's access to be readable by everyone in theadminproject:swift post -r "admin:*" booksThe asterisk (
*) after:indicates that all users in theadminproject will have access to thebookscontainer. - Now check the details of the
bookscontainer:swift stat -v booksThis will produce output like the following:
URL: http://172.29.236.100:8080/v1/AUTH_402e8fe/books Auth Token: gAAAAABaODQ8R93x7kW46CW_u9ZS3 Account: AUTH_402e8fe274c143ea91fe905a1b8c7614 Container: books Objects: 3 Bytes: 32764 Read ACL: admin:* Write ACL: Sync To: Sync Key: Accept-Ranges: bytes X-Trans-Id: tx20b0d0d8394b4b0a81cba-005a38343c X-Storage-Policy: default Last-Modified: Mon, 18 Dec 2017 21:24:27 GMT X-Timestamp: 1512278405.11522 Content-Type: text/plain; charset=utf-8 X-Openstack-Request-Id: tx20b0d0d8394b4b0a81cba-005a38343c
Notice the
URLof the container in the details. Anybody wishing to access this container will need to pass theURLfield as a parameter. - As an
adminuser, test the access to thebookscontainer:swift --os-storage-url http://172.29.236.100:8080/v1/AUTH_402e8fe/books list
This will give objects from our shared container at the specified URL:
chapter1 chapter1/swift.txt intro.txt
In our example, the
adminuser is part of theadminproject and therefore is able to access thebookscontainer via the--os-storage-urlflag.
Containers can be shared with other users by setting read and write ACLs on them. Currently, the ACLs functionality is not available in the OpenStack client, so we are using the Swift CLI in our examples.
There are two types of ACLs that can be set on a container, read and write, and they have to be set individually.
Set read ACL with the following command:
swift post -r "project:user" container
Set write ACL as follows:
swift post -w "project:user" container
Here both the project and user can be substituted with a wild card (*).
To make a container completely public, use the following commands:
swift post --read-acl ".r:*,.rlistings" container swift post --write-acl "*:*" container
With the .r:* and .rlistings elements set, the books container is publicly accessible. The .r* element allows access to the objects in a container, and .rlistings allows listing of the container's content.
Once access to containers is enabled for other users, find the URL of a container with the following command:
swift stat -v container | grep URL
To access another user's container once access been enabled, use this command:
swift --os-storage-url URL list