Creating write ACLs to authorize object users
The Keystone administrator can create container ACLs to grant write permissions by using X-Container-Write headers in the curl tool or the --write-acl flag in the Swift command-line client.
This procedure provides an example of how to configure write ACLs by using the curl tool.
- Run the following command to create a token:
  token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 \
    --os-project-name admin --os-project-domain-name Default \
    --os-username admin --os-user-domain-name Default --os-password Passw0rd \
    --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
- Create a container that is named writeOnly with write permissions for a member user (with an ID of 4720614) who is part of the admin project (46b37eb) and a student1 user (f58b7c09) who is part of the students project (d5c05730). In the X-Container-Write statement, you must specify the project and user IDs rather than the names:
  # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly \
    -X PUT -H "Content-Length: 0" -H "X-Auth-Token: ${token}" \
    -H "X-Container-Write: 46b37eb:4720614,d5c05730:f58b7c09" -H "X-Container-Read: "
  HTTP/1.1 201 Created
  Content-Length: 0
  Content-Type: text/html; charset=UTF-8
  X-Trans-Id: txf7b0bfef877345949c61c-005567b9d1
  Date: Fri, 29 May 2015 00:58:57 GMT
- Issue a token as student1 from the students project and upload an object by using the curl tool:
  token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 \
    --os-project-name students --os-project-domain-name Default \
    --os-username student1 --os-user-domain-name Default --os-password Passw0rd \
    --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
  # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly/imageA.JPG \
    -X PUT -H "X-Auth-Token: ${token}" --upload-file imageA.JPG
  HTTP/1.1 100 Continue
  HTTP/1.1 201 Created
  Last-Modified: Fri, 29 May 2015 01:11:28 GMT
  Content-Length: 0
  Etag: 95d8c44b757f5b0c111750694dffef2b
  Content-Type: text/html; charset=UTF-8
  X-Trans-Id: tx6caa0570bfcd419782274-005567bcbe
  Date: Fri, 29 May 2015 01:11:28 GMT
- List the state of the writeOnly container as the student1 user of the students project:
  # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly/imageA.JPG \
    -X HEAD -H "X-Auth-Token: ${token}"
  HTTP/1.1 403 Forbidden
  Content-Type: text/html; charset=UTF-8
  X-Trans-Id: tx4f7dfbfd74204785b6b50-005567bd8c
  Content-Length: 0
  Date: Fri, 29 May 2015 01:14:52 GMT
  Note: This operation fails with 403 Forbidden because the student1 user has only write permission on the container and no read permission yet.
- Grant read permissions to the student1 user of the students project. In the X-Container-Read statement, you must specify the project and user IDs rather than the names:
  token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 \
    --os-project-name admin --os-project-domain-name Default \
    --os-username admin --os-user-domain-name Default --os-password Passw0rd \
    --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
  # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly \
    -X POST -H "Content-Length: 0" -H "X-Auth-Token: ${token}" \
    -H "X-Container-Read: d5c05730:f58b7c09"
  HTTP/1.1 204 No Content
  Content-Length: 0
  Content-Type: text/html; charset=UTF-8
  X-Trans-Id: tx77aafe0184da4b68a7756-005567beac
  Date: Fri, 29 May 2015 01:19:40 GMT
- Verify whether the student1 user has read access now:
  token=$(openstack --os-auth-url http://tully-ces-ip.adcons.spectrum:35357/v3 \
    --os-project-name students --os-project-domain-name Default \
    --os-username student1 --os-user-domain-name Default --os-password Passw0rd \
    --os-identity-api-version 3 token issue | grep -w "id" | awk '{print $4}')
  # curl -i http://tully-ces-ip.adcons.spectrum:8080/v1/AUTH_bea5a0c632e54eaf85e9150a16c443ce/writeOnly \
    -X GET -H "X-Auth-Token: ${token}"
  HTTP/1.1 200 OK
  Content-Length: 11
  X-Container-Object-Count: 1
  Accept-Ranges: bytes
  X-Storage-Policy: Policy-0
  X-Container-Bytes-Used: 5552466
  X-Timestamp: 1432861137.91693
  Content-Type: text/plain; charset=utf-8
  X-Trans-Id: tx246b39018a5c4bcb90c7f-005567bff3
  Date: Fri, 29 May 2015 01:25:07 GMT
  imageA.JPG
Note: Object Storage does not support public write ACLs.
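The access decisions demonstrated in the steps above (ACL entries must be project and user IDs rather than names, a write grant does not imply read access, and public write grants are not supported) can be checked offline before any header is sent. The following Python is an added example, not part of this documentation or of Swift's own ACL code; the parse_acl, is_authorized and replay_page_steps functions and the in-memory container state are constructed assumptions that reproduce the results shown in the procedure.

```python
import re

# Keystone IDs are hex strings; the procedure requires IDs, not names, so an
# entry such as "students:student1" is rejected (assumption of this model).
_ID_RE = re.compile(r"^[0-9a-f]{1,64}$")
WRITE_METHODS, READ_METHODS = {"PUT", "POST", "DELETE"}, {"GET", "HEAD"}

def parse_acl(header_value, kind):
    """Parse an X-Container-Read/Write value into a set of (project_id, user_id).
    kind is "read" or "write"; an empty value grants nothing. Wildcard/".r:"
    (public) entries are refused: there are no public write ACLs, and
    public-read forms are outside this model."""
    grants = set()
    for entry in (e.strip() for e in (header_value or "").split(",")):
        if not entry:
            continue
        if "*" in entry or entry.startswith(".r:"):
            raise ValueError("public entry not allowed in %s ACL: %r" % (kind, entry))
        project_id, sep, user_id = entry.partition(":")
        if not sep or not _ID_RE.match(project_id) or not _ID_RE.match(user_id):
            raise ValueError("expected <project_id>:<user_id>, got %r" % entry)
        grants.add((project_id, user_id))
    return grants

def is_authorized(container_headers, method, project_id, user_id):
    """Access decision as shown above: a write grant allows PUT/POST/DELETE
    but does not imply read access (HEAD/GET -> 403 until a read ACL is set)."""
    method = method.upper()
    if method in WRITE_METHODS:
        header, kind = "X-Container-Write", "write"
    elif method in READ_METHODS:
        header, kind = "X-Container-Read", "read"
    else:
        return False
    return (project_id, user_id) in parse_acl(container_headers.get(header, ""), kind)

def replay_page_steps():
    """Replay steps 3 to 6 against a constructed container state; returns
    the per-step decisions (True = allowed, False = 403 Forbidden)."""
    students, student1 = "d5c05730", "f58b7c09"
    container = {"X-Container-Write": "46b37eb:4720614,d5c05730:f58b7c09",
                 "X-Container-Read": ""}
    upload = is_authorized(container, "PUT", students, student1)
    head_before = is_authorized(container, "HEAD", students, student1)
    container["X-Container-Read"] = "d5c05730:f58b7c09"   # step 5: POST read ACL
    get_after = is_authorized(container, "GET", students, student1)
    return {"upload": upload, "head_before": head_before, "get_after": get_after}
```

Running parse_acl over a header value before the curl PUT or POST catches name-based or wildcard entries that the proxy would otherwise store or reject at request time.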