ACLs for OpenStack Swift Object Storage
An OpenStack Swift object-storage container is normally available only to users in the project in which the container was created, but Swift has a container ACL mechanism that lets you construct fine-grained permission sets.
You ordinarily access the Object Store via the web interface: Project Compute > Object Store > Containers. From there you can create and view containers, upload and download files using the containers, etc.
Swift ACLs cannot be managed via the web interface; they must be constructed using the swift command-line utility. (OK, you can also use curl, but that's an exercise left to the reader.)
Note: These instructions work with the Mitaka release of OpenStack and version 3.0 of the swift utility. Other release combinations may produce varying results.
Install swift utility
The swift utility is a Python program that comes with the swiftclient bundle. It's available as the python-swiftclient package on newer Ubuntu systems. It's available via a package of the same name on CentOS systems from the centos-openstack-mitaka repository. For full use, you'll also need the python-keystoneclient package. If your system doesn't provide prebuilt packages, you can install them using pip:
# add the --user option to put these in your home directory
# if you don't have root privileges.
pip install python-swiftclient
pip install python-keystoneclient
On Macs, there’s also a compiler called “swift,” so you’ll want to make sure you’re seeing the right one:
[bash]$ swift --version
python-swiftclient 3.0.0
Example: A container for your many selves
Let's say that you're a member of two different projects: Alpha and Beta. Your username in both projects is memyself.
Create a container in one project
Let’s start by creating a container with the Alpha project:
export OS_USERNAME=memyself
export OS_TENANT_NAME=Alpha
export OS_PASSWORD=myPassWord
export OS_AUTH_URL=http://openstack.domain.com:5000/v2.0
export OS_REGION_NAME=RegionOne
swift post AlphaContainer
swift upload AlphaContainer my-science-project.tar
At this point, we have a container named AlphaContainer that holds one tar archive, my-science-project.tar. So far, so good.
Add ACLs to new container
What you really want to do is make your tar archive available while you’re working within the Beta project. So let’s tell swift to add read and write privileges to AlphaContainer for the Beta version of you.
# add read privileges
swift post -r 'Beta:memyself' AlphaContainer
# add write privileges
swift post -w 'Beta:memyself' AlphaContainer
Now you can test whether the ACLs have been created:
[bash]$ swift stat AlphaContainer -v | grep ACL:
Read ACL: Beta:memyself
Write ACL: Beta:memyself
Take note of StorageURL
Once the ACLs are adjusted, then take note of the top-level storage URL. We’ll need it when we start working in the Beta project.
[bash]$ swift stat -v | grep StorageURL: | awk '{print $2}'
http://openstack.domain.com:8080/v1/AUTH_e2e476b96336840e5f82f928a815805d
Change context to new project
Now we'll leave our Alpha self behind and start work in the Beta project. The main difference is that we're going to set the OS_STORAGE_URL variable to the URL we noted in the previous step.
export OS_USERNAME=memyself
export OS_TENANT_NAME=Beta
export OS_PASSWORD=myPassWord
export OS_AUTH_URL=http://openstack.domain.com:5000/v2.0
export OS_REGION_NAME=RegionOne
export OS_STORAGE_URL="http://openstack.domain.com:8080/v1/AUTH_e2e476b96336840e5f82f928a815805d"
swift list AlphaContainer
swift download AlphaContainer my-science-project.tar
If you don’t want to add the URL to your environment, you can also pass it as a command-line option:
swift \
download AlphaContainer my-science-project.tar \
--os-storage-url http://openstack.domain.com:8080/v1/AUTH_e2e476b96336840e5f82f928a815805d
A complex ACL set
More complex Swift ACLs can be constructed with wildcards and comma-separated lists.
# give r/w access to every version of my account and to user leslie in
# project Gamma. give read-only access to users joebob and leslie in
# project Beta and to everyone else in project Gamma
swift post -r '*:memyself,Beta:joebob,Beta:leslie,Gamma:*' AlphaContainer
swift post -w '*:memyself,Gamma:leslie' AlphaContainer
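Two things are worth checking once an ACL like this is in place. First, `swift post -r`/`-w` set the container's X-Container-Read/X-Container-Write headers outright rather than appending to them, so each command must carry the complete list and `swift stat -v` is the place to confirm what is actually set. Second, it is easy to misread which principals a mixed list of exact entries and wildcards really covers. The script below is an added example, not part of the original post: it parses Read ACL and Write ACL out of a constructed `swift stat -v` output (the sample text is made up for this example) and evaluates them against a project:user principal using the matching rules Swift's keystoneauth middleware applies to such entries (exact project:user, *:user, project:*, *:*). It runs offline and needs no Swift cluster.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the ACL lines from a
# constructed `swift stat -v` output and evaluates them for a principal.
# Matching rules assumed: project:user, *:user, project:*, *:*.

# Constructed sample of `swift stat -v AlphaContainer` output.
SAMPLE_STAT_OUTPUT='                  Account: AUTH_e2e476b96336840e5f82f928a815805d
                Container: AlphaContainer
                  Objects: 1
                    Bytes: 10240
                 Read ACL: *:memyself,Beta:joebob,Beta:leslie,Gamma:*
                Write ACL: *:memyself,Gamma:leslie
                  Sync To:
                 Sync Key:
'

# acl_field NAME STAT_OUTPUT -> prints the value after "NAME:" (e.g. "Read ACL")
acl_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# acl_allows ACL PROJECT USER -> exit 0 if PROJECT:USER matches any ACL entry.
# The body runs in a subshell so set -f and the IFS change stay local.
acl_allows() (
    acl=$1; project=$2; user=$3
    set -f                      # keep '*' literal; do not glob the cwd
    IFS=','
    for entry in $acl; do
        case "$entry" in
            .r:*) continue ;;   # referrer entries are not project:user
            *:*) ;;             # project:user form
            *) continue ;;      # e.g. .rlistings: no colon, skip
        esac
        ep=${entry%%:*}; eu=${entry#*:}
        if { [ "$ep" = '*' ] || [ "$ep" = "$project" ]; } &&
           { [ "$eu" = '*' ] || [ "$eu" = "$user" ]; }; then
            return 0
        fi
    done
    return 1
)

# access_for PROJECT USER STAT_OUTPUT -> prints "read", "write", "read write" or "none"
access_for() {
    read_acl=$(acl_field 'Read ACL' "$3")
    write_acl=$(acl_field 'Write ACL' "$3")
    result=''
    acl_allows "$read_acl" "$1" "$2" && result='read'
    acl_allows "$write_acl" "$1" "$2" && result="${result:+$result }write"
    printf '%s\n' "${result:-none}"
}

# Show what each principal (some named in the ACL, some not) actually gets.
for principal in Beta:memyself Gamma:leslie Beta:leslie Beta:joebob Gamma:anyone Delta:joebob; do
    printf '%-16s %s\n' "$principal" \
        "$(access_for "${principal%%:*}" "${principal#*:}" "$SAMPLE_STAT_OUTPUT")"
done
```

Running it shows Gamma:leslie with read and write (read via Gamma:*, write via the exact entry), Beta:leslie and Beta:joebob read-only, any other Gamma user read-only, and an unlisted project with nothing. Pipe real `swift stat -v` output into `access_for` in place of the sample to audit a live container.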
An error to ignore
A user who has been given write access to a container using ACLs will encounter an interesting error when uploading files to that container:
Gamma:leslie> swift upload AlphaContainer my-certificate.pem
Warning: failed to create container 'AlphaContainer': 403 Forbidden: <html><h1>Forbidden</h1><p>Access was denied to this resourc
my-certificate.pem
By default, the swift utility will try to create the container into which the specified file(s) will be uploaded. That process will fail, but the file upload itself will succeed.
So far, I cannot figure out a way to alter that behavior.