Ask Your Question
0

confusion about the consepts like account, user, group , reseller, admin

asked 2011-12-27 03:59:13 -0500

I am new to swift , and I get quite confused about some concepts here.

I've successfully installed swift 1.4.3 on ubuntu 10.04, but I have to many questions about the administration work about swift For auth subsystem I also tried both tempauth and swauth1.0.2

  1. account and user It seems that when you create a user, you also need to specify an account for that user

for example , if I use tempauth, I have to write in the proxy-server.conf something like user_admin_admin = admin .admin .reseller_admin

  the format is actually :
  user_<account>_<user> = <key> [group] [group] [...] [storage_url]

similarly, if I use swauth swauth-add-user [options] <account> <user> <password>

I don't understand the relation beteween the account and user. It seems to me that we can have multiple users under one account. So, does every account have its own namespace for username ? I mean can user in different account have the same username?

What's the difference beween users in the same account and users in different account ? Is there some access rule for that?

From the Open stack Object storage adminstrator manual
http://docs.openstack.org/diablo/openstack-object-storage/admin/content/authentication-and-access-permissions.html (http://docs.openstack.org/diablo/open...)

I quote here

"Generally speaking, each user has their own storage account and has full access to that account. Users must authenticate with their credentials as described above, but once authenticated they can create/delete containers and objects within that account. The only way a user can access the content from another account is if they share an API access key or a session token provided by your authentication system."

I get confused, should I give each user a different account or we can let users share one account. And if users share one account, what's their permission to those containers and objects created by others who are in the same account with them ?

2. the confusion about user access permisson in one account lead to my second question How do I implement acl rules for users

I have read the developer api document,I got nothing about acl in that http://docs.openstack.org/api/openstack-object-storage/1.0/content/ (http://docs.openstack.org/api/opensta...)

however, from http://docs.openstack.org/diablo/openstack-object-storage/admin/content/swift-cli-basics.html (http://docs.openstack.org/diablo/open...) I did find something about set acl rules with "swift post -r -w " but it doesn't explain the format for the acl rules

the guide on http://swift.openstack.org/misc.html#acls (http://swift.openstack.org/misc.html#...) did have something about acl strings, so may be I should use it with the " swift post -r / -w " ?

Since the swift cli is build above swift restful api, I think there should be someway I can directly use restful api to set acl rules for both containers and objests, right? So, I guess I must have missed some documents about this kind of api, please help me find that.

  1. about ...
(more)
edit retag flag offensive close merge delete

3 answers

Sort by » oldest newest most voted
0

answered 2011-12-27 08:54:47 -0500

I also have a questiong about the access permision of a regular user in a account

I create 2 users in one account system

swauth-add-user -K swauthkey -A https://localhost:8080/auth -a system root testpass

swauth-add-user -K swauthkey -A https://localhost:8080/auth system notroot1 testpass

user root is an account admin with "-a"

so the swift stat swift upload swift list command all work fine for user root

however, notroot1 seems have no perminsion to do such things

root@proxy1:~/swift_test/swauth-1.0.2-1# swift -A https://localhost:8080/auth/v1.0 -U system:root -K testpass stat Account: AUTH_2b2b685b-241d-4bec-b768-f80f407df757 Containers: 0 Objects: 0 Bytes: 0 Accept-Ranges: bytes

swift -A https://localhost:8080/auth/v1.0 -U system:notroot1 -K testpass stat Account HEAD failed: https://192.168.61.89:8080/v1/AUTH_2b2b685b-241d-4bec-b768-f80f407df757 (https://192.168.61.89:8080/v1/AUTH_2b...) 403 Forbidden

swift -A https://localhost:8080/auth/v1.0 -U system:root -K testpass upload root_container1 vmware_player40.pdf vmware_player40.pdf

root@proxy1:~/swift_test# swift -A https://localhost:8080/auth/v1.0 -U system:notroot1 -K testpass upload notroot1_container1 vmware_player40.pdf Object HEAD failed: https://192.168.61.89:8080/v1/AUTH_2b2b685b-241d-4bec-b768-f80f407df757/notroot1_container1/vmware_player40.pdf (https://192.168.61.89:8080/v1/AUTH_2b...) 403 Forbidden

edit flag offensive delete link more
0

answered 2012-01-27 10:13:02 -0500

Hi,

I have the same problem for creating users and accounts for swift

have you found any solution for your problem to create new users and accounts??

Thanks in advance for your help

Best regards Khaled

edit flag offensive delete link more
0

answered 2013-11-18 07:16:23 -0500

anilbhargava777 gravatar image

@ lisha : You have to create container as notroot1_container1 in the 'system' account and then give the read and write permissions to the system:notroot1 user by the admin user of account as:

swift -A https://192.168.62.4:8080/auth/v1.0 -U system:root -K testpass post notroot1_container1 -r system:notroot1 -w system:notroot1

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

Stats

Asked: 2011-12-27 03:59:13 -0500

Seen: 184 times

Last updated: Nov 18 '13