How to configure Swift to allow a user only creation of objects and deny modify/delete?

asked 2014-12-11 02:28:46 -0500

Mihai

updated 2014-12-11 17:21:22 -0500

smaffulli

My case is that I provide a web service which receives and serves files using remote OpenStack Swift storage, and I want that, in case of a credential compromise at the web service level, the person who gains access to those credentials would not be able to alter existing files.

I have created only one user for the web service. I have no problem in using the standard Swift ACL, except that ACLs seem to have only Unix-like permissions: read and write. I was hoping for a little more granular permissions, like delete and modify (in addition to read and write).

Does Swift support richer permissions or is there a way to configure ACL so that for a certain user it allows creation of new objects, but denies deletion and modification of existing objects?

@Mihai I have edited your question to be more precise. Feel free to also add an explanation as to why your use case is not covered by a simple negation of write. You mentioned security, which IMHO is covered by simply removing write access.

smaffulli (2014-12-11 17:24:53 -0500)

@smaffulli You pretty much said it yourself in the edit: I still want my web service to be able to put new objects. That's all I need it to be able to do: put new objects and get existing objects. No updating, no deleting existing ones. Wish the permissions were more Windows-like...

Mihai (2014-12-12 04:54:42 -0500)

1 answer

answered 2014-12-11 13:42:35 -0500

smaffulli

updated 2014-12-11 17:22:06 -0500

Have you already looked at Swift ACLs? They're described in the user guide and in the Swift developer documentation, too.

TempURLs (or temporary signed URLs) are another way to do this if you don't want to set up ACLs for every possible user.

TempURLs (or temporary signed URLs) are another way to do this if you don't want to set up ACLs for every possible user.

notmyname (2014-12-11 14:01:59 -0500)

@notmyname you should be able to edit answers: feel free to add to existing ones instead of using comments (which are hard to read)

smaffulli (2014-12-11 17:25:45 -0500)
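
As an added illustration of the TempURL approach mentioned in the answer (not code from this thread or from the Swift project), the Python example below signs a PUT-only URL for a fresh object name and models the server-side check, showing that the signature does not validate for DELETE, for another path, or after expiry. The key, account and container values are constructed, and it assumes the signing key is held by a separate signer rather than by the web service itself.

```python
import hmac
import time
from hashlib import sha1
from urllib.parse import urlparse, parse_qs
from uuid import uuid4

# Constructed sample values (assumptions, not from the original page).
TEMP_URL_KEY = b"constructed-sample-key"     # value set as X-Account-Meta-Temp-URL-Key
CONTAINER_PATH = "/v1/AUTH_example/uploads"  # hypothetical account and container


def sign(method, expires, path, key=TEMP_URL_KEY):
    """HMAC-SHA1 over 'METHOD\\nEXPIRES\\nPATH', the TempURL signature body."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key, body, sha1).hexdigest()


def issue_put_url(ttl=300, now=None):
    """Return a PUT-only URL for a fresh, unguessable object name."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    path = f"{CONTAINER_PATH}/{uuid4().hex}"
    sig = sign("PUT", expires, path)
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def would_accept(method, url, now=None, key=TEMP_URL_KEY):
    """Simplified model of the server-side check: method, path and expiry are bound."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False  # missing or malformed TempURL parameters
    if expires < now:
        return False  # link has expired
    # Recompute the signature for the method actually used in the request.
    return hmac.compare_digest(sig, sign(method, expires, parsed.path, key))


if __name__ == "__main__":
    url = issue_put_url()
    print(url)
    print("PUT accepted:", would_accept("PUT", url))
    print("DELETE accepted:", would_accept("DELETE", url))
```

A PUT TempURL can still overwrite its own path until it expires, so short lifetimes and unique object names matter.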


Asked: 2014-12-11 01:53:07 -0500

Seen: 418 times

Last updated: Dec 11 '14