asked 2015-01-15 05:24:48 -0600

I want to backup stuff to swift from within an instance. Therefore I need to enter credentials for a user that can write objects to a swift container in the backup script. For security reasons I want to limit what this user can as much as possible.

So given a tenant, I want to create a user in the tenant that cannot log in to horizon, cannot use the API to spawn instances or even just list/get stuff. I want this user to be able to do only one thing: Write objects in a specified swift container.

How should I go about this?

I am thinking along the lines of:

  • Create another role "_swift_" and assign it to this user, but not the "_member_" role. I would also assign this _swift_ role to all other users.

  • Modify proxy-server.conf so that it contains this role, like this:

        use = egg:swift#keystoneauth
        operator_roles = admin, SwiftOperator, _swift_

  • Then add some ACLs maybe?

Would this work, or would this break things?

Sounds about right. You don't need any ACLs after step 2. Better yet, you can just use swiftoperator in most cases.

zaitcev ( 2015-01-16 10:12:32 -0600 )

I tested this now, and it is not working as expected. I created a user with only the SwiftOperator role (removed _member_), but this user has full access to everything on the tenant. What have I overlooked?

Krist ( 2015-01-19 02:02:47 -0600 )

Denial is different from adding roles. Swift allows all access to the user with the same name as the tenant (such as zaitcev:zaitcev). It's called "owner" and works regardless of e.g. swiftoperator role.

zaitcev ( 2015-01-19 11:54:11 -0600 )

My problem is that it's not just swift that allows access. It's nova as well. I removed _member_ as a role from a user, and this user could still log in to Horizon, and could still stop and start instances. Also this user could use the nova command line tool. I want a swift only user.

Krist ( 2015-01-20 00:28:10 -0600 )

Did you ever get this working? Or find another solution?

Bazze ( 2015-11-12 14:54:46 -0600 )
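The question's plan (adding a role to operator_roles) and zaitcev's "owner" remark describe two different Swift authorization paths. The following is an added, hand-written model of how Swift's keystoneauth middleware decides a request; it is not Swift's source code and not posted by anyone in this thread. Tenant, user, role and container names (proj, backup-bot, backups) are constructed for the illustration, and the ACL syntax tenant:user is the keystoneauth form set with `swift post -w`. The model only covers what the thread discusses: operator roles, the owner shortcut for a user named like its tenant, reseller admin, and container write ACLs.

```python
# Simplified model of Swift keystoneauth authorization, added as an
# illustration for this thread. NOT Swift's own code: the rules below are an
# approximation of the behaviour discussed (operator_roles, the "owner"
# shortcut when user name == tenant name, container write ACLs), and every
# name and value is constructed for the example.
from dataclasses import dataclass

WRITE_METHODS = {"PUT", "POST", "DELETE", "COPY"}


@dataclass
class Request:
    tenant: str          # project (tenant) the Keystone token is scoped to
    user: str            # user name carried in the token
    roles: frozenset     # role names in the token
    account_tenant: str  # tenant that owns the Swift account being accessed
    container: str
    method: str          # HTTP method: GET, PUT, DELETE, ...


@dataclass
class Config:
    # mirrors the proxy-server.conf keys from the question; values are examples
    operator_roles: frozenset = frozenset({"admin", "swiftoperator", "_swift_"})
    reseller_admin_role: str = "ResellerAdmin"


def acl_matches(acl_entries, tenant, user):
    """keystoneauth-style ACL entries: 'tenant:user', 'tenant:*' or '*:*'."""
    return any(e in acl_entries for e in (f"{tenant}:{user}", f"{tenant}:*", "*:*"))


def authorize(req, cfg, write_acls):
    """Return (allowed, reason). write_acls maps container name -> set of ACL entries."""
    roles = {r.lower() for r in req.roles}
    # 1. A reseller admin may touch any account.
    if cfg.reseller_admin_role.lower() in roles:
        return True, "reseller_admin"
    # 2. Inside the account's own tenant, the "owner" shortcut and any
    #    operator role grant full access to every container, not just one.
    if req.tenant == req.account_tenant:
        if req.user == req.tenant:
            return True, "owner"
        if roles & {r.lower() for r in cfg.operator_roles}:
            return True, "operator_role"
    # 3. Otherwise only an explicit container ACL applies; a write ACL
    #    covers write methods only, so the holder cannot list or read.
    if req.method in WRITE_METHODS and acl_matches(
            write_acls.get(req.container, set()), req.tenant, req.user):
        return True, "container_write_acl"
    return False, "denied"


def backup_user_scenario():
    """The question's goal: a user that can only write into one container."""
    cfg = Config()
    # constructed ACL, as if set with: swift post -w proj:backup-bot backups
    acls = {"backups": {"proj:backup-bot"}}
    bot = dict(tenant="proj", user="backup-bot", roles=frozenset(), account_tenant="proj")
    return {
        "put_backups": authorize(Request(container="backups", method="PUT", **bot), cfg, acls),
        "get_backups": authorize(Request(container="backups", method="GET", **bot), cfg, acls),
        "put_other": authorize(Request(container="other", method="PUT", **bot), cfg, acls),
    }


def operator_role_scenario():
    """Adding _swift_ to operator_roles grants the whole account, not one container."""
    req = Request(tenant="proj", user="backup-bot", roles=frozenset({"_swift_"}),
                  account_tenant="proj", container="other", method="GET")
    return authorize(req, Config(), {})


def owner_scenario():
    """zaitcev's point: a user named like the tenant is owner regardless of roles."""
    req = Request(tenant="proj", user="proj", roles=frozenset(),
                  account_tenant="proj", container="anything", method="DELETE")
    return authorize(req, Config(), {})


if __name__ == "__main__":
    for name, result in backup_user_scenario().items():
        print(name, result)
    print("operator:", operator_role_scenario())
    print("owner:", owner_scenario())
```

What the model makes visible: a role listed in operator_roles is account-wide, so it gives the backup user read and write on every container, while a container write ACL for a user holding no operator role limits it to writes on that one container. Swift is only part of the picture, though: Nova's default policy at the time ("admin_or_owner") allowed any user whose token was scoped to the project, which is why dropping _member_ alone did not block Nova in Krist's test; that is outside what this model covers.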