1

How to enable policy.json support on SWIFT Openstack Mitaka (Keystone V3)

asked 2016-07-19 10:43:23 -0600

momsecure

I am trying to apply ACL / policy on containers (Mitaka OpenStack, Keystone V3). I can see that the base file policy.json isn't present. How can each user be allowed to read and write into his own container only?


2 answers

0

answered 2016-07-19 15:13:12 -0600

This document describes how to manage access to containers.


Comments

2

Thanks a lot barry.davis, it works like a charm with UUID

momsecure ( 2016-07-27 12:06:18 -0600 )
0

answered 2016-07-20 10:02:09 -0600

momsecure

Thanks, but we have already read it and tried it, and nothing works. That is why we were thinking of policy.json.

We have 2 users and we want to restrict access of each of them to their own containers

read : .r:,.rlistngs, tenant:users1 => it allowed for user2 not good
read : tenant:users1 => it denied for user1 and 2 not good either
read : .r:,.rlistngs, => it allowed for user1 and 2 not good either

What kind of config must we use to allow containers1 to User1 only and containers2 to user2?


Comments

1

Assuming the project name for user1 and user2 is 'demo', try this syntax: swift post container1 -r "demo:user1" and swift post container2 -r "demo:user2". Replace demo with the name of the project that user1 and user2 belong to.

barry.davis ( 2016-07-20 10:24:45 -0600 )

User1 and User2 must not be added to a role defined as operator_roles in proxy-server.conf. If operator_roles = user, admin then user1 and user2 must not belong to user or admin role in project. Define another role. Add user to that role in project. Remove user from user/admin role in project.

barry.davis ( 2016-07-20 11:35:01 -0600 )
1

Also, the use of UUID for project and user is preferred over project name and username in the swift post command, i.e.: swift post container1 -r "735ab48ee9cd9983f296de7435558eff:8674bcdea75462369797311442ecd2e3". Use openstack project list and openstack user list to obtain these values.

barry.davis ( 2016-07-20 11:44:38 -0600 )

Use openstack role assignment list --names to determine role assignment of users. Additional reference http://docs.openstack.org/developer/swift/overview_auth.html#access-control-using-keystoneauth

barry.davis ( 2016-07-20 11:46:53 -0600 )
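
The behaviour described in the comments above, as a simplified Python model added here for illustration (it is not Swift's keystoneauth code and not part of the original thread): a role listed in operator_roles overrides the container ACL, so per-user project:user entries only take effect once the users hold a different role. The IDs, the role name "swiftuser" and all function names are assumptions, and ACL entries are matched by ID only.

```python
# Simplified model of the container access decision described in the comments
# above. Added illustration; it is not Swift's keystoneauth code.

def parse_list(value):
    """Split a comma-separated config or ACL value into stripped items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def decide(user, container, operator_roles):
    """Return (allowed, reason) for a read request by `user` on `container`."""
    # A role listed in operator_roles, held on the project that owns the
    # container, grants full access no matter what the ACL says.
    if user["project_id"] == container["project_id"]:
        held = sorted(set(user["roles"]) & set(parse_list(operator_roles)))
        if held:
            return True, "operator role " + ",".join(held)
    # Otherwise the request needs an explicit project:user entry in the ACL.
    wanted = user["project_id"] + ":" + user["user_id"]
    if wanted in parse_list(container["read_acl"]):
        return True, "ACL entry " + wanted
    return False, "no operator role, no ACL entry"


def access_matrix(users, containers, operator_roles):
    """Map (user name, container name) -> allowed for every combination."""
    return {
        (u["name"], c["name"]): decide(u, c, operator_roles)[0]
        for u in users for c in containers
    }


# Constructed sample data: the IDs and the role name "swiftuser" are made up.
PROJECT = "proj-demo-id"
CONTAINERS = [
    {"name": "container1", "project_id": PROJECT, "read_acl": PROJECT + ":user1-id"},
    {"name": "container2", "project_id": PROJECT, "read_acl": PROJECT + ":user2-id"},
]


def make_users(role):
    """Build user1 and user2 scoped to PROJECT, both holding `role`."""
    return [{"name": n, "user_id": n + "-id", "project_id": PROJECT, "roles": [role]}
            for n in ("user1", "user2")]


if __name__ == "__main__":
    # operator_roles value taken from the example in the comment above.
    for role in ("user", "swiftuser"):
        print(role, access_matrix(make_users(role), CONTAINERS, "user, admin"))
```

With both users in the "user" role every cell of the matrix is allowed; with the non-operator role each user reaches only the container whose ACL names them.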

Stats

Asked: 2016-07-19 10:43:23 -0600

Seen: 183 times

Last updated: Jul 20 '16