How to enable policy.json support on SWIFT Openstack Mitaka (Keystone V3)

asked 2016-07-19 10:43:23 -0500

momsecure

I am trying to apply ACLs / policy on containers (Mitaka OpenStack, Keystone V3), and I can see that the base file policy.json isn't present. How do I allow each user to read and write only into their own container?

answered 2016-07-19 15:13:12 -0500

This document describes how to manage access to containers.

Thanks a lot barry.davis, it works like a charm with UUIDs.

momsecure (2016-07-27 12:06:18 -0500)

answered 2016-07-20 10:02:09 -0500

momsecure

Thanks, but we have already read it and tried it, and nothing works. That's why we were thinking of policy.json.

We have 2 users and we want to restrict access of each of them to their own containers

- read: .r:,.rlistngs, tenant:users1 => allowed for user2, not good
- read: tenant:users1 => denied for user1 and user2, not good either
- read: .r:,.rlistngs, => allowed for user1 and user2, not good either

What kind of config must we use to allow container1 to user1 only and container2 to user2 only?

Assuming the project name for user1 and user2 is 'demo', try this syntax: swift post container1 -r "demo:user1" and swift post container2 -r "demo:user2". Replace demo with the name of the project that user1 and user2 belong to.

barry.davis (2016-07-20 10:24:45 -0500)

user1 and user2 must not be added to a role defined in operator_roles in proxy-server.conf. If operator_roles = user, admin, then user1 and user2 must not belong to the user or admin role in the project. Define another role, add the users to that role in the project, and remove them from the user/admin role in the project.

barry.davis (2016-07-20 11:35:01 -0500)

Also, the use of UUIDs for project and user is preferred over project name and username in the swift post command, i.e.: swift post container1 -r "735ab48ee9cd9983f296de7435558eff:8674bcdea75462369797311442ecd2e3". Use openstack project list and openstack user list to obtain these values.

barry.davis (2016-07-20 11:44:38 -0500)

Use openstack role assignment list --names to determine role assignment of users. Additional reference

barry.davis (2016-07-20 11:46:53 -0500)
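The steps from barry.davis's comments carried out end to end in a shell script: resolve the project and user UUIDs, set each container's ACL to that single project_id:user_id element, confirm it with swift stat, and list the users' role assignments so nobody with an operator role slips through. This is an added example, not code from the thread; it also adds the matching -w write ACL (the thread only shows -r), and the project name demo, the user names user1/user2 and the container names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the OpenStack and
# Swift CLIs are installed and OS_* credentials are in the environment.
set -eu

# Resolve a project name and user name to the "project_id:user_id" ACL
# element (assumes names are unique; otherwise add --domain to the lookups).
acl_element() {   # acl_element <project-name> <user-name>
    project_id=$(openstack project show -f value -c id "$1")
    user_id=$(openstack user show -f value -c id "$2")
    printf '%s:%s\n' "$project_id" "$user_id"
}

# Set both the read and the write ACL of a container to exactly one element;
# swift post replaces the previous ACL value rather than appending to it.
grant_container() {   # grant_container <container> <acl-element>
    swift post "$1" -r "$2" -w "$2"
}

# Check 'swift stat <container>' output: succeeds only when both the
# Read ACL and the Write ACL lines equal the expected element.
acl_matches() {       # acl_matches <stat-output> <acl-element>
    printf '%s\n' "$1" | grep -qx "[[:space:]]*Read ACL: $2" &&
    printf '%s\n' "$1" | grep -qx "[[:space:]]*Write ACL: $2"
}

# Entry point: only runs when the CLIs are present on PATH.
if command -v openstack >/dev/null 2>&1 && command -v swift >/dev/null 2>&1; then
    for pair in "container1 user1" "container2 user2"; do
        set -- $pair   # $1 = container, $2 = user
        acl=$(acl_element demo "$2")
        grant_container "$1" "$acl"
        acl_matches "$(swift stat "$1")" "$acl" ||
            { echo "ACL not applied on $1" >&2; exit 1; }
        # If the user holds a role listed in operator_roles (proxy-server.conf)
        # the ACL is irrelevant, so review the assignments in the project.
        openstack role assignment list --names --user "$2" --project demo
    done
fi
```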
