How to authorize keystone users to access their swift objects

asked 2016-10-18 06:41:14 -0600

Hello, I would like to create a scenario that allows a set of Keystone users (U1,U2,U3), members of the role R1, to access only their own associated objects (O1,O2,O3) in a Swift container C1.

From what I understood, I cannot restrict access to API actions ("save" to download/"set" to update) in the keystone policy.json file as a rule "something:save":"role:R1 and user_id:..". Is there a way to do so? How would you implement this scenario?

Thanks for every hint and reply, Umberto



For most or all cases, permissions are based on role and project, not user. An OpenStack project maps to a Swift account, so that all users with a role in that project have the same access rights in principle. You can then control access to containers via ACLs, but not access to objects afaik.

Bernd Bausch (2016-10-20 19:39:27 -0600)

A somewhat technical discussion is found in

Bernd Bausch (2016-10-20 19:39:49 -0600)

Also, this has nothing to do with the keystone policy.json file. That file only contains authorizations for keystone, not for swift.

Bernd Bausch (2016-10-20 19:40:20 -0600)