Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

How do I create a Swift only user

I want to backup stuff to swift from within an instance. Therefore I need to enter credentials for a user that can write objects to a swift container in the backup script. For security reasons I want to limit what this user can as much as possible.

So given a tenant, I want to create a user in the tenant that can not log in to horizon, cannot use the API to spawn instances or even just list/get stuff. I want this user to be able to do only one thing: Write objects in a specified swift container.

How should I go about this?

I am thinking along the lines of:

  • Create another role "_swift_", and assigning that to this user, but not the "_member_" role. I would also assign this _swift_ role to all other users.

  • Modifying proxy-server.conf so that it contains this role. like this:

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator, _swift_
  • Then add some ACLS maybe?

Would this work, or would this break thing?