Programmer Thoughts

By John Dickinson

Setting Permissions (ACLs) on Openstack Swift containers

August 04, 2011

I frequently see people in the #openstack IRC channel on freenode asking about how to set up ACLs in swift. Here’s a short tutorial.

First, set up two accounts. How to do this is specific to your auth system. For this example, I’ll use the default tempauth that ships with swift.

In your proxy server config file, under the tempauth section, add the accounts:

user_test_tester = testing .admin
user_test_tester2 = testing2

The first user (“tester”) has admin privileges on the account (“.admin”). The second user (“tester2”) is in the test account, but will only have access to what the first user grants him. The two accounts don’t need to have the same tempauth account (the “test” part).

Auth the first user and create a container. Then set read permissions on that container for the second user:

# Authenticate as tester; "token1" below stands for the X-Auth-Token value returned here.
$ curl -i -H "X-Auth-User: test:tester" -H "X-Auth-Key: testing" \
    http://swift/auth/v1.0
# Create the container.
$ curl -i -XPUT -H "X-Auth-Token: token1" http://swift/v1/AUTH_test/container
# Grant tester2 read access to the container.
$ curl -i -XPOST -H "X-Auth-Token: token1" -H "X-Container-Read: test:tester2" \
    http://swift/v1/AUTH_test/container

Note that in the last curl command the proper value for the ACL is <account>:<user>.

Now, auth the second account. Note that the second account cannot list the containers or do anything but read what’s in the container called “container”.

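# Authenticate as tester2; "token2" below stands for the X-Auth-Token value returned here.
$ curl -i -H "X-Auth-User: test:tester2" -H "X-Auth-Key: testing2" \
    http://swift/auth/v1.0
# Listing the account's containers is denied.
$ curl -i -H "X-Auth-Token: token2" http://swift/v1/AUTH_test/
# Listing the contents of "container" is allowed by the read ACL.
$ curl -i -H "X-Auth-Token: token2" http://swift/v1/AUTH_test/container/
# Writing an object is denied: no write ACL has been granted.
$ curl -i -XPUT --data-binary 1234 -H "X-Auth-Token: token2" \
    http://swift/v1/AUTH_test/container/foo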

If one desires, adding the X-Container-Write header to a container will similarly grant write access.
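To make the outcome of the requests above easier to reason about, here is a simplified Python model of the decision, added as an illustration and not taken from swift's code. It assumes tempauth puts every user in its account group and its own <account>:<user> group, and that “.admin” marks the account owner; the function names and the sample data are constructed for this example.

```python
# Simplified model of a tempauth container ACL check (illustration only, not swift's code).

def parse_tempauth_users(conf_lines, reseller_prefix="AUTH_"):
    """Map 'account:user' -> groups, from 'user_<account>_<user> = <key> [groups]' lines."""
    users = {}
    for line in conf_lines:
        name, _, value = line.partition("=")
        _, account, user = name.strip().split("_", 2)
        _key, *groups = value.split()
        # Assumption: each user belongs to its account group and its own account:user group.
        member_of = {account, f"{account}:{user}"} | set(groups)
        if ".admin" in member_of:
            # .admin is swapped for the storage account id, which marks the account owner.
            member_of.discard(".admin")
            member_of.add(reseller_prefix + account)
        users[f"{account}:{user}"] = member_of
    return users

def parse_acl(header_value):
    """Split an X-Container-Read / X-Container-Write value into its entries."""
    return {item.strip() for item in (header_value or "").split(",") if item.strip()}

def is_allowed(users, who, storage_account, method, container_headers):
    """container_headers is None for a request on the account itself (no container)."""
    groups = users[who]
    if storage_account in groups:
        return True  # account owner: full access, no ACL consulted
    if container_headers is None:
        return False  # non-owners have no account-level access
    header = "X-Container-Read" if method in ("GET", "HEAD") else "X-Container-Write"
    return bool(groups & parse_acl(container_headers.get(header)))

# Constructed sample data mirroring the tutorial.
CONF = ["user_test_tester = testing .admin", "user_test_tester2 = testing2"]
USERS = parse_tempauth_users(CONF)
CONTAINER = {"X-Container-Read": "test:tester2"}

if __name__ == "__main__":
    for method, headers in (("GET", None), ("GET", CONTAINER), ("PUT", CONTAINER)):
        target = "account" if headers is None else "container"
        print(method, target, is_allowed(USERS, "test:tester2", "AUTH_test", method, headers))
    # A bare account name in the ACL matches every user of that tempauth account.
    print(is_allowed(USERS, "test:tester2", "AUTH_test", "GET", {"X-Container-Read": "test"}))
```

Under the model's assumptions, an ACL value of just “test” would match every user in the test account, so use the full <account>:<user> form when the grant is meant for one user.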

This work is licensed under a Creative Commons Attribution 3.0 Unported License.

The thoughts expressed here are my own and do not necessarily represent those of my employer.