Swift not allow ACLs between different users in different tenants using KeyStone
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Fix Released | Medium | Chmouel Boudjnah | |
Bug Description
I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.
I installed swift-1.4.8 (essex) and use keystone-2012.1 as the authentication system on CentOS 6.2.
My swift proxy-server.conf and keystone.conf are here:
Then, I use the script named opensatck_
After these operations, I got the tokens of demo:demo and newuser:newuser
curl -s -H 'Content-type: application/json' \
-d '{"auth": {"tenantName": "demo", "passwordCreden
http://
curl -s -H 'Content-type: application/json' \
-d '{"auth": {"tenantName": "newuser", "passwordCreden
http://
Then, enable read access to newuser:newuser
curl -X PUT -i \
-H "X-Auth-Token: <token of demo:demo>" \
-H "X-Container-Read: newuser:newuser" \
http://
Check the permission of the container:
curl -k -v -H 'X-Auth-
http://
This is the reply of the operation:
HTTP/1.1 200 OK
X-
X-
X-
Accept-Ranges: bytes
Content-
Content-Type: text/plain; charset=utf-8
Date: Fri, 11 May 2012 07:30:23 GMT
opensatck_
Now, the user newuser:newuser visits the container of demo:demo
curl -k -v -H 'X-Auth-
http://
However, I got a 403 error.
In my opinion, Swift ACLs should support sharing between different users in different tenants.
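The cross-tenant check the report expects, sketched as an added example that is not part of the original report and is not Swift or Keystone code. `Identity`, `parse_read_acl`, `can_read` and `status_for` are hypothetical names, the `tenant:user` matching rule is taken from the `X-Container-Read: newuser:newuser` header above, and the rule that the owning tenant always has access is a simplification.

```python
from __future__ import annotations
from typing import NamedTuple


class Identity(NamedTuple):
    """Tenant and user a token resolves to (constructed model)."""
    tenant: str
    user: str


def parse_read_acl(header: str) -> set[tuple[str, str]]:
    """Split an X-Container-Read value into (tenant, user) grants."""
    grants = set()
    for entry in header.split(","):
        tenant, sep, user = entry.strip().partition(":")
        # Skip referrer-style entries such as ".r:*"; they are not users.
        if tenant.startswith("."):
            continue
        # Drop malformed entries so a bad value can never widen access.
        if sep and tenant and user and ":" not in user:
            grants.add((tenant, user))
    return grants


def can_read(owner_tenant: str, read_acl: str, who: Identity) -> bool:
    """True when `who` may read a container owned by `owner_tenant`."""
    # Simplification for this example: the owning tenant always has access.
    if who.tenant == owner_tenant:
        return True
    # Cross-tenant case: both tenant and user must match a grant exactly.
    return (who.tenant, who.user) in parse_read_acl(read_acl)


def status_for(owner_tenant: str, read_acl: str, who: Identity) -> int:
    """HTTP status a GET on the container would return under this model."""
    return 200 if can_read(owner_tenant, read_acl, who) else 403


if __name__ == "__main__":
    acl = "newuser:newuser"  # value set by demo:demo in the report
    for who in (Identity("demo", "demo"), Identity("newuser", "newuser"),
                Identity("newuser", "otheruser")):  # last one is constructed
        print(who, status_for("demo", acl, who))
```

Under this model the request from newuser:newuser returns 200 rather than the 403 seen in the report, while a different user in the same tenant is still refused.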
affects: openstack-manuals → keystone
Changed in keystone:
status: Triaged → Confirmed
Changed in keystone:
importance: Undecided → Medium
tags: removed: keystone
Changed in keystone:
milestone: none → grizzly-2
status: Fix Committed → Fix Released
Changed in keystone:
milestone: grizzly-2 → 2013.1
Chmouel,
Would you take a look at the above request? I don't know enough about the S3/swift internals to know if this is a bug, a feature request, or something that's antithetical to the design of ACLs in swift.