I've been trying to get tenant acl permissions to work in devstack + swift, to no avail. I'm pretty sure this is both a bug in glance and at least a documentation bug in swift. I'll try to walk you through my testing.
First, I've created a container in the demo account, with one object.
ubuntu@devstack:~/devstack$ source accrc/demo/demo
ubuntu@devstack:~/devstack$ swift list
shared
ubuntu@devstack:~/devstack$ swift list shared
hello
Now, I'm going to try to give permission to the alt_demo tenant to list and get this container. But to prove to myself I've got the right tenant id, let's have a look:
ubuntu@devstack:~/devstack$ source accrc/admin/admin
ubuntu@devstack:~/devstack$ keystone tenant-get $alt_demo_tenant_id
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 35f623050ffd417a9d31165e923710c2 |
|     name    |             alt_demo             |
+-------------+----------------------------------+
Also, I saved the alt_demo account token to a local variable, just to prove I don't have anything up that sleeve either:
ubuntu@devstack:~/devstack$ source accrc/alt_demo/alt_demo
ubuntu@devstack:~/devstack$ swift list
alt-demo-private-container
ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_35f623050ffd417a9d31165e923710c2 -H "x-auth-token: $alt_demo_token" && echo
HTTP/1.1 200 OK
Content-Length: 27
Accept-Ranges: bytes
X-Timestamp: 1369164600.76605
X-Account-Bytes-Used: 0
X-Account-Container-Count: 1
Content-Type: text/plain; charset=utf-8
X-Account-Object-Count: 0
X-Trans-Id: tx1d36c4e5e92345e1bfe54-00519bcb70
Date: Tue, 21 May 2013 19:30:56 GMT
alt-demo-private-container
Now, I'll see if I can get the demo shared container using the standard "anyone can read" acl. It works.
ubuntu@devstack:~/devstack$ source accrc/demo/demo
ubuntu@devstack:~/devstack$ swift post -r '.r:*,.rlistings' shared
ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared -H "x-auth-token: $alt_demo_token" && echo
HTTP/1.1 200 OK
Content-Length: 6
X-Container-Object-Count: 1
Accept-Ranges: bytes
X-Timestamp: 1369163265.54228
X-Container-Bytes-Used: 14
Content-Type: text/plain; charset=utf-8
X-Trans-Id: txbae447f4ca0d4ed99cfb6-00519bcc36
Date: Tue, 21 May 2013 19:34:14 GMT
hello
ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared/hello -H "x-auth-token: $alt_demo_token" && echo
HTTP/1.1 200 OK
Content-Length: 14
Content-Type: application/octet-stream
Accept-Ranges: bytes
Last-Modified: Tue, 21 May 2013 19:25:30 GMT
Etag: 8a9c538c7f848d97d9d45736c4f709f3
X-Timestamp: 1369164330.47373
X-Object-Meta-Mtime: 1369164319.763935
X-Trans-Id: tx66a7c40fd40147cd8b1a8-00519bcc3c
Date: Tue, 21 May 2013 19:34:20 GMT
Hello, World.
But if I try to set the acl to just the alt_demo tenant_id, it does not work.
ubuntu@devstack:~/devstack$ swift post -r "$alt_demo_tenant_id" shared
ubuntu@devstack:~/devstack$ swift stat shared
Account: AUTH_69802d1079724934b4b6228739b270d4
Container: shared
Objects: 1
Bytes: 14
Read ACL: 35f623050ffd417a9d31165e923710c2
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Timestamp: 1369163265.54228
X-Trans-Id: txd4af28ab301f4e07aeca2-00519bcc83
Content-Type: text/plain; charset=utf-8
ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared -H "x-auth-token: $alt_demo_token" && echo
HTTP/1.1 403 Forbidden
Content-Length: 73
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx6c5d45e86bda4d4c868b9-00519bcc8f
Date: Tue, 21 May 2013 19:35:43 GMT
<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>
ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared/hello -H "x-auth-token: $alt_demo_token" && echo
HTTP/1.1 403 Forbidden
Content-Length: 73
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx46992332a50f4472aefa8-00519bcc93
Date: Tue, 21 May 2013 19:35:47 GMT
<html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>
I get similar results when I try the following acls:
swift post -r "$alt_demo_tenant_id" shared
swift post -r ".r:$alt_demo_tenant_id" shared
swift post -r "$alt_demo_tenant_id,.rlistings" shared
swift post -r ".r:$alt_demo_tenant_id,.rlistings" shared
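To make the pattern above reproducible offline, here is an added Python model (my own code, not Swift's keystoneauth middleware and not part of this post) of how a Swift-style container read ACL is split and checked: ".r:" entries are referrer rules, ".rlistings" gates container listings, and every other entry is matched as a role name or a tenant:user pair, so a bare tenant id matches nothing while ".r:*" grants reads to any request, authenticated or not. The tenant:user form with a "*" user wildcard is assumed from current keystoneauth documentation rather than shown by this post, and the alt_demo user id is a constructed placeholder.

```python
from urllib.parse import urlparse

# Constructed identity for the alt_demo tenant; the tenant id is the one from the post,
# the user id is a placeholder (the post never shows one).
ALT_DEMO = {"tenant_id": "35f623050ffd417a9d31165e923710c2", "tenant_name": "alt_demo",
            "user_id": "USER-ID-PLACEHOLDER", "user_name": "alt_demo", "roles": {"Member"}}


def parse_acl(acl):
    """Swift-style split: '.r:<host>' entries are referrers, all others are group/role names."""
    referrers, groups = [], []
    for entry in (acl or "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        if entry.startswith(".r:"):
            referrers.append(entry[3:].strip())
        else:
            groups.append(entry)
    return referrers, groups


def referrer_allowed(referer, referrer_acl):
    """'*' matches every request, even one with no Referer; '-host' entries deny; order matters."""
    allow = False
    host = urlparse(referer or "").hostname or "unknown"
    for entry in referrer_acl:
        deny = entry.startswith("-")
        pattern = entry[1:] if deny else entry
        if pattern == "*" or pattern == host or (pattern.startswith(".") and host.endswith(pattern)):
            allow = not deny
    return allow


def read_allowed(acl, identity, is_object, referer=None):
    """Model of a keystoneauth-style read check for a container listing or an object GET."""
    referrers, groups = parse_acl(acl)
    if referrer_allowed(referer, referrers):
        # a referrer match grants objects outright; a listing additionally needs .rlistings
        return is_object or ".rlistings" in groups
    # tenant:user entries (assumed form); a bare tenant id never takes this shape
    for tenant in (identity["tenant_id"], identity["tenant_name"]):
        for user in (identity["user_id"], identity["user_name"], "*"):
            if f"{tenant}:{user}" in groups:
                return True
    # remaining plain entries are compared with role names only
    return any(role in groups for role in identity["roles"])


def run_matrix(acls, identity):
    """Return {acl: (listing_ok, object_get_ok)}, mirroring the post's two curl requests per ACL."""
    return {acl: (read_allowed(acl, identity, False), read_allowed(acl, identity, True)) for acl in acls}
```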