I've been trying to get tenant acl permissions to work in devstack + swift, to no avail. I'm pretty sure this is both a bug in glance and at least a documentation bug in swift. I'll try to walk you through my testing.

First, I've created a container in the demo account, with one object.

    ubuntu@devstack:~/devstack$ source accrc/demo/demo
    ubuntu@devstack:~/devstack$ swift list
    shared
    ubuntu@devstack:~/devstack$ swift list shared
    hello

Now, I'm going to try to give permission to the alt_demo tenant to list and get this container. But to prove to myself I've got the right tenant id, let's have a look:

    ubuntu@devstack:~/devstack$ source accrc/admin/admin
    ubuntu@devstack:~/devstack$ keystone tenant-get $alt_demo_tenant_id
    +-------------+----------------------------------+
    | Property    | Value                            |
    +-------------+----------------------------------+
    | description |                                  |
    | enabled     | True                             |
    | id          | 35f623050ffd417a9d31165e923710c2 |
    | name        | alt_demo                         |
    +-------------+----------------------------------+

Also, I saved the alt_demo account token to a local variable, just to prove I don't have anything up that sleeve either:

    ubuntu@devstack:~/devstack$ source accrc/alt_demo/alt_demo
    ubuntu@devstack:~/devstack$ swift list
    alt-demo-private-container
    ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_35f623050ffd417a9d31165e923710c2 -H "x-auth-token: $alt_demo_token" && echo
    HTTP/1.1 200 OK
    Content-Length: 27
    Accept-Ranges: bytes
    X-Timestamp: 1369164600.76605
    X-Account-Bytes-Used: 0
    X-Account-Container-Count: 1
    Content-Type: text/plain; charset=utf-8
    X-Account-Object-Count: 0
    X-Trans-Id: tx1d36c4e5e92345e1bfe54-00519bcb70
    Date: Tue, 21 May 2013 19:30:56 GMT

    alt-demo-private-container

Now, I'll see if I can get the demo shared container using the standard "anyone can read" acl. It works.

    ubuntu@devstack:~/devstack$ source accrc/demo/demo
    ubuntu@devstack:~/devstack$ swift post -r '.r:*,.rlistings' shared
    ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared -H "x-auth-token: $alt_demo_token" && echo
    HTTP/1.1 200 OK
    Content-Length: 6
    X-Container-Object-Count: 1
    Accept-Ranges: bytes
    X-Timestamp: 1369163265.54228
    X-Container-Bytes-Used: 14
    Content-Type: text/plain; charset=utf-8
    X-Trans-Id: txbae447f4ca0d4ed99cfb6-00519bcc36
    Date: Tue, 21 May 2013 19:34:14 GMT

    hello

    ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared/hello -H "x-auth-token: $alt_demo_token" && echo
    HTTP/1.1 200 OK
    Content-Length: 14
    Content-Type: application/octet-stream
    Accept-Ranges: bytes
    Last-Modified: Tue, 21 May 2013 19:25:30 GMT
    Etag: 8a9c538c7f848d97d9d45736c4f709f3
    X-Timestamp: 1369164330.47373
    X-Object-Meta-Mtime: 1369164319.763935
    X-Trans-Id: tx66a7c40fd40147cd8b1a8-00519bcc3c
    Date: Tue, 21 May 2013 19:34:20 GMT

    Hello, World.

But if I try to set the acl to just the alt_demo tenant_id, it does not work.

    ubuntu@devstack:~/devstack$ swift post -r "$alt_demo_tenant_id" shared
    ubuntu@devstack:~/devstack$ swift stat shared
    Account: AUTH_69802d1079724934b4b6228739b270d4
    Container: shared
    Objects: 1
    Bytes: 14
    Read ACL: 35f623050ffd417a9d31165e923710c2
    Write ACL:
    Sync To:
    Sync Key:
    Accept-Ranges: bytes
    X-Timestamp: 1369163265.54228
    X-Trans-Id: txd4af28ab301f4e07aeca2-00519bcc83
    Content-Type: text/plain; charset=utf-8
    ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared -H "x-auth-token: $alt_demo_token" && echo
    HTTP/1.1 403 Forbidden
    Content-Length: 73
    Content-Type: text/html; charset=UTF-8
    X-Trans-Id: tx6c5d45e86bda4d4c868b9-00519bcc8f
    Date: Tue, 21 May 2013 19:35:43 GMT

    Forbidden
    Access was denied to this resource.

    ubuntu@devstack:~/devstack$ curl -i http://10.130.50.54:8080/v1/AUTH_69802d1079724934b4b6228739b270d4/shared/hello -H "x-auth-token: $alt_demo_token" && echo
    HTTP/1.1 403 Forbidden
    Content-Length: 73
    Content-Type: text/html; charset=UTF-8
    X-Trans-Id: tx46992332a50f4472aefa8-00519bcc93
    Date: Tue, 21 May 2013 19:35:47 GMT

    Forbidden
    Access was denied to this resource.

I get similar results when I try the following acls:

    swift post -r "$alt_demo_tenant_id" shared
    swift post -r ".r:$alt_demo_tenant_id" shared
    swift post -r "$alt_demo_tenant_id,.rlistings" shared
    swift post -r ".r:$alt_demo_tenant_id,.rlistings" shared
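
An added example, not part of the original post and not Swift's own code: a simplified model of how a container read ACL string is split into referrer patterns (`.r:` entries, matched against the request's Referer host) and group entries, run over the ACL values tried above. The `read_allowed` helper and the `ALT_DEMO` identity strings are assumptions; which strings an auth middleware compares against group entries depends on the middleware and its version.

```python
from urllib.parse import urlparse

TENANT = "35f623050ffd417a9d31165e923710c2"  # alt_demo tenant id from the post


def parse_acl(acl_string):
    """Split an ACL into (referrer patterns, group entries)."""
    referrers, groups = [], []
    for value in filter(None, (v.strip() for v in acl_string.split(","))):
        if value.startswith(".r:"):
            referrers.append(value[len(".r:"):])
        else:
            groups.append(value)
    return referrers, groups


def referrer_allowed(referer, patterns):
    """Match the Referer header's host against .r: patterns, in order."""
    host = urlparse(referer or "").hostname or "unknown"
    allow = False
    for pat in patterns:
        negate = pat.startswith("-")
        pat = pat[1:] if negate else pat
        hit = pat == host or (pat.startswith(".") and host.endswith(pat))
        if negate:
            allow = allow and not hit
        elif pat == "*" or hit:
            allow = True
    return allow


def read_allowed(acl, identity, referer=None, is_listing=False):
    """identity: strings the auth middleware compares with group entries
    (hypothetical parameter; the real set is middleware-specific)."""
    referrers, groups = parse_acl(acl)
    if referrer_allowed(referer, referrers):
        # Referrer-based access covers listings only with .rlistings set.
        if not is_listing or ".rlistings" in groups:
            return True
    return any(g in identity for g in groups if not g.startswith("."))


# Constructed identity for the alt_demo token (assumption, not from the post).
ALT_DEMO = {TENANT + ":alt_demo", "Member"}

if __name__ == "__main__":
    for acl in (".r:*,.rlistings", TENANT, ".r:" + TENANT,
                TENANT + ",.rlistings", ".r:" + TENANT + ",.rlistings"):
        print(acl, parse_acl(acl), read_allowed(acl, ALT_DEMO, is_listing=True))
```

In this model `.r:<tenant id>` is a Referer host pattern rather than a tenant grant, and a bare tenant id is granted only when the middleware offers that exact string for the caller.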