This has been filed already by zhangjialong: https://bugs.launchpad.net/keystone/+bug/999615
I am not very familiar with how Keystone RBAC works; AFAIK the current way to do that with policy.json is going to go away in the future, right?

Chmouel.

On Tue, May 15, 2012 at 6:37 PM, Nguyen, Liem Manh <liem_m_ngu...@hp.com> wrote:
> Yeah, that is because the swift/keystone middleware checks for the
> tenantId to match the accountId in the URL path... Perhaps, we should rely
> strictly on Swift ACL for granting access to a given Swift container, and
> rely on Keystone RBAC for what you can do with a given Swift account.
>
> BTW, we also ran into this issue before... Has a bug/feature request been
> filed for this yet? If not, I can file one.
>
> Thanks,
> Liem
>
> -----Original Message-----
> From: openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net [mailto:
> openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net] On Behalf Of
> Chmouel Boudjnah
> Sent: Tuesday, May 15, 2012 2:55 AM
> To: 张家龙
> Cc: openstack
> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>
> Hi,
>
> In swift+keystone you are not allowed to have ACL between different
> account/tenant/project, you can only allow ACL between different
> users in a tenant.
> This is probably something not too difficult to implement but it may
> need some tinkering to get it right. Please feel free to log a bug in
> keystone and we'll try to address that.
>
> Chmouel.
>
> On Sat, May 12, 2012 at 4:02 AM, 张家龙 <zhan...@awcloud.com> wrote:
> > Vish,
> > Thank you for answering.
> > While, sorry, I don't understand what you said.
> > Do you mean I have to do as follows when setting up ACLs:
> >
> > curl -X PUT -i \
> >   -H "X-Auth-Token: <token of demo:demo>" \
> >   -H "X-Container-Read: <tenant_id:user_id>" \
> >   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >
> > Or other operations and settings?
> > ------------------
> > Best Regards
> >
> > ZhangJialong
> >
> > ------------------ Original ------------------
> > From: "Vishvananda Ishaya"<vishvana...@gmail.com>;
> > Date: Sat, May 12, 2012 03:03 AM
> > To: "张家龙"<zhan...@awcloud.com>;
> > Cc: "openstack"<openstack@lists.launchpad.net>;
> > Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
> >
> > I'm not totally sure about this, but you might have to use the project_id
> > from keystone instead of the project_name when setting up acls. The same
> > may be true of user_id.
> >
> > Vish
> >
> > On Fri, May 11, 2012 at 12:51 AM, 张家龙 <zhan...@awcloud.com> wrote:
> >>
> >> Hello, everyone.
> >>
> >> I encountered some problems when I set permissions (ACLs) on Openstack
> >> Swift containers.
> >> I installed swift-1.4.8 (essex) and use keystone-2012.1 as
> >> authentication system on CentOS 6.2.
> >>
> >> My swift proxy-server.conf and keystone.conf are here:
> >> http://pastebin.com/dUnHjKSj
> >>
> >> Then I use the script named opensatck_essex_data.sh
> >> ( http://pastebin.com/LWGVZrK0 ) to initialize keystone.
> >>
> >> After these operations, I got the token of demo:demo and
> >> newuser:newuser
> >>
> >> curl -s -H 'Content-type: application/json' \
> >>   -d '{"auth": {"tenantName": "demo", "passwordCredentials":
> >>        {"username": "demo", "password": "admin"}}}' \
> >>   http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
> >>
> >> curl -s -H 'Content-type: application/json' \
> >>   -d '{"auth": {"tenantName": "newuser", "passwordCredentials":
> >>        {"username": "newuser", "password": "admin"}}}' \
> >>   http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
> >>
> >> Then, enable read access to newuser:newuser
> >>
> >> curl -X PUT -i \
> >>   -H "X-Auth-Token: <token of demo:demo>" \
> >>   -H "X-Container-Read: newuser:newuser" \
> >>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >>
> >> Check the permission of the container:
> >>
> >> curl -k -v -H 'X-Auth-Token:<token of demo:demo>' \
> >>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >>
> >> This is the reply of the operation:
> >>
> >> HTTP/1.1 200 OK
> >> X-Container-Object-Count: 1
> >> X-Container-Read: newuser:newuser
> >> X-Container-Bytes-Used: 2735
> >> Accept-Ranges: bytes
> >> Content-Length: 24
> >> Content-Type: text/plain; charset=utf-8
> >> Date: Fri, 11 May 2012 07:30:23 GMT
> >>
> >> opensatck_essex_data.sh
> >>
> >> Now, the user newuser:newuser visits the container of demo:demo
> >>
> >> curl -k -v -H 'X-Auth-Token:<token of newuser:newuser>' \
> >>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
> >>
> >> However, I got a 403 error. Can someone help me?
> >>
> >> ------------------
> >> Best Regards
> >>
> >> ZhangJialong
> >>
> >> _______________________________________________
> >> Mailing list: https://launchpad.net/~openstack
> >> Post to     : openstack@lists.launchpad.net
> >> Unsubscribe : https://launchpad.net/~openstack
> >> More help   : https://help.launchpad.net/ListHelp
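The behaviour discussed in this thread, as an added example that is not part of any message and is not Swift's or Keystone's code: a simplified model of the tenant-match check Liem describes, next to the ACL-based alternative he proposes. Assumptions: the function names, the `owner` flag, the user IDs, the newuser tenant ID and the acceptance of ACL entries by either ID or name are all constructed for illustration; only the demo account path comes from the thread.

```python
from dataclasses import dataclass

# Account path taken from the thread's URLs; all other IDs are constructed.
DEMO_ACCOUNT = "AUTH_f1723800c821453d9f22d42d1fbb334b"

@dataclass(frozen=True)
class Identity:
    """Fields a validated Keystone token yields (simplified model)."""
    tenant_id: str
    tenant_name: str
    user_id: str
    user_name: str
    owner: bool = False  # assumption: caller holds an account-owner role

def acl_allows(identity: Identity, read_acl: str) -> bool:
    """True if an X-Container-Read entry names the caller by ID or by name."""
    entries = {e.strip() for e in read_acl.split(",") if e.strip()}
    return bool(entries & {
        f"{identity.tenant_id}:{identity.user_id}",
        f"{identity.tenant_name}:{identity.user_name}",
    })

def tenant_match_policy(identity: Identity, account: str, read_acl: str) -> int:
    """Thread's described behaviour: token tenant must equal the URL account."""
    if account != "AUTH_" + identity.tenant_id:
        return 403  # denied before the container ACL is consulted
    return 200 if identity.owner or acl_allows(identity, read_acl) else 403

def acl_policy(identity: Identity, account: str, read_acl: str) -> int:
    """Liem's proposal: the container ACL alone grants container access."""
    if account == "AUTH_" + identity.tenant_id and identity.owner:
        return 200
    return 200 if acl_allows(identity, read_acl) else 403

# Constructed identities mirroring the thread's demo:demo and newuser:newuser.
DEMO = Identity("f1723800c821453d9f22d42d1fbb334b", "demo", "u-demo", "demo", owner=True)
NEWUSER = Identity("0" * 32, "newuser", "u-newuser", "newuser", owner=True)
ACL = "newuser:newuser"  # X-Container-Read value set in the original post

if __name__ == "__main__":
    for who in (DEMO, NEWUSER):
        print(who.user_name,
              tenant_match_policy(who, DEMO_ACCOUNT, ACL),
              acl_policy(who, DEMO_ACCOUNT, ACL))
```

Under the tenant-match model the newuser request is refused even though the container's read ACL names it, which is the 403 reported in the original post; under the ACL-based model the same request is allowed while a caller absent from the ACL is still refused.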