There is a nice write-up of Keystone RBAC here: https://blueprints.launchpad.net/keystone/+spec/rbac-keystone
AFAIK, Keystone will provide a CRUD API around policy.json, but policy enforcement is done at the service level... Joe or Dolph may be able to provide more insights...

Liem

From: Chmouel Boudjnah [mailto:chmo...@chmouel.com]
Sent: Tuesday, May 15, 2012 9:41 AM
To: Nguyen, Liem Manh
Cc: 张家龙; openstack
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone

This has been filed already, zhangjialong: https://bugs.launchpad.net/keystone/+bug/999615

I am not very familiar with how Keystone RBAC would work; AFAIK the current way to do that with policy.json is going to go away in the future, right?

Chmouel.

On Tue, May 15, 2012 at 6:37 PM, Nguyen, Liem Manh <liem_m_ngu...@hp.com> wrote:

Yeah, that is because the swift/keystone middleware checks for the tenantId to match the accountId in the URL path...

Perhaps we should rely strictly on Swift ACLs for granting access to a given Swift container, and rely on Keystone RBAC for what you can do with a given Swift account.

BTW, we also ran into this issue before... Has a bug/feature request been filed for this yet? If not, I can file one.

Thanks,
Liem

-----Original Message-----
From: openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net [mailto:openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net] On Behalf Of Chmouel Boudjnah
Sent: Tuesday, May 15, 2012 2:55 AM
To: 张家龙
Cc: openstack
Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone

Hi,

In swift+keystone you are not allowed to have ACLs between different accounts/tenants/projects; you can only allow ACLs between different users in a tenant. This is probably something not too difficult to implement, but it may need some tinkering to get it right.

Please feel free to log a bug in keystone and we'll try to address that.

Chmouel.
On Sat, May 12, 2012 at 4:02 AM, 张家龙 <zhan...@awcloud.com> wrote:
> Vish,
> Thank you for answering.
> Well, sorry, I don't understand what you said.
> Do you mean I have to do as follows when I set up ACLs:
>
> curl -X PUT -i \
>   -H "X-Auth-Token: <token of demo:demo>" \
>   -H "X-Container-Read: <tenant_id:user_id>" \
>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>
> Or other operations and settings?
> ------------------
> Best Regards
>
> ZhangJialong
>
>
> ------------------ Original ------------------
> From: "Vishvananda Ishaya" <vishvana...@gmail.com>;
> Date: Sat, May 12, 2012 03:03 AM
> To: "张家龙" <zhan...@awcloud.com>;
> Cc: "openstack" <openstack@lists.launchpad.net>;
> Subject: Re: [Openstack] Swift Object Storage ACLs with KeyStone
>
> I'm not totally sure about this, but you might have to use the project_id
> from keystone instead of the project_name when setting up ACLs. The same
> may be true of user_id.
>
> Vish
>
> On Fri, May 11, 2012 at 12:51 AM, 张家龙 <zhan...@awcloud.com> wrote:
>>
>> Hello, everyone.
>>
>> I encountered some problems when I set permissions (ACLs) on OpenStack
>> Swift containers.
>> I installed swift-1.4.8 (Essex) and use keystone-2012.1 as the
>> authentication system on CentOS 6.2.
>>
>> My swift proxy-server.conf and keystone.conf are here:
>> http://pastebin.com/dUnHjKSj
>>
>> Then I use the script named opensatck_essex_data.sh
>> (http://pastebin.com/LWGVZrK0) to initialize keystone.
>>
>> After these operations, I got the tokens of demo:demo and
>> newuser:newuser:
>>
>> curl -s -H 'Content-type: application/json' \
>>   -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "admin"}}}' \
>>   http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>> curl -s -H 'Content-type: application/json' \
>>   -d '{"auth": {"tenantName": "newuser", "passwordCredentials": {"username": "newuser", "password": "admin"}}}' \
>>   http://127.0.0.1:5000/v2.0/tokens | python -mjson.tool
>>
>> Then enable read access for newuser:newuser:
>>
>> curl -X PUT -i \
>>   -H "X-Auth-Token: <token of demo:demo>" \
>>   -H "X-Container-Read: newuser:newuser" \
>>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> Check the permissions of the container:
>>
>> curl -k -v -H 'X-Auth-Token: <token of demo:demo>' \
>>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> This is the reply of the operation:
>>
>> HTTP/1.1 200 OK
>> X-Container-Object-Count: 1
>> X-Container-Read: newuser:newuser
>> X-Container-Bytes-Used: 2735
>> Accept-Ranges: bytes
>> Content-Length: 24
>> Content-Type: text/plain; charset=utf-8
>> Date: Fri, 11 May 2012 07:30:23 GMT
>>
>> opensatck_essex_data.sh
>>
>> Now the user newuser:newuser visits the container of demo:demo:
>>
>> curl -k -v -H 'X-Auth-Token: <token of newuser:newuser>' \
>>   http://127.0.0.1:8080/v1/AUTH_f1723800c821453d9f22d42d1fbb334b/demodirc
>>
>> However, I got a 403 error. Can someone help me?
>>
>> ------------------
>> Best Regards
>>
>> ZhangJialong
_______________________________________________ Mailing list: https://launchpad.net/~openstack Post to : openstack@lists.launchpad.net Unsubscribe : https://launchpad.net/~openstack More help : https://help.launchpad.net/ListHelp
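The failure mode discussed in this thread (the proxy comparing the token's tenant with the AUTH_ account in the URL before it ever looks at X-Container-Read), shown as an added, constructed model. This is example code written for this page, not the Essex keystone swift_auth middleware and not anything posted by the participants; the "AUTH_" reseller prefix, the operator role names, the account-listing rule and the acceptance of both ids and names in ACL entries are assumptions made for the illustration.

```python
"""Constructed model of the swift+keystone authorization decision in this thread.

NOT the real Essex keystone swift_auth middleware. It models only what the
thread describes: the token's tenant must own the AUTH_<tenant_id> account in
the path before any container ACL is consulted, so an X-Container-Read entry
naming a user from another tenant never grants access (hence the 403).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCOUNT_PREFIX = "AUTH_"                       # assumed reseller prefix
OPERATOR_ROLES = ("admin", "swiftoperator")    # assumed account-operator roles


@dataclass
class TokenInfo:
    """Subset of what a validated Keystone token tells the proxy (constructed)."""
    tenant_id: str
    tenant_name: str
    user_id: str
    user_name: str
    roles: Tuple[str, ...] = ()


def split_path(path: str) -> Tuple[str, Optional[str], Optional[str]]:
    """'/v1/AUTH_<tenant>/<container>/<object>' -> (account, container, object)."""
    parts = path.strip("/").split("/", 3)
    if len(parts) < 2 or parts[0] != "v1":
        raise ValueError("not a v1 storage path: %r" % path)
    account = parts[1]
    container = parts[2] if len(parts) > 2 else None
    obj = parts[3] if len(parts) > 3 else None
    return account, container, obj


def parse_read_acl(acl: str) -> List[Tuple[str, str]]:
    """Parse 'tenant:user,tenant:user' into (tenant, user) pairs.

    Referrer rules such as '.r:*' are outside this model and are skipped.
    """
    entries = []
    for item in (acl or "").split(","):
        item = item.strip()
        if ":" in item and not item.startswith(".r:"):
            tenant, user = item.split(":", 1)
            entries.append((tenant, user))
    return entries


def authorize_read(token: TokenInfo, path: str, container_read_acl: str = "") -> Tuple[int, str]:
    """Return (status, reason) for a GET on `path` by the holder of `token`."""
    account, container, _ = split_path(path)
    if not account.startswith(ACCOUNT_PREFIX):
        return 403, "account %r lacks the %s prefix" % (account, ACCOUNT_PREFIX)
    account_tenant = account[len(ACCOUNT_PREFIX):]

    # Check 1: the tenant in the token must own the account in the URL.
    # This is why newuser:newuser gets 403 in the thread: the container ACL
    # below is never reached for a token from another tenant.
    if account_tenant != token.tenant_id:
        return 403, "token tenant %s does not own account %s" % (token.tenant_id, account)

    # Account operators may read anything in their own account (assumption).
    if any(role in OPERATOR_ROLES for role in token.roles):
        return 200, "operator role in own tenant"

    # Check 2: same tenant, so a tenant:user entry in X-Container-Read can
    # grant read access. Following Vish's hint, ids are what the ACL should
    # carry; this model also accepts names so both forms can be tried.
    if container is None:
        return 403, "account listing requires an operator role (assumption)"
    for tenant, user in parse_read_acl(container_read_acl):
        tenant_ok = tenant in (token.tenant_id, token.tenant_name)
        user_ok = user in (token.user_id, token.user_name)
        if tenant_ok and user_ok:
            return 200, "granted by X-Container-Read entry %s:%s" % (tenant, user)
    return 403, "no X-Container-Read entry matches %s:%s" % (token.tenant_name, token.user_name)


if __name__ == "__main__":
    DEMO_TENANT = "f1723800c821453d9f22d42d1fbb334b"   # tenant id from the thread's URLs
    path = "/v1/%s%s/demodirc" % (ACCOUNT_PREFIX, DEMO_TENANT)
    # Constructed tokens: demo owns the account; newuser lives in another tenant.
    demo = TokenInfo(DEMO_TENANT, "demo", "id-demo", "demo", ("admin",))
    newuser = TokenInfo("0123456789abcdef0123456789abcdef", "newuser", "id-newuser", "newuser")
    print(authorize_read(demo, path, "newuser:newuser"))
    print(authorize_read(newuser, path, "newuser:newuser"))
```

Running it reproduces the thread's outcome: the owner's request passes on the operator role, and newuser's request is refused by the tenant/account comparison regardless of the ACL the owner set. A second user created inside the demo tenant, on the other hand, is granted read access by a matching `demo:<user>` or `<tenant_id>:<user_id>` entry, which is the same-tenant case Chmouel describes as the only one supported.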