I found out what I had done that caused the behavior in the original note; posting here for reference.
In my proxy-server.conf file I had the setting 'is_admin = true' in the filter:keystone section, which I didn't realize will grant swift operator privileges to any user whose name matches its tenant name. And in each test I was creating a new tenant and new user with the same name, so I would always see new users be given swift operator privileges. When I created a user with a name different than its tenant, then I was given an unauthorized error as expected.

-Jake

Jake Kugel/Rochester/IBM@IBMUS wrote on 01/14/2015 10:40:39 AM:

> From: Jake Kugel/Rochester/IBM@IBMUS
> To: openstack@lists.openstack.org
> Date: 01/14/2015 10:53 AM
> Subject: [Openstack] [Swift] Access control using keystoneauth - new
> user can create container by default
>
> Hello,
>
> I am just beginning to learn Swift, and had a question about how access
> control using keystoneauth works. I noticed that the documentation here
> [1] says that:
>
> "By default the only users able to perform operations (e.g. create a
> container) on an account are those having a Keystone role for the
> corresponding Keystone project that matches one of the roles specified in
> the operator_roles option."
>
> However I have built two Swift test clusters using Swift 2.2.0, one using
> Icehouse Keystone and one with Juno Keystone, and in both cases I can
> create a new user and tenant with no special role, and this new user and
> tenant is able to create new containers by default. Do I have things
> configured incorrectly? Here is the keystone section of
> /etc/swift/proxy-server.conf:
>
> [filter:keystone]
> use = egg:swift#keystoneauth
> operator_roles = admin, SwiftOperator
> is_admin = true
> cache = swift.cache
>
> -Jake
>
> [1] http://docs.openstack.org/developer/swift/overview_auth.html
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
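The following is an added example, not part of the original message and not Swift's own code: a small audit that finds keystoneauth filter sections with `is_admin` enabled, plus a simplified model of the grant the message describes. The function names, the set of accepted truthy strings, the exact-match role comparison and the sample user and tenant names are assumptions made for illustration.

```python
import configparser

# Constructed sample: the [filter:keystone] section quoted in the message above.
SAMPLE_CONF = """\
[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
is_admin = true
cache = swift.cache
"""

# Assumption: strings treated as "enabled" by this audit.
TRUE_VALUES = {"true", "1", "yes", "on", "t", "y"}


def audit_keystoneauth(conf_text):
    """Return (section, operator_roles, is_admin) for each keystoneauth filter."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for name in parser.sections():
        section = parser[name]
        if section.get("use", "").strip() != "egg:swift#keystoneauth":
            continue
        raw_roles = section.get("operator_roles", "")
        roles = [r.strip() for r in raw_roles.split(",") if r.strip()]
        is_admin = section.get("is_admin", "false").strip().lower() in TRUE_VALUES
        findings.append((name, roles, is_admin))
    return findings


def is_operator(user, tenant, user_roles, operator_roles, is_admin):
    """Simplified model of the behaviour described in the message."""
    if is_admin and user == tenant:
        return True  # a name match alone grants operator privileges
    return any(role in operator_roles for role in user_roles)


if __name__ == "__main__":
    for section, roles, is_admin in audit_keystoneauth(SAMPLE_CONF):
        status = "WARNING: is_admin enabled" if is_admin else "ok"
        print(f"[{section}] operator_roles={roles} -> {status}")
        # Constructed identities: a role-less user named like its tenant, and one that is not.
        for user, tenant in (("demo", "demo"), ("alice", "demo")):
            granted = is_operator(user, tenant, [], roles, is_admin)
            print(f"  user={user} tenant={tenant} roles=[] -> operator={granted}")
```

Running the audit against a deployed proxy-server.conf (read the file and pass its text to `audit_keystoneauth`) shows whether role-less users can pick up operator rights through a name match alone.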