ACLs for OpenStack Swift Object Storage

By Paul Heinlein | Aug 11, 2016

An OpenStack Swift object-storage container is usually available only to users in the project in which the container was created, but Swift has an access-control mechanism that allows subtle permission sets to be constructed.

You ordinarly access the Object Store via the web interface: Project > Compute > Object Store > Containers. From there you can create and view containers, upload and download files using the containers, etc.

Swift ACLs cannot be accessed via the web interface; they must be constructed using the swift command-line utility. (OK, you can also use curl, but that’s an exercise left to the reader.)

Note: These instructions work with the Mitaka release of OpenStack and version 3.0 of the swift utility. Other release combinations may produce varying results.

Install swift utility

The swift utility is a Python program that comes with the swiftclient bundle. It’s available as the python-swiftclient package on newer Ubuntu systems. It’s available via a package of the same name on CentOS systems from the centos-openstack-mitaka repository. For full use, you’ll also need the python-keystoneclient package. If your system doesn’t provide prebuilt packages, you can install them using pip:

# add the --user option to put these in your home directory
# if you don't have root privileges.
pip install python-swiftclient
pip install python-keystoneclient

On Macs, there’s also a compiler called “swift,” so you’ll want to make sure you’re seeing the right one:

[bash]$ swift --version
python-swiftclient 3.0.0

Example: A container for your many selves

Let’s say that you’re a member of two different projects: Alpha and Beta. Your username in both projects is memyself.

Create a container in one project

Let’s start by creating a container with the Alpha project:

export OS_USERNAME=memyself
export OS_TENANT_NAME=Alpha
export OS_PASSWORD=myPassWord
export OS_AUTH_URL=http://openstack.domain.com:5000/v2.0
export OS_REGION_NAME=RegionOne
swift post AlphaContainer
swift upload AlphaContainer my-science-project.tar

At this point, we have a container named AlphaContainer that holds one tar archive, my-science-project.tar. So far, so good.

Add ACLs to new container

What you really want to do is make your tar archive available while you’re working within the Beta project. So let’s tell swift to add read and write privileges to AlphaContainer for the Beta version of you.

# add read privileges
swift post -r 'Beta:memyself' AlphaContainer
# add write privileges
swift post -w 'Beta:memyself' AlphaContainer

Now you can test whether the ACLs have been created:

[bash]$ swift stat AlphaContainer -v | grep ACL:
        Read ACL: Beta:memyself
       Write ACL: Beta:memyself

Take note of StorageURL

Once the ACLs are adjusted, then take note of the top-level storage URL. We’ll need it when we start working in the Beta project.

[bash]$ swift stat -v | grep StorageURL: | awk '{print $2}'
http://openstack.domain.com:8080/v1/AUTH_e2e476b96336840e5f82f928a815805d

Change context to new project

Now we’ll leave our Alpha self behind and start work in the Beta project. The main difference is that we’re going to set the OS_STORAGE_URL variable to the URL we noted in the previous step.

export OS_USERNAME=memyself
export OS_TENANT_NAME=Beta
export OS_PASSWORD=myPassWord
export OS_AUTH_URL=http://openstack.domain.com:5000/v2.0
export OS_REGION_NAME=RegionOne
export OS_STORAGE_URL="http://openstack.domain.com:8080/v1/AUTH_e2e476b96336840e5f82f928a815805d"
swift list AlphaContainer
swift download AlphaContainer my-science-project.tar

If you don’t want to add the URL to your environment, you can also pass it as a command-line option:

swift \ 
  download AlphaContainer my-science-project.tar \
  --os-storage-url http://openstack.domain.com:8080/v1/AUTH_e2e476b96336840e5f82f928a815805d

A complex ACL set

More complex Swift ACLs can be constructed with wildcards and comma-separated lists.

# give r/w access every version of my account and to user leslie in
# project Gamma. give read-only access to user joebob in project
# Beta and everyone in project Gamma
swift post -r '*:memyself,Beta:joebob,Beta:leslie,Gamma:*' AlphaContainer
swift post -w '*:memyself,Gamma:leslie' AlphaContainer

An error to ignore

A user who has been given write access to a container using ACLs will encounter an interesting error when uploading files to that container:

Gamma:leslie> swift upload AlphaContainer my-certificate.pem
Warning: failed to create container 'AlphaContainer': 403 Forbidden: <html><h1>Forbidden</h1><p>Access was denied to this resourc
my-certificate.pem

By default, the swift utility will try to create the container into which the specified file(s) will be uploaded. That process will fail, but the file upload itself will succeed.

So far, I cannot figure out a way to alter that behavior.