Is there a way to allow a non-admin user to list objects within a container?

Asked by Timur Irmatov

Let's say I have an account 'myaccount', admin user 'root' within that account and ordinary user 'joe'. Admin grants public access to container 'myfiles' and write access to user 'joe':

st -A ... -U myaccount:admin -K ... post -r '.r:*' -w 'myaccount:joe' myfiles

User 'joe' can successfully upload files to that container. But he cannot list objects within this container (st list myfiles gives 403 Forbidden). Is there a possibility to grant him such ability?

P.S. I am using Swift 1.3.0 Cactus

Question information

Language: English
Status: Solved
For: OpenStack Object Storage (swift)
Assignee: No assignee
Solved by: Marcelo Martins
Best Marcelo Martins (btorch) said :
#1

Hi Timur,

I have tested this on 1.3 and it seems to work fine. Here is what I have done in order to allow the listing.

stackusers = the account where I have one admin user and one regular user

- Using the admin account I set the X-Container-Read for the container as shown below:
curl -i -H "TOKEN" -H "X-Container-Read: .r:*,stakusers,.rlistings" -X POST URL/container1

Then I was able to do a listing with the regular user account

Ref: http://swift.openstack.org/misc.html#module-swift.common.middleware.acl

------

root@saio-2:~/swift-saio.sh# curl -i -H "REGULAR USER TOKEN" -X GET URL/container1
HTTP/1.1 403 Forbidden
Content-Length: 157
Content-Type: text/html; charset=UTF-8
Date: Sun, 26 Jun 2011 14:43:03 GMT

<html>
 <head>
  <title>403 Forbidden</title>
 </head>
 <body>
  <h1>403 Forbidden</h1>
  Access was denied to this resource.<br /><br />

 </body>

root@saio-2:~/swift-saio.sh# curl -i -H "ADMIN USER TOKEN" -H "X-Container-Read: .r:*,stakusers,.rlistings" -X POST URL/container1
HTTP/1.1 204 No Content
Content-Length: 0
Content-Type: text/html; charset=UTF-8
Date: Sun, 26 Jun 2011 14:43:28 GMT

root@saio-2:~/swift-saio.sh# curl -i -H "ADMIN USER TOKEN" -X HEAD URL/container1
HTTP/1.1 204 No Content
X-Container-Object-Count: 30
X-Container-Read: .r:*,stakusers,.rlistings
X-Container-Bytes-Used: 12573393
Content-Length: 0
Date: Sun, 26 Jun 2011 14:43:46 GMT

root@saio-2:~/swift-saio.sh# curl -i -H "REGULAR USER TOKEN" -X GET URL/container1
HTTP/1.1 200 OK
X-Container-Object-Count: 30
X-Container-Read: .r:*,stakusers,.rlistings
X-Container-Bytes-Used: 12573393
Content-Length: 1257
Content-Type: text/plain; charset=utf8
Date: Sun, 26 Jun 2011 14:43:56 GMT

/etc/swift/account-server/1-account-server.conf
/etc/swift/account-server/2-account-server.conf
/etc/swift/account-server/3-account-server.conf
/etc/swift/account-server/4-account-server.conf
/etc/swift/account.builder
/etc/swift/account.ring.gz
/etc/swift/backups/1309098889.object.builder
/etc/swift/backups/1309098898.object.builder
/etc/swift/backups/1309098898.object.ring.gz
/etc/swift/backups/1309098909.container.builder
/etc/swift/backups/1309098917.container.builder
/etc/swift/backups/1309098917.container.ring.gz
/etc/swift/backups/1309098928.account.builder
/etc/swift/backups/1309098937.account.builder
/etc/swift/backups/1309098937.account.ring.gz
/etc/swift/container-server/1-container-server.conf
/etc/swift/container-server/2-container-server.conf
/etc/swift/container-server/3-container-server.conf
/etc/swift/container-server/4-container-server.conf
/etc/swift/container.builder
/etc/swift/container.ring.gz
/etc/swift/drive-audit.conf
/etc/swift/object-server/1-object-server.conf
/etc/swift/object-server/2-object-server.conf
/etc/swift/object-server/3-object-server.conf
/etc/swift/object-server/4-object-server.conf
/etc/swift/object.builder
/etc/swift/object.ring.gz
/etc/swift/proxy-server/proxy-server.conf
/etc/swift/swift.conf
root@saio-2:~/swift-saio.sh#

Sarkor Telecom sysadmins (t-admin-sarkor-uz) said :
#2

Does option '.rlistings' permit listings for all unauthenticated requests or only for authorised users who have read permissions on a container?

Marcelo Martins (btorch) said :
#3

Sarkor, I believe that if you give the container only "X-Container-Read: .r:*,.rlistings", it will make it public and allow object listing.

Timur Irmatov (irmatov) said :
#4

Thanks Marcelo Martins, that solved my question.
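
The read-ACL behaviour discussed in replies #1 and #3, as an added example that is not part of the original thread and is not Swift's own code: a simplified Python model of how an X-Container-Read value is split into referrer rules and group entries, and how object reads and container listings are then decided. The function names, the `JOE` group tuple and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

def parse_acl(acl):
    """Split an X-Container-Read value into (referrer rules, group entries)."""
    referrers, groups = [], []
    for item in (v.strip() for v in (acl or "").split(",")):
        if item.startswith(".r:"):
            referrers.append(item[3:])
        elif item:
            groups.append(item)  # account, account:user, or the .rlistings flag
    return referrers, groups

def referrer_allowed(referer, rules):
    """Later rules override earlier ones; a leading '-' denies that host."""
    host = urlparse(referer or "").hostname or "unknown"
    allowed = False
    for rule in rules:
        deny = rule.startswith("-")
        pattern = rule[1:] if deny else rule
        if not pattern:
            continue
        match = pattern == host or (pattern.startswith(".") and host.endswith(pattern))
        if deny and match:
            allowed = False
        elif not deny and (pattern == "*" or match):
            allowed = True
    return allowed

def read_allowed(acl, is_listing, user_groups=(), referer=None):
    """True if a GET is permitted; user_groups is empty for anonymous requests."""
    referrers, groups = parse_acl(acl)
    # Referrer rules alone cover object reads; listings also need .rlistings.
    if referrer_allowed(referer, referrers) and (not is_listing or ".rlistings" in groups):
        return True
    # Otherwise an authenticated user must match an account or account:user entry.
    return any(g in groups for g in user_groups)

# Assumed groups the auth middleware attaches to joe's token (constructed).
JOE = ("myaccount:joe", "myaccount")

if __name__ == "__main__":
    for acl in (".r:*", ".r:*,.rlistings", "myaccount:joe"):
        print(f"{acl!r:22} anon object={read_allowed(acl, False)} "
              f"anon listing={read_allowed(acl, True)} "
              f"joe listing={read_allowed(acl, True, JOE)}")
```

In this model `.r:*,.rlistings` exposes the object names to every unauthenticated client, while an ACL of just `myaccount:joe` lets joe list the container without making it public.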