OpenStack Object Storage (Swift)

confusion about the consepts like account, user, group , reseller, admin

Asked by lisha on 2011-12-27

I am new to swift , and I get quite confused about some concepts here.

I've successfully installed swift 1.4.3 on ubuntu 10.04, but I have to many questions about the administration work about swift
For auth subsystem I also tried both tempauth and swauth1.0.2

1. account and user
It seems that when you create a user, you also need to specify an account for that user

for example ,
      if I use tempauth, I have to write in the proxy-server.conf something like
      user_admin_admin = admin .admin .reseller_admin

      the format is actually :
      user_<account>_<user> = <key> [group] [group] [...] [storage_url]

similarly, if I use swauth
       swauth-add-user [options] <account> <user> <password>

I don't understand the relation beteween the account and user.
It seems to me that we can have multiple users under one account.
So, does every account have its own namespace for username ? I mean can user in different account have the same username?

What's the difference beween users in the same account and users in different account ?
Is there some access rule for that?

From the Open stack Object storage adminstrator manual
http://docs.openstack.org/diablo/openstack-object-storage/admin/content/authentication-and-access-permissions.html

I quote here

"Generally speaking, each user has their own storage account and has full access to that account. Users must authenticate with their credentials as described above, but once authenticated they can create/delete containers and objects within that account. The only way a user can access the content from another account is if they share an API access key or a session token provided by your authentication system."

I get confused, should I give each user a different account or we can let users share one account.
And if users share one account, what's their permission to those containers and objects created by others who are in
the same account with them ?

2.
 the confusion about user access permisson in one account lead to my second question
How do I implement acl rules for users

I have read the developer api document´╝îI got nothing about acl in that
http://docs.openstack.org/api/openstack-object-storage/1.0/content/

however,
from http://docs.openstack.org/diablo/openstack-object-storage/admin/content/swift-cli-basics.html
I did find something about set acl rules with "swift post -r -w "
but it doesn't explain the format for the acl rules

the guide on http://swift.openstack.org/misc.html#acls did have something about acl strings,
so may be I should use it with the " swift post -r / -w " ?

Since the swift cli is build above swift restful api, I think there should be someway I can directly use restful api to set acl rules for both containers and objests, right?
So, I guess I must have missed some documents about this kind of api, please help me find that.

3. about reseller , admin

From both swauth and tempauth, when you create a user, you can make the user a reseller admin or accout admin.
in tempauth: user_<account>_<user> = <key> [group] [group] [...] [storage_url]
group can be .reseller_admin .admin

in swauth: swauth-add-user [options] <account> <user> <password> with -a or -r option

I got this from the proxy-server.conf-sample.
# .reseller_admin= can do anything to any account for this auth
# .admin = can do anything within the account

and in swauth, theres is this super_admin, it is the site admin, right?
so does a reseller admin have the same permission with site admin ?

4. about group

so, what exactly does group mean in swift

reseller admin and accout admin are both some kind of group in swift ?

I notice that the swauth api doc also mentioned 'group' in the section "user service - > Get User Details"
https://github.com/gholt/swauth/blob/master/doc/source/api.rst

Is there other group I can use besides reseller admin and account admin ? or I can just self define some group?
I how can I use the group and how it affect uers ?

Question information

Language:
English Edit question
Status:
Solved
For:
OpenStack Object Storage (swift) Edit question
Assignee:
No assignee Edit question
Solved by:
lisha
Solved:
2011-12-27
Last query:
2011-12-27
Last reply:
lisha (lisha880730) said : #1

I also have a questiong about the access permision of a regular user in a account

I create 2 users in one account system

# swauth-add-user -K swauthkey -A https://localhost:8080/auth -a system root testpass

# swauth-add-user -K swauthkey -A https://localhost:8080/auth system notroot1 testpass

user root is an account admin with "-a"

so the swift stat swift upload swift list command all work fine for user root

however, notroot1 seems have no perminsion to do such things

root@proxy1:~/swift_test/swauth-1.0.2-1# swift -A https://localhost:8080/auth/v1.0 -U system:root -K testpass stat
   Account: AUTH_2b2b685b-241d-4bec-b768-f80f407df757
Containers: 0
   Objects: 0
     Bytes: 0
Accept-Ranges: bytes

swift -A https://localhost:8080/auth/v1.0 -U system:notroot1 -K testpass stat
Account HEAD failed: https://192.168.61.89:8080/v1/AUTH_2b2b685b-241d-4bec-b768-f80f407df757 403 Forbidden

swift -A https://localhost:8080/auth/v1.0 -U system:root -K testpass upload root_container1 vmware_player40.pdf
vmware_player40.pdf

root@proxy1:~/swift_test# swift -A https://localhost:8080/auth/v1.0 -U system:notroot1 -K testpass upload notroot1_container1 vmware_player40.pdf
Object HEAD failed: https://192.168.61.89:8080/v1/AUTH_2b2b685b-241d-4bec-b768-f80f407df757/notroot1_container1/vmware_player40.pdf 403 Forbidden

K. BAHRI (khaled-bbk) said : #2

Hi,

I have the same problem for creating users and accounts for swift

have you found any solution for your problem to create new users and accounts??

Thanks in advance for your help

Best regards
Khaled

@ lisha : You have to create container as notroot1_container1 in the 'system' account and then give the read and write permissions to the system:notroot1 user by the admin user of account as:

swift -A https://192.168.62.4:8080/auth/v1.0 -U system:root -K testpass post notroot1_container1 -r system:notroot1 -w system:notroot1