Wednesday, July 20, 2016

Quick Share Swift Container ACL POC

I have been too busy to update my blog for a long time. I feel guilty, so I think I should share whatever I have at hand. Today I would like to share quickly how to set up a Swift Container ACL (read-only).


Feel free to test it and share your thoughts with me :)

=== ReadOnly POC ===

The following table lists the different read ACL combinations:
Table 1. ACL options that are available to manipulate object read ACLs

  Read ACL value                                Effect
  .r:*                                          Read for all referrers
  .r:*,.rlistings                               Read and list for all referrers
  <tenant_name|tenant_id>:<user_name|user_id>   Read and list for a user in a specific tenant
  *:<user_name|user_id>                         Read and list for a user in every tenant
  <tenant_name|tenant_id>:<*>                   Read and list for every user in a tenant
  <*>:<*>                                       Read and list for every user in every project

*** add container ACL, e.g. Read ACL: .r:*,.rlistings ***

$ swift post test --read-acl ".r:*,.rlistings" --os-auth-url https://us-test-2-int.test.com:5000/v2.0 --os-tenant-name test-test --os-username johnnywa --os-password test1234


*** show stat detail ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift stat test -v --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username johnnywa --os-password Test1234
           URL: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
    Auth Token: 6a6c2e5d13314446b8aae214afc8d7a3
       Account: KEY_9524cecf3ae3446e85093b8c4e611222
     Container: test
       Objects: 2
         Bytes: 40
      Read ACL: .r:*,.rlistings
     Write ACL:
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
    Connection: keep-alive
   X-Timestamp: 1469076950.95918
    X-Trans-Id: txdc3dfcda2dfe428cbef81-0057905aff
  Content-Type: text/plain; charset=utf-8

*** create another user in another tenant ***

| 7795c234ed844eefaab164854435df35 |                     storage-test                    |   True  |
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ keystone user-create --name=testreadonly --pass=test1234 --tenant-id 7795c234ed844eefaab164854435df35
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | f57c2aa15ad7472d85598c5d3397f346 |
|   name   |           testreadonly           |
| tenantId | 7795c234ed844eefaab164854435df35 |
| username |           testreadonly           |
+----------+----------------------------------+


*** try to show container stat - OK but didn't show ACL detail ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift stat test -v --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
           URL: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
    Auth Token: d013918299ed49ce9e9f0e3b0fda9bfd
       Account: KEY_9524cecf3ae3446e85093b8c4e611222
     Container: test
       Objects: 3
         Bytes: 45
      Read ACL:
     Write ACL:
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
    Connection: keep-alive
   X-Timestamp: 1469076950.95918
    X-Trans-Id: txf4ac014f92fd4ba89e61d-0057905e82
  Content-Type: text/plain; charset=utf-8

*** try to list (read) the container - OK ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift list test --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
download.txt
test.txt

*** quickly generate a test file ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ vi uploadreadonly.txt
  

*** try to upload (write) the container - Fail ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift upload test uploadreadonly.txt --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
Error trying to create container 'test'403 Forbidden: <html><h1>Forbidden</h1><p>Access was denied to this resourc
Object PUT failed: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test/uploadreadonly.txt 403 Forbidden  [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

+++ double check with the same tenant but a different user +++

*** same tenant but different user is OK for read/write; stat shows the Read ACL detail ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift stat test -v --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234
           URL: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
    Auth Token: 3a5abafedbe0445c9204e593c6a35663
       Account: KEY_9524cecf3ae3446e85093b8c4e611222
     Container: test
       Objects: 2
         Bytes: 40
      Read ACL: .r:*,.rlistings
     Write ACL:
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
    Connection: keep-alive
   X-Timestamp: 1469076950.95918
    X-Trans-Id: txfb4087445195416aaf73b-0057905c30
  Content-Type: text/plain; charset=utf-8

*** list object in container - OK ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift list test --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
download.txt
test.txt

*** download object in container - OK ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift download test --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
download.txt [auth 0.117s, headers 0.248s, total 0.248s, 0.000 MB/s]
test.txt [auth 0.118s, headers 0.294s, total 0.294s, 0.000 MB/s]

*** upload ( write ) test file - OK ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift upload test uploadreadonly.txt --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
uploadreadonly.txt

*** list object in container to double check - OK ***

us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift list test --lh --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
  12 2016-07-21 04:57:09 download.txt
  28 2016-07-21 05:10:03 test.txt
   5 2016-07-21 05:27:52 uploadreadonly.txt
  45

=== Write Only POC ===

( I couldn't use swift post --write-acl, I have to use curl )

*** setup write acl ***

$ curl -i https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test -X PUT \
    -H "Content-Length: 0" -H "X-Auth-Token:9e4330ce609d4b46b4b6cd12b636201c" \
    -H "X-Container-Write: storage-test:testreadonly" -H "X-Container-Read: "
HTTP/1.1 202 Accepted
Content-Length: 76
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txc8db5faa9aec42328d5fc-0057907095
Date: Thu, 21 Jul 2016 06:49:57 GMT
<html><h1>Accepted</h1><p>The request is accepted

*** double check setting ***

( Note that the Read ACL is unchanged: curl drops any -H header whose value is empty, so "X-Container-Read: " was never sent. To clear a read ACL, send the header X-Remove-Container-Read: x instead. )

$ swift stat test -v --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 \
    --os-tenant-name CIS-Infra --os-username johnnywa --os-password Chianing1234
           URL: https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
    Auth Token: b5509afe98d449b2b991b259c9a9a978
       Account: KEY_9524cecf3ae3446e85093b8c4e611222
     Container: test
       Objects: 3
         Bytes: 45
      Read ACL: .r:*,.rlistings
     Write ACL: storage-test:testreadonly
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
    Connection: keep-alive
   X-Timestamp: 1469076950.95918
    X-Trans-Id: txfe46f8d5ff7542478564e-005790743a
  Content-Type: text/plain; charset=utf-8

*** get token from another tenant/user ***

$ swift stat -v --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 \
    --os-tenant-name storage-test --os-username testreadonly --os-password test1234
    StorageURL: https://storage-us-johnny-2.johnny.com:443/v1/KEY_7795c234ed844eefaab164854435df35
    Auth Token: cac25822af2a4617acf6cb6a9097b434
       Account: KEY_7795c234ed844eefaab164854435df35
    Containers: 0
       Objects: 0
         Bytes: 0
  Content-Type: text/plain; charset=utf-8
    Connection: keep-alive
   X-Timestamp: 1469084387.34702
    X-Trans-Id: txe93586f604fd411d86b69-00579072e3
X-Put-Timestamp: 1469084387.34702

*** upload ( write ) from storage-test tenant and user testreadonly ***

$ curl -i https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test/uploadwriteonly.txt \
    -X PUT -H "X-Auth-Token: cac25822af2a4617acf6cb6a9097b434" --upload-file uploadwriteonly.txt
HTTP/1.1 100 Continue
HTTP/1.1 201 Created
Last-Modified: Thu, 21 Jul 2016 07:01:28 GMT
Content-Length: 0
Etag: d8e8fca2dc0f896fd7cb4cb0031ba249
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txf58b47458fc1428ca129b-0057907347
Date: Thu, 21 Jul 2016 07:01:27 GMT

*** double check whether the upload is OK ***

$ swift list test --lh --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 --os-tenant-name CIS-Infra \
    --os-username johnnywa --os-password Chianing1234
  12 2016-07-21 04:57:09 download.txt
  28 2016-07-21 05:10:03 test.txt
   5 2016-07-21 05:27:52 uploadreadonly.txt
   5 2016-07-21 07:01:27 uploadwriteonly.txt
  50

*** right now the number of objects is 4 ***

$ swift stat test -v --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 \
    --os-tenant-name CIS-Infra --os-username johnnywa --os-password Chianing1234
           URL: https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
    Auth Token: b182d52f800340daa50e0f9b3f011306
       Account: KEY_9524cecf3ae3446e85093b8c4e611222
     Container: test
       Objects: 4
         Bytes: 50
      Read ACL: .r:*,.rlistings
     Write ACL: storage-test:testreadonly
       Sync To:
      Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
    Connection: keep-alive
   X-Timestamp: 1469076950.95918
    X-Trans-Id: tx6d6d1a1230cd4b8cbbb05-005790749e
  Content-Type: text/plain; charset=utf-8
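To make the read-ACL table and the two POCs above easier to reason about before touching a real cluster, here is an added example (not code from the post or from OpenStack Swift) that models how Swift evaluates X-Container-Read / X-Container-Write: it parses the ACL strings the way Swift splits them and decides, for a non-owner tenant:user, which requests pass. It is a simplified model of Swift's acl.py / keystoneauth logic; the tenant and user names are the post's own.

```python
from urllib.parse import urlparse


def parse_acl(acl_string):
    """Split a v1 ACL string into (referrer rules, tenant:user groups), as Swift does."""
    referrers, groups = [], []
    for entry in (e.strip() for e in (acl_string or "").split(",")):
        if not entry:
            continue
        if entry.startswith(".r:"):
            referrers.append(entry[len(".r:"):])  # .r:* or .r:.example.com or .r:-bad.host
        else:
            groups.append(entry)  # tenant:user, *:user, tenant:*, *:* or .rlistings
    return referrers, groups


def referrer_allowed(referrer, referrer_acl):
    """Later rules override earlier ones; a request with no Referer counts as host 'unknown'."""
    rhost = urlparse(referrer or "").hostname or "unknown"
    allow = False
    for rule in referrer_acl:
        deny = rule.startswith("-")
        host = rule[1:] if deny else rule
        if (host == "*" and not deny) or host == rhost or (host.startswith(".") and rhost.endswith(host)):
            allow = not deny
    return allow


def group_matches(group, tenant, user):
    """Match a tenant:user entry, with '*' as a wildcard on either side."""
    if group.startswith(".") or ":" not in group:
        return False
    g_tenant, g_user = group.split(":", 1)
    return g_tenant in ("*", tenant) and g_user in ("*", user)


def allowed(method, read_acl, write_acl, tenant, user, is_object=True, referrer=None):
    """Decide whether a non-owner tenant:user may perform `method` under these ACLs.
    Account owners (johnnywa and test in Test-test) bypass ACLs and are the only
    ones shown the Read ACL / Write ACL lines by `swift stat`."""
    referrers, read_groups = parse_acl(read_acl)
    _, write_groups = parse_acl(write_acl)
    if method in ("GET", "HEAD"):
        # A referrer rule alone grants object reads; a container listing also needs .rlistings.
        if referrer_allowed(referrer, referrers) and (is_object or ".rlistings" in read_groups):
            return True
        return any(group_matches(g, tenant, user) for g in read_groups)
    if method in ("PUT", "POST", "DELETE"):
        # Write ACLs never honour referrers: only tenant:user groups can grant writes.
        return any(group_matches(g, tenant, user) for g in write_groups)
    return False
```

The model reproduces the post: with `.r:*,.rlistings` and an empty write ACL, storage-test:testreadonly can list but gets 403 on PUT, and once the write ACL is `storage-test:testreadonly` the PUT passes while every other user in that tenant still cannot write.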