You are welcome to test it and share your thoughts with me :)
=== ReadOnly POC ===
The following table lists the different read ACL combinations:

Table 1. ACL options that are available to manipulate object read ACLs
Permission | Read ACL options |
Read for all referrers | .r:* |
Read and list for all referrers and listing | .r:*,.rlistings |
Read and list for a user in a specific tenant | <tenant_name|tenant_id>:<user_name|user_id> |
Read and list for a user in every tenant | *:<user_name|user_id> |
Read and list for every user in a tenant | <tenant_name|tenant_id>:<*> |
Read and list for every user in every project | <*>:<*> |
*** add container ACL, e.g. Read ACL: .r:*,.rlistings ***
$ swift post test --read-acl ".r:*,.rlistings" --os-auth-url https://us-test-2-int.test.com:5000/v2.0 --os-tenant-name test-test --os-username johnnywa --os-password test1234
*** show stat detail ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift stat test -v --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username johnnywa --os-password Test1234
URL: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
Auth Token: 6a6c2e5d13314446b8aae214afc8d7a3
Account: KEY_9524cecf3ae3446e85093b8c4e611222
Container: test
Objects: 2
Bytes: 40
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
Connection: keep-alive
X-Timestamp: 1469076950.95918
X-Trans-Id: txdc3dfcda2dfe428cbef81-0057905aff
Content-Type: text/plain; charset=utf-8
*** create another user in another tenant ***
| 7795c234ed844eefaab164854435df35 | storage-test | True |
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ keystone user-create --name=testreadonly --pass=test1234 --tenant-id 7795c234ed844eefaab164854435df35
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | f57c2aa15ad7472d85598c5d3397f346 |
| name | testreadonly |
| tenantId | 7795c234ed844eefaab164854435df35 |
| username | testreadonly |
+----------+----------------------------------+
*** try to show container stat - OK but didn't show ACL detail ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift stat test -v --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
URL: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
Auth Token: d013918299ed49ce9e9f0e3b0fda9bfd
Account: KEY_9524cecf3ae3446e85093b8c4e611222
Container: test
Objects: 3
Bytes: 45
Read ACL:
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
Connection: keep-alive
X-Timestamp: 1469076950.95918
X-Trans-Id: txf4ac014f92fd4ba89e61d-0057905e82
Content-Type: text/plain; charset=utf-8
*** try to list (read) the container - OK ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift list test --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
download.txt
test.txt
*** quickly generate a test file ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ vi uploadreadonly.txt
*** try to upload (write) the container - Fail ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift upload test uploadreadonly.txt --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
Error trying to create container 'test': 403 Forbidden: <html><h1>Forbidden</h1><p>Access was denied to this resourc
Object PUT failed: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test/uploadreadonly.txt 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
+++ double check with the same tenant but a different user +++
*** same tenant but different user is OK for read/write, and stat shows the Read ACL detail ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift stat test -v --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234
URL: https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
Auth Token: 3a5abafedbe0445c9204e593c6a35663
Account: KEY_9524cecf3ae3446e85093b8c4e611222
Container: test
Objects: 2
Bytes: 40
Read ACL: .r:*,.rlistings
Write ACL:
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
Connection: keep-alive
X-Timestamp: 1469076950.95918
X-Trans-Id: txfb4087445195416aaf73b-0057905c30
Content-Type: text/plain; charset=utf-8
*** list object in container - OK ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift list test --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
download.txt
test.txt
*** download object in container - OK ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift download test --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
download.txt [auth 0.117s, headers 0.248s, total 0.248s, 0.000 MB/s]
test.txt [auth 0.118s, headers 0.294s, total 0.294s, 0.000 MB/s]
*** upload ( write ) test file - OK ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift upload test uploadreadonly.txt --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
uploadreadonly.txt
*** list object in container to double check - OK ***
us-test-2 [admin@admin] johnnywa@Test10-1-test-a-infra-001:~$ swift list test --lh --os-auth-url https://us-test-2-int.johnny.com:5000/v2.0 --os-tenant-name Test-test --os-username test --os-password test1234 --os-storage-url https://storage-us-test-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222
12 2016-07-21 04:57:09 download.txt
28 2016-07-21 05:10:03 test.txt
5 2016-07-21 05:27:52 uploadreadonly.txt
45
=== Write Only POC ===
(I couldn't use swift post --write-acl, I have to use curl)
*** setup write acl ***
$ curl -i https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test -X PUT -H "Content-Length: 0" -H "X-Auth-Token:9e4330ce609d4b46b4b6cd12b636201c" -H "X-Container-Write: storage-test:testreadonly" -H "X-Container-Read: "
HTTP/1.1 202 Accepted
Content-Length: 76
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txc8db5faa9aec42328d5fc-0057907095
Date: Thu, 21 Jul 2016 06:49:57 GMT
<html><h1>Accepted</h1><p>The request is accepted
*** double check setting ***
$ swift stat test -v --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 --os-tenant-name CIS-Infra --os-username johnnywa --os-password Chianing1234
URL: https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
Auth Token: b5509afe98d449b2b991b259c9a9a978
Account: KEY_9524cecf3ae3446e85093b8c4e611222
Container: test
Objects: 3
Bytes: 45
Read ACL: .r:*,.rlistings
Write ACL: storage-test:testreadonly
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
Connection: keep-alive
X-Timestamp: 1469076950.95918
X-Trans-Id: txfe46f8d5ff7542478564e-005790743a
Content-Type: text/plain; charset=utf-8
*** get token from another tenant/user ***
$ swift stat -v --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 --os-tenant-name storage-test --os-username testreadonly --os-password test1234
StorageURL: https://storage-us-johnny-2.johnny.com:443/v1/KEY_7795c234ed844eefaab164854435df35
Auth Token: cac25822af2a4617acf6cb6a9097b434
Account: KEY_7795c234ed844eefaab164854435df35
Containers: 0
Objects: 0
Bytes: 0
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
X-Timestamp: 1469084387.34702
X-Trans-Id: txe93586f604fd411d86b69-00579072e3
X-Put-Timestamp: 1469084387.34702
*** upload ( write ) from storage-test tenant and user testreadonly ***
$ curl -i https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test/uploadwriteonly.txt -X PUT -H "X-Auth-Token: cac25822af2a4617acf6cb6a9097b434" --upload-file uploadwriteonly.txt
HTTP/1.1 100 Continue
HTTP/1.1 201 Created
Last-Modified: Thu, 21 Jul 2016 07:01:28 GMT
Content-Length: 0
Etag: d8e8fca2dc0f896fd7cb4cb0031ba249
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txf58b47458fc1428ca129b-0057907347
Date: Thu, 21 Jul 2016 07:01:27 GMT
*** double check whether the upload succeeded ***
$ swift list test --lh --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 --os-tenant-name CIS-Infra --os-username johnnywa --os-password Chianing1234
12 2016-07-21 04:57:09 download.txt
28 2016-07-21 05:10:03 test.txt
5 2016-07-21 05:27:52 uploadreadonly.txt
5 2016-07-21 07:01:27 uploadwriteonly.txt
50
*** the number of objects is now 4 ***
$ swift stat test -v --os-auth-url https://us-johnny-2-int.johnny.com:5000/v2.0 --os-tenant-name CIS-Infra --os-username johnnywa --os-password Chianing1234
URL: https://storage-us-johnny-2.johnny.com:443/v1/KEY_9524cecf3ae3446e85093b8c4e611222/test
Auth Token: b182d52f800340daa50e0f9b3f011306
Account: KEY_9524cecf3ae3446e85093b8c4e611222
Container: test
Objects: 4
Bytes: 50
Read ACL: .r:*,.rlistings
Write ACL: storage-test:testreadonly
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Standard-Replica
Connection: keep-alive
X-Timestamp: 1469076950.95918
X-Trans-Id: tx6d6d1a1230cd4b8cbbb05-005790749e
Content-Type: text/plain; charset=utf-8
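Added example (not part of the original post, and not Swift's own code): a simplified Python model of how the ACL strings used in both POCs decide cross-tenant and anonymous access, with an audit check that flags public exposure. `.r:*` grants read without any token, and the last `swift stat` above still shows `Read ACL: .r:*,.rlistings`, so the container in the Write Only POC remains publicly readable and listable. Assumptions: the function names are hypothetical, only `.r:*`, `.rlistings` and `tenant:user` entries are modelled, and same-tenant access is out of scope.

```python
# Simplified model of Swift container ACL evaluation (added example, not Swift's code).
# Only ".r:*", ".rlistings" and "tenant:user" entries are modelled; other referrer
# patterns are treated as non-matching, and same-tenant (owner) access is out of scope.

def parse_acl(acl):
    """Split an ACL string into (referrer patterns, listings flag, tenant:user grants)."""
    referrers, listings, grants = [], False, []
    for item in (s.strip() for s in (acl or "").split(",")):
        if item == ".rlistings":
            listings = True
        elif item.startswith(".r:"):
            referrers.append(item[3:])
        elif item:
            grants.append(item)
    return referrers, listings, grants

def grant_matches(grants, tenant, user):
    """True if a grant names tenant:user, with '*' accepted on either side."""
    return any(f"{t}:{u}" in grants for t in (tenant, "*") for u in (user, "*"))

def allowed(action, read_acl, write_acl, tenant=None, user=None):
    """action: 'get_object', 'list' or 'put_object'; tenant=None means no token."""
    if action == "put_object":
        grants = parse_acl(write_acl)[2]
        return tenant is not None and grant_matches(grants, tenant, user)
    referrers, listings, grants = parse_acl(read_acl)
    if tenant is not None and grant_matches(grants, tenant, user):
        return True  # a tenant:user read grant covers both read and list
    if "*" in referrers:  # .r:* applies to every request, token or not
        return action == "get_object" or listings
    return False

def audit(read_acl, write_acl):
    """Return exposure findings for one container's ACL pair."""
    referrers, listings, _ = parse_acl(read_acl)
    findings = []
    if "*" in referrers:
        findings.append("public-read")
        if listings:
            findings.append("public-listing")
    if any("*" in g for g in parse_acl(write_acl)[2]):
        findings.append("wildcard-write")
    return findings

if __name__ == "__main__":
    # Constructed from the ACL values shown in the stat output of the post.
    read_acl, write_acl = ".r:*,.rlistings", "storage-test:testreadonly"
    who = ("storage-test", "testreadonly")
    for action in ("get_object", "list", "put_object"):
        print(action, allowed(action, read_acl, write_acl, *who))
    print(audit(read_acl, write_acl))
```
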