Fine-grained control of permissions in OpenStack Swift can be done natively using Access Control Lists (ACLs). Unfortunately, this was not enough to cover some use cases we have here at Cloudwatt. We needed a way to manage permissions for multiple profiles, based on the roles assigned to each user. To solve this problem we wrote a middleware that adds role-based permission control via a policy.json file, the same way other OpenStack components handle authorization. The middleware is called Swiftpolicy and is available on Stackforge.
Installing swiftpolicy can be done from source. Here are the steps to follow:
```shell
$ virtualenv swiftpolicy_env
New python executable in swiftpolicy_env/bin/python2.7
Also creating executable in swiftpolicy_env/bin/python
Installing setuptools, pip...done.
$ source swiftpolicy_env/bin/activate
(swiftpolicy_env)$ git clone https://github.com/cloudwatt/swiftpolicy.git
Cloning into 'swiftpolicy'...
remote: Counting objects: 172, done.
remote: Total 172 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (172/172), 46.93 KiB | 0 bytes/s, done.
Resolving deltas: 100% (81/81), done.
Checking connectivity... done.
(swiftpolicy_env)$ cd swiftpolicy
(swiftpolicy_env)$ pip install -r requirements
Downloading/unpacking dnspython>=1.9.4 (from -r requirements (line 1))
...
...
...
Successfully installed dnspython eventlet greenlet netifaces pastedeploy simplejson xattr swift-1.13.0 six cffi pycparser
Cleaning up...
(swiftpolicy_env)$ python setup.py install
```
Note that these steps install the middleware in a virtualenv, so make sure the Swift proxy-server is launched from the same virtualenv; otherwise the egg:swiftpolicy entry point is not importable by the interpreter running the proxy. Depending on your use case, you may be able to skip the virtualenv altogether and install into the Python environment that already runs the proxy.
Activating the middleware is done by including it in the Swift proxy pipeline. To do so, edit the proxy configuration file (usually /etc/swift/proxy-server.conf). The simplest approach is to replace the keystoneauth middleware with swiftpolicy, at the same position in the pipeline.
Before:

```ini
[pipeline:main]
pipeline = catch_errors cache keystoneauth tempauth ... proxy-server
```

After:

```ini
[pipeline:main]
pipeline = catch_errors cache swiftpolicy tempauth ... proxy-server
```
In the same file, add the configuration section for the swiftpolicy WSGI filter:
```ini
[filter:swiftpolicy]
use = egg:swiftpolicy#swiftpolicy
policy = %(here)s/default.json
```
The policy directive is the path to the policy file. %(here)s is expanded by PasteDeploy to the directory containing the configuration file, so in this case the policy is read from default.json next to proxy-server.conf (/etc/swift/default.json in the usual layout). Restart the proxy server and you're done.
The policy file lists every action that can be performed on the Swift proxy, together with the rule that must be satisfied to perform it.
An action name has the form <http verb>_<swift entity>, for example get_container or put_object:
```json
"get_container": "rule:allowed_for_user",
"put_container": "rule:allowed_for_user",
"delete_container": "rule:allowed_for_user",
```
The policy file also contains two special rules, swift_owner and reseller_request. Rather than guarding an action, they decide when the middleware sets the swift_owner and reseller_request flags in the request environment to true; those two values are part of the contract between the auth middleware and the rest of Swift (more details here).
```json
"swift_owner": "rule:swift_reseller or rule:swift_operator",
"reseller_request": "rule:swift_reseller",
```
For example, to forbid container creation for everyone (the "!" rule never matches, whatever the caller's roles):

```json
"get_container": "rule:allowed_for_user",
"put_container": "!",
```
Or to allow it only to users holding the admin role:

```json
"get_container": "rule:allowed_for_user",
"put_container": "role:admin",
```
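To make the policy language above concrete, here is an added example (written for this post, not swiftpolicy's own code) that evaluates rule strings like the ones shown and maps a request to its <http verb>_<swift entity> action. It supports a subset of the OpenStack policy grammar: "!" (never), "@" or an empty string (always), rule:NAME, role:NAME, and not/and/or with parentheses. The definitions of swift_reseller, swift_operator and allowed_for_user in the embedded policy, and the Member role given to the demo user, are assumptions; only the lines quoted on this page are known to be in the real default.json.

```python
"""Added example, not swiftpolicy's own code: a minimal evaluator for the
policy.json rule language, plus the <verb>_<entity> action mapping."""
import json
import re

# Constructed policy modelled on the fragments quoted in the post; the
# swift_reseller / swift_operator / allowed_for_user definitions are assumptions.
POLICY_JSON = """{
    "swift_reseller": "role:ResellerAdmin",
    "swift_operator": "role:admin or role:swiftoperator",
    "allowed_for_user": "rule:swift_operator",
    "swift_owner": "rule:swift_reseller or rule:swift_operator",
    "reseller_request": "rule:swift_reseller",
    "get_container": "rule:allowed_for_user",
    "put_container": "role:admin",
    "delete_container": "!"
}"""
_TOKEN = re.compile(r"\(|\)|[^\s()]+")

def action_for(method, path):
    """/v1/<acct> -> <verb>_account, /v1/<acct>/<cont> -> <verb>_container,
    /v1/<acct>/<cont>/<obj...> -> <verb>_object."""
    parts = path.strip("/").split("/", 3)  # parts[0] is the API version
    entity = {1: "account", 2: "container", 3: "object"}.get(len(parts) - 1)
    if entity is None:
        raise ValueError("not a Swift storage path: %r" % path)
    return "%s_%s" % (method.lower(), entity)

class Policy(object):
    """Evaluates rule strings: "!" never, "@" or "" always, rule:NAME,
    role:NAME, and not/and/or with parentheses ('and' binds tighter than 'or')."""

    def __init__(self, rules):
        self.rules = rules

    def check(self, name, creds):
        """True if creds (dict with a 'roles' list) satisfy rule `name`; unknown names are denied."""
        rule = self.rules.get(name)
        if rule is None:
            return False
        tokens = _TOKEN.findall(rule)
        if not tokens:  # "" always matches
            return True
        value, pos = self._or(tokens, 0, creds)
        if pos != len(tokens):
            raise ValueError("trailing tokens in rule %r" % rule)
        return value

    def _or(self, tokens, pos, creds):
        value, pos = self._and(tokens, pos, creds)
        while pos < len(tokens) and tokens[pos] == "or":
            rhs, pos = self._and(tokens, pos + 1, creds)
            value = value or rhs
        return value, pos

    def _and(self, tokens, pos, creds):
        value, pos = self._not(tokens, pos, creds)
        while pos < len(tokens) and tokens[pos] == "and":
            rhs, pos = self._not(tokens, pos + 1, creds)
            value = value and rhs
        return value, pos

    def _not(self, tokens, pos, creds):
        if pos >= len(tokens):
            raise ValueError("unexpected end of rule")
        if tokens[pos] == "not":
            value, pos = self._not(tokens, pos + 1, creds)
            return (not value), pos
        if tokens[pos] == "(":
            value, pos = self._or(tokens, pos + 1, creds)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            return value, pos + 1
        return self._atom(tokens[pos], creds), pos + 1

    def _atom(self, token, creds):
        if token in ("!", "@"):  # "!" denies everyone, "@" allows everyone
            return token == "@"
        kind, _, value = token.partition(":")
        if kind == "rule":
            return self.check(value, creds)
        if kind == "role":
            return value in creds.get("roles", ())
        raise ValueError("unsupported check %r" % token)

def load_policy(text=POLICY_JSON):
    return Policy(json.loads(text))

def authorize(policy, method, path, roles):
    """Decide a request as the middleware would: map it to an action, check
    it, and compute the swift_owner / reseller_request flags that Swift
    expects its auth middleware to set in the request environment."""
    creds = {"roles": list(roles)}
    action = action_for(method, path)
    return {"action": action, "allowed": policy.check(action, creds),
            "swift_owner": policy.check("swift_owner", creds),
            "reseller_request": policy.check("reseller_request", creds)}

if __name__ == "__main__":  # constructed scenario: "demo" (assumed role Member) vs admin
    for user, roles in (("demo", ["Member"]), ("admin", ["admin"])):
        print(user, authorize(load_policy(), "PUT", "/v1/AUTH_demo/my_container", roles))
```

Running it prints the decision for the demo user and for admin doing PUT on a container, which is the same check as the swift post test at the end of this post. Two points worth carrying over to a real deployment: an action missing from the policy file is denied by this evaluator, so confirm what your own policy file and middleware do for unlisted actions before relying on it, and a rule that refers to itself (directly or via another rule:) would recurse forever, so keep rule definitions acyclic.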
Here is how to test and validate the swiftpolicy middleware, with put_container restricted to role:admin as in the last example: the demo user is refused while admin succeeds.
```shell
$ source openrc demo demo password
$ swift list
$ swift post my_container
Container PUT failed: http://10.0.48.252:8080:8080/v1/AUTH_01b059eda9a24f66b84d9b72284d7369/my_container2 403 Forbidden  [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc
$ # as an admin
$ source openrc admin admin password
$ swift list
$ swift post my_container
$ swift list my_container
```