OpenStack Object Storage (swift)

Cross-Tenant ACLs

Registered by Guang Yee

Need the flexibility to support "<tenant_id>:<username>" and <tenant_name>:<username" ACLs without restricting users to shared the same tenant and account. Furthermore, we need the flexibility to support cross-tenant ACLs, ACLs without tenant association (i.e. "*:<username>"), to improve usability.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
None
Definition:
New
Series goal:
Accepted for grizzly
Implementation:
Implemented
Milestone target:
milestone icon 1.7.6
Started by
John Dickinson
Completed by
John Dickinson

Related branches

Sprints

Whiteboard

Looking at the Swift keystoneauth middleware code, only way “<tenant ID>:<username>” and “<tenant name>:<username>” are applicable is the given account matches “<reseller><tenant_id>”.

https://github.com/openstack/swift/blob/master/swift/common/middleware/keystoneauth.py

Line 169-172

This means users must shared the same tenant and account. This is not flexible enough to support use cases such as userA of tenantA wants to grant read-only access to his container UserAContainer to userB of tenantB, where userB does not have/need any role association with TenantA. UserA should be able to just create an ACL “X-Container-Read: TenantB:userB”.

Furthermore, we need cross-tenant ACLs, sharing container with users regardless of their tenant association. For example, “*:<username>”. The benefit with cross-tenant ACLs is improved usability as there’s no need to lookup tenant ID/name when creating ACLs.

Gerrit topic: https://review.openstack.org/#q,topic:bp/cross-tenant-acls,n,z

Addressed by: https://review.openstack.org/17229
    bp/cross-tenant-acls: allow tenantId:user, tenantName:user, and *:user ALCs

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.