I may know the problem now. You can have a look at @fbo's blog: http://blog.fsquat.net/?p=40 I did a deep dive into the auth middleware today.
The authtoken middleware will reject the request if the token's tenant mapping does not match the one you requested.

*[Debug log]*

Nov 13 01:39:30 proxy-server tenant mismatch: SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919 != 5c5791c3dca54885a862bbd214587759 (txn: txc94a550c9adb4305b21a8-00528348d2) (client_ip: 192.168.1.222)
Nov 13 01:39:30 proxy-server tenant mismatch: SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919 != 5c5791c3dca54885a862bbd214587759 (txn: txc94a550c9adb4305b21a8-00528348d2) (client_ip: 192.168.1.222)
Nov 13 01:39:30 proxy-server 192.168.1.222 127.0.0.1 13/Nov/2013/09/39/30 GET /v1/SWIFTSTACK_e2dbb13e5e18496aafe251c64aca8919/share-U1 HTTP/1.0 403 - curl/7.22.0%20%28x86_64-pc-linux-gnu%29%20libcurl/7.22.0%20OpenSSL/1.0.1%20zlib/1.2.3.4%20libidn/1.23%20librtmp/2.3 21371d0927a742e0b7ae79680548c49f - 73 - txc94a550c9adb4305b21a8-00528348d2 - 0.0125 - -

*For your purpose, more efforts are needed.*

1. Create a role, whatever you want. But the role should not be in the operator_roles list of the keystoneauth middleware. Let's have one named *share*:

   keystone role-create --name share

2. Give the non-privileged role to user test2 of tenant test1, for passing the authtoken middleware:

   keystone user-role-add --user test2 --tenant test1 --role share

3. [*Trick*] Set the read ACL on account AUTH_test1's container foo for test1:test2 (Tenant:UserName):

   curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test1:test2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo

4. Retrieve the token of tenant *test1* for user test2, rather than using tenant test2's token:

   curl -s -H 'Content-type: application/json' \
     -d '{"auth": {"tenantName": "test1", "passwordCredentials": {"username": "test2", "password": "test2"}}}' \
     http://192.168.3.100:5000/v2.0/tokens | python -mjson.tool

5. Get the object from test1/foo with this token. As I mentioned before, the default ACL does not allow listing the objects in a container. You need to set .rlistings in the header.
   curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test1:test2,.rlistings" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo

Hope it helps.

+Hugo Kuo+
(+886) 935004793
SwiftStack Inc.

2013/11/13 <thorf...@poivron.org>

> This syntax is correct:
>
> curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: *:*" -H "X-Container-Write: *:*" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 09:42:33 GMT
> Connection: close
>
> I don't understand why, but today it is ok for me.
>
> curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test2:test2" -H "X-Container-Write: test2:test2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest1" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> X-Container-Write: test2:test2
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
> X-Container-Read: test2:test2
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 09:58:09 GMT
> Connection: close
>
> curl -i -X GET -H "X-Auth-Token: $tokenTest2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
> HTTP/1.1 204 No Content
> Content-Length: 0
> X-Container-Object-Count: 0
> Accept-Ranges: bytes
> X-Timestamp: 1384268871.16508
> X-Container-Bytes-Used: 0
> Content-Type: text/html; charset=UTF-8
> Date: Wed, 13 Nov 2013 09:56:55 GMT
> Connection: close
>
> Thank you for the help
>
>
> On 2013-11-13 10:31, thorf...@poivron.org wrote:
>
>> @Dheerendra:
>> the correct IP address is 192.168.3.100. It's a mistake.
>> Same problem with the correct IP address.
>>
>> @Kuo Hugo:
>> I don't understand item 1.
>>
>> On item 2:
>>
>> curl -i -X POST -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test2" -H "X-Container-Write: test2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> HTTP/1.1 204 No Content
>> Content-Length: 0
>> Content-Type: text/html; charset=UTF-8
>> Date: Wed, 13 Nov 2013 08:55:57 GMT
>> Connection: close
>>
>> curl -i -X GET -H "X-Auth-Token: $tokenTest1" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> HTTP/1.1 204 No Content
>> Content-Length: 0
>> X-Container-Object-Count: 0
>> X-Container-Write: test2
>> Accept-Ranges: bytes
>> X-Timestamp: 1384268871.16508
>> X-Container-Read: test2
>> X-Container-Bytes-Used: 0
>> Content-Type: text/html; charset=UTF-8
>> Date: Wed, 13 Nov 2013 08:56:00 GMT
>> Connection: close
>>
>> curl -i -X GET -H "X-Auth-Token: $tokenTest2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>> HTTP/1.1 403 Forbidden
>> Content-Length: 73
>> Content-Type: text/html; charset=UTF-8
>> Date: Wed, 13 Nov 2013 08:56:18 GMT
>> Connection: close
>>
>> Same problem. Can you test this please?
>>
>>
>> On 2013-11-12 18:26, Kuo Hugo wrote:
>>
>>> Hi
>>>
>>> From my point of view, there may be two potential problems.
>>>
>>> 1. The read ACL does not allow listing the objects in a container by default. And your request is for retrieving the object list of a container, though.
>>>
>>> 2. For Keystone, I think the value of the ACL header should be the username instead of username:tenant-name.
>>>
>>> For reference: http://docs.openstack.org/developer/swift/misc.html#acls [11]
>>>
>>> Perhaps I can test it tomorrow morning.
>>>
>>> +Hugo Kuo+
>>> (+886) 935004793
>>>
>>> SwiftStack Inc.
>>>
>>> 2013/11/13 <thorf...@poivron.org [12]>
>>>
>>>> Hi all,
>>>>
>>>> I use OpenStack Havana (Storage + Identity).
>>>>
>>>> I encountered some problems when I set permissions (ACLs) on OpenStack Swift containers.
>>>>
>>>> My swift proxy-server.conf is here: http://pastebin.com/0hpfebNp [1]
>>>>
>>>> My keystone.conf is here: http://pastebin.com/VUGYbcM5 [2]
>>>>
>>>> I have the tokens of test1:test1 and test2:test2:
>>>>
>>>> curl -s -H 'Content-type: application/json' -d '{"auth": {"tenantName": "test1", "passwordCredentials": {"username": "test1", "password": "test1"}}}' http://192.168.3.100:5000/v2.0/tokens | python -mjson.tool [3]
>>>>
>>>> curl -s -H 'Content-type: application/json' -d '{"auth": {"tenantName": "test2", "passwordCredentials": {"username": "test2", "password": "test2"}}}' http://192.168.3.100:5000/v2.0/tokens | python -mjson.tool [4]
>>>>
>>>> Then, enable read access to test2:test2:
>>>>
>>>> curl -i -X PUT -H "X-Auth-Token: $tokenTest1" -H "X-Container-Read: test2:test2" -H "X-Container-Write: test2:test2" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo [5]
>>>>
>>>> Check the permissions of the container:
>>>>
>>>> curl -k -v -H "X-Auth-Token: $tokenTest1" http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo [6]
>>>>
>>>> This is the reply of the operation:
>>>> < HTTP/1.1 204 No Content
>>>> < Content-Length: 0
>>>> < X-Container-Object-Count: 0
>>>> < X-Container-Write: test2:test2
>>>> < Accept-Ranges: bytes
>>>> < X-Timestamp: 1384268871.16508
>>>> < X-Container-Read: test2:test2
>>>> < X-Container-Bytes-Used: 0
>>>> < Content-Type: text/html; charset=UTF-8
>>>> < Date: Tue, 12 Nov 2013 16:30:16 GMT
>>>>
>>>> Now, the user test2:test2 visits the container of test1:test1:
>>>>
>>>> curl -k -v -H "X-Auth-Token: $tokenTest2" http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo [7]
>>>>
>>>> < HTTP/1.1 403 Forbidden
>>>> < Content-Length: 73
>>>> < Content-Type: text/html; charset=UTF-8
>>>> < Date: Tue, 12 Nov 2013 16:34:24 GMT
>>>> < Connection: close
>>>> <
>>>> * Closing connection 0
>>>> <html><h1>Forbidden</h1><p>Access was denied to this resource.</p></html>
>>>>
>>>> So I got a 403 error. Can someone help me?
>>>>
>>>> Best Regards
>>>>
>>>> _______________________________________________
>>>> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [8]
>>>> Post to     : openstack@lists.openstack.org [9]
>>>> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack [10]
>>>
>>>
>>> Links:
>>> ------
>>> [1] http://pastebin.com/0hpfebNp
>>> [2] http://pastebin.com/VUGYbcM5
>>> [3] http://192.168.3.100:5000/v2.0/tokens
>>> [4] http://192.168.3.100:5000/v2.0/tokens
>>> [5] http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>>> [6] http://192.168.3.100:8080/v1/AUTH_$tenantTest1/foo
>>> [7] http://127.0.0.1:8080/v1/AUTH_$tenantTest1/foo
>>> [8] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> [9] mailto:openstack@lists.openstack.org
>>> [10] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> [11] http://docs.openstack.org/developer/swift/misc.html#acls
>>> [12] mailto:thorf...@poivron.org
>>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
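Added example, not code from the thread, from SwiftStack, or from Swift itself: a small Python model of the decision order Hugo's reply describes for the Keystone auth middleware on Havana, so the thread's requests (test2's own token against AUTH_test1, then the test1-scoped token with the non-operator role and the tenant:user ACL) can be replayed offline. It assumes the account in the URL is the reseller prefix plus the token's tenant ID, that the container's X-Container-Read value is already attached to the request, and it uses made-up tenant IDs, role names and an assumed operator_roles setting. As a modelling choice it also assumes that .rlistings is only consulted for listings granted through .r: referrer entries, while a matching tenant:user entry allows the listing on its own.

```python
"""Model of the keystoneauth decision order described in the thread.

Illustrative code only; not swift/common/middleware/keystoneauth.py.
Assumptions (all constructed for this example):
  * account = reseller_prefix + tenant_id, i.e. AUTH_<tenant id>
  * the container's X-Container-Read value is passed in as `acl`
  * a Keystone token is a dict holding only the fields the middleware reads
  * tenant IDs, role names and OPERATOR_ROLES are made up
"""
from urllib.parse import unquote

RESELLER_PREFIX = "AUTH_"
OPERATOR_ROLES = ("admin", "swiftoperator")  # assumed proxy-server.conf operator_roles

# Constructed tenant IDs (not the IDs from the thread's debug log).
TENANT_IDS = {"test1": "1111aaaa", "test2": "2222bbbb"}
ACCOUNT_TEST1 = RESELLER_PREFIX + TENANT_IDS["test1"]


def v2_token_request(username, password, tenant_name):
    """Body for POST /v2.0/tokens; tenantName decides which tenant the token is scoped to."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username, "password": password}}}


def scoped_token(username, tenant_name, roles):
    """What Keystone hands back for v2_token_request(...), reduced to what keystoneauth reads."""
    return {"user": username, "tenant_name": tenant_name,
            "tenant_id": TENANT_IDS[tenant_name], "roles": [r.lower() for r in roles]}


def parse_acl(acl_string):
    """Split an X-Container-Read value into (referrer hosts, group entries)."""
    referrers, groups = [], []
    for value in (acl_string or "").split(","):
        value = value.strip()
        if value.startswith(".r:"):
            referrers.append(value[len(".r:"):])
        elif value:
            groups.append(unquote(value))
    return referrers, groups


def referrer_allowed(referrer, referrer_acl):
    """Simplified referrer match: '*' matches anything, otherwise exact host; '-host' denies."""
    host = "unknown"
    if referrer:
        host = referrer.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
    allow = False
    for entry in referrer_acl:
        if entry.startswith("-"):
            if entry[1:] == host:
                allow = False
        elif entry == "*" or entry == host:
            allow = True
    return allow


def split_path(path):
    """'/v1/<account>[/<container>[/<object>]]' -> (account, container, object)."""
    parts = path.strip("/").split("/", 3) + [None] * 3
    version, account, container, obj = parts[:4]
    if version != "v1" or not account:
        raise ValueError("unsupported path: %s" % path)
    return account, container, obj


def authorize(token, path, acl=None, referrer=None):
    """Decide a GET on `path`; returns (allowed, reason) in the order the reply describes."""
    account, container, obj = split_path(path)
    # 1. The account must belong to the tenant the token is scoped to. This is the
    #    "tenant mismatch" line in the debug log, and it runs before any ACL is read.
    if account != RESELLER_PREFIX + token["tenant_id"]:
        return False, "tenant mismatch: %s != %s" % (account, token["tenant_id"])
    # 2. An operator role makes the user an owner of the whole account, which is why
    #    the role created for sharing must not be in operator_roles (step 1).
    for role in token["roles"]:
        if role in OPERATOR_ROLES:
            return True, "role %s is in operator_roles: account owner" % role
    # 3. Container ACL. Referrer entries need .rlistings to permit a container listing.
    referrers, groups = parse_acl(acl)
    if referrer_allowed(referrer, referrers):
        if obj or ".rlistings" in groups:
            return True, "allowed by referrer ACL"
        return False, "referrer ACL without .rlistings: listing denied"
    # tenant:user entry, matched against the token's tenant name and user name (step 3).
    if "%s:%s" % (token["tenant_name"], token["user"]) in groups:
        return True, "allowed by tenant:user ACL entry"
    # A bare role name in the ACL matches any of the token's roles.
    for role in token["roles"]:
        if role in groups:
            return True, "allowed by role %s in ACL" % role
    return False, "no matching ACL entry"


def replay_thread():
    """The thread's requests replayed against the model."""
    container = "/v1/%s/foo" % ACCOUNT_TEST1
    obj = container + "/report.txt"
    # Original post: test2 uses a token scoped to its own tenant, denied before the ACL is read.
    own = scoped_token("test2", "test2", ["_member_"])
    # Hugo's fix: test2 holds the non-operator role 'share' in tenant test1 and asks for a
    # token scoped to test1 (tenantName = test1 in the v2 request body, step 4).
    shared = scoped_token("test2", "test1", ["share"])
    return {
        "own_token_listing": authorize(own, container, "test2:test2"),
        "scoped_token_object": authorize(shared, obj, "test1:test2"),
        "scoped_token_listing": authorize(shared, container, "test1:test2,.rlistings"),
        "acl_without_entry": authorize(shared, obj, "test1:someoneelse"),
        "operator_role_ignores_acl": authorize(scoped_token("test2", "test1", ["admin"]), obj, ""),
        "referrer_listing_needs_rlistings": authorize(shared, container, ".r:*", "http://example.org/"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in replay_thread().items():
        print("%-34s %s  (%s)" % (name, "200" if allowed else "403", reason))
```

Run it with python3: the own-token case produces the same "tenant mismatch" reason as the debug log in Hugo's reply, and the test1-scoped token with role share gets through to the ACL. Adding "share" to OPERATOR_ROLES shows why step 1 insists on a non-operator role: the ACL is then never consulted and the user owns the whole account.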