Using ACL’s in Object Storage on SoftLayer

When you are using Object Storage in SoftLayer, there will come a time when you need to share files with other SoftLayer accounts. Unfortunately, manipulating container ACLs does not appear to be supported via the SoftLayer portal. But since the SoftLayer Object Storage API is compatible with OpenStack Swift, we can solve this problem using the API. This also means the examples in this post should work with any OpenStack Swift compatible Object Storage implementation.

I found howto’s around this topic hard to come by, so I have written up this quick guide.

First of all, ensure you have a working Python installation, and you have pip installed.

Next, install the python-swiftclient module:

$ pip install python-swiftclient

Hopefully you now have a working swift command line, like so:

$ swift
Usage: swift [--version] [--help] [--os-help] [--snet] [--verbose]
[--debug] [--info] [--quiet] [--auth <auth_url>]
[--auth-version <auth_version> |
[...]

For this example, I am using two swift configurations implemented via environment variables.  In SoftLayer, you can get your credentials from the Object Storage screen by clicking View Credentials:

For User A:

UserA$ cat user-a-swift-vars.sh
export ST_USER=SLO12345-2:UserA@me.com
export ST_KEY=1871e8b4595079a…
export ST_AUTH=https://syd01.objectstorage.softlayer.net/auth/v1.0/

For User B:

UserB$ cat user-b-swift-vars.sh
export ST_USER=SLO22345-2:UserB@me.com
export ST_KEY=9fe12cc1927a5877…
export ST_AUTH=https://syd01.objectstorage.softlayer.net/auth/v1.0/

Source each shell file:

UserA$ . user-a-swift-vars.sh
UserB$ . user-b-swift-vars.sh

Now, we want to share the MyNewContainer container in UserA's SoftLayer account with UserB.

In the SoftLayer GUI under Object Storage the container looks like this:

Let's look at the default ACLs on MyNewContainer:

UserA$ swift stat MyNewContainer
 Account: AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c
 Container: MyNewContainer
 Objects: 2
 Bytes: 5
 Read ACL:
 Write ACL:
 Sync To:
 Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: standard
 X-Timestamp: 1462838226.47452
 X-Trans-Id: tx51d3b7ac89f64502ad3ba-0057314450
 Content-Type: text/plain; charset=utf-8

They look empty to me. Now, let's get UserB to try to list the contents of the above container. Note that we need to specify the storage URL, which you can find in the SoftLayer Object Storage GUI, or you can build it from the AUTH_ account value in the output of the swift stat command above. Pass --os-storage-url to swift and you can attempt to access the container:

UserB$ swift --os-storage-url https://syd01.objectstorage.softlayer.net/v1.0/AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c list MyNewContainer
Container GET failed: https://syd01.objectstorage.softlayer.net/v1.0/AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c/MyNewContainer?format=json 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

As expected, it does not work.

Now update the ACL for MyNewContainer by adding UserB into the ACL:

UserA$ swift post MyNewContainer --read-acl "SLO22345-2:UserB@me.com"

Check that the ACL was applied:

UserA$ swift stat MyNewContainer
 Account: AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c
 Container: MyNewContainer
 Objects: 2
 Bytes: 5
 Read ACL: SLO22345-2:UserB@me.com
 Write ACL:
 Sync To:
 Sync Key:
 Accept-Ranges: bytes
 X-Trans-Id: txfb18c6b3823c444b8e56b-005731449b
X-Storage-Policy: standard
 X-Timestamp: 1462838226.47452
 Content-Type: text/plain; charset=utf-8

Now have UserB list the contents of MyNewContainer again. This time it succeeds:

UserB$ swift --os-storage-url https://syd01.objectstorage.softlayer.net/v1.0/AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c list MyNewContainer
Files
Files/test.txt
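
Checking the Read ACL line by eye works for one container. The following is an added example, not part of the original post, that parses `swift stat` output and reports any ACL entry that is public or not on an expected list. The function names are hypothetical, the second sample and its `SLO99999-9:Other@example.com` grantee are constructed, and `.r:` and `.rlistings` are standard Swift ACL elements that the post itself does not use.

```python
# Added example (not from the original post): audit ACLs in `swift stat` output.

def parse_stat(text):
    """Turn `swift stat` output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def split_acl(acl):
    """Split an ACL string into (referrer rules, listings flag, account:user grants)."""
    referrers, listings, grants = [], False, []
    for item in (part.strip() for part in acl.split(",")):
        if item == ".rlistings":
            listings = True
        elif item.startswith((".r:", ".ref:", ".referer:", ".referrer:")):
            referrers.append(item.split(":", 1)[1])
        elif item:
            grants.append(item)
    return referrers, listings, grants

def audit(stat_text, allowed_readers=(), allowed_writers=()):
    """Return findings for every ACL entry that is public or not expected."""
    fields, findings = parse_stat(stat_text), []
    for label, allowed in (("Read ACL", allowed_readers), ("Write ACL", allowed_writers)):
        referrers, listings, grants = split_acl(fields.get(label, ""))
        for ref in referrers:
            if not ref.startswith("-"):          # ".r:-host" is a deny rule
                findings.append(f"{label}: .r:{ref} grants access without authentication")
        if listings:
            findings.append(f"{label}: .rlistings lets anonymous readers list object names")
        findings += [f"{label}: unexpected grantee {g}" for g in grants if g not in allowed]
    return findings

# ACL-relevant lines of the `swift stat` output shown in the post.
STAT_SHARED = """ Container: MyNewContainer
 Read ACL: SLO22345-2:UserB@me.com
 Write ACL:
"""
# Constructed sample: the same container opened for public read.
STAT_PUBLIC = """ Container: MyNewContainer
 Read ACL: .r:*,.rlistings,SLO99999-9:Other@example.com
 Write ACL:
"""

if __name__ == "__main__":
    for finding in audit(STAT_PUBLIC, allowed_readers={"SLO22345-2:UserB@me.com"}):
        print(finding)
```

Feed it the output of `swift stat <container>` for each container you share, with the grantees you intended in `allowed_readers`; an empty result means the ACL matches what you meant to grant.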

That's it!  Some references I used for this post:

https://swiftstack.com/docs/integration/python-swiftclient.html

https://swiftstack.com/docs/cookbooks/swift_usage/container_acl.html?highlight=acl

http://docs.openstack.org/developer/swift/misc.html?highlight=acl#swift.common.middleware.acl

https://www.ibm.com/support/knowledgecenter/#!/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_createreadacl.htm

http://sldn.softlayer.com/blog/waelriac/managing-softlayer-object-storage-through-rest-apis

http://sldn.softlayer.com/reference/objectstorageapi

3 thoughts on “Using ACL’s in Object Storage on SoftLayer”

  1. Thanks for this post – it’s very informative! I’m wondering if you have also explored using versioning in ObjectStorage. The description from Open Stack seems like it is basically a stack metaphor for object versions. You can peek into the stack, but if you pop the most recent version, it is gone forever, and you see the 2nd most recent version of the object as the current one. This isn’t that useful for cases like protecting against accidental deletions…. any idea if there are other features related to versioning?

    1. My understanding is that you have to download the version you want, and re-upload it if you need to go back to another version. All versions remain until the container is deleted.

  2. Hello!.. In case somebody wants to do the same on the Object Storage SWIFT in Bluemix, I found out that the user is defined by taking the fields projectId:userId from the credentials of the service.
