Using ACLs in Object Storage on SoftLayer


When you are using Object Storage in SoftLayer, there will come a time when you need to share files with other SoftLayer accounts.  Unfortunately, manipulating container ACLs does not appear to be supported via the SoftLayer portal.  However, the SoftLayer Object Storage API is compatible with OpenStack Swift, so we can solve this problem using the API.  This also means the examples in this post should work with any OpenStack Swift compatible Object Storage implementation.

I found how-tos on this topic hard to come by, so I have written up this quick guide.

First of all, ensure you have a working Python installation, and you have pip installed.

Next, install the python-swiftclient module:

$ pip install python-swiftclient

You should now have a working swift command-line client, like so:

$ swift
Usage: swift [--version] [--help] [--os-help] [--snet] [--verbose]
[--debug] [--info] [--quiet] [--auth <auth_url>]
[--auth-version <auth_version> |
[...]

For this example, I am using two swift configurations, each set up through environment variables.  In SoftLayer, you can get your credentials from the Object Storage screen by clicking View Credentials.

For User A:

UserA$ cat user-a-swift-vars.sh
export ST_USER=SLO12345-2:UserA@me.com
export ST_KEY=1871e8b4595079a…
export ST_AUTH=https://syd01.objectstorage.softlayer.net/auth/v1.0/

For User B:

UserB$ cat user-b-swift-vars.sh
export ST_USER=SLO22345-2:UserB@me.com
export ST_KEY=9fe12cc1927a5877…
export ST_AUTH=https://syd01.objectstorage.softlayer.net/auth/v1.0/

Source each shell file:

UserA$ . user-a-swift-vars.sh
UserB$ . user-b-swift-vars.sh

Now, we want to share the MyNewContainer container in UserA's SoftLayer account with UserB.

In the SoftLayer GUI under Object Storage the container looks like this:

[Screenshot of the container in the SoftLayer Object Storage GUI]

Let's look at the default ACLs on MyNewContainer:

UserA$ swift stat MyNewContainer
 Account: AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c
 Container: MyNewContainer
 Objects: 2
 Bytes: 5
 Read ACL:
 Write ACL:
 Sync To:
 Sync Key:
 Accept-Ranges: bytes
X-Storage-Policy: standard
 X-Timestamp: 1462838226.47452
 X-Trans-Id: tx51d3b7ac89f64502ad3ba-0057314450
 Content-Type: text/plain; charset=utf-8

They look empty to me.  Now, let's get UserB to try to list the contents of the above container.  Note that we need to specify the storage URL, which you can find either in the SoftLayer Object Storage GUI or by extracting the AUTH_ account value from the swift stat output above.  Pass --os-storage-url to swift and you can attempt to access the container:

UserB$ swift --os-storage-url https://syd01.objectstorage.softlayer.net/v1.0/AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c list MyNewContainer
Container GET failed: https://syd01.objectstorage.softlayer.net/v1.0/AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c/MyNewContainer?format=json 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc

As expected, it does not work.

Now update the ACL for MyNewContainer by adding UserB into the ACL:

UserA$ swift post MyNewContainer --read-acl "SLO22345-2:UserB@me.com"

Check that the ACL was applied:

UserA$ swift stat MyNewContainer
 Account: AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c
 Container: MyNewContainer
 Objects: 2
 Bytes: 5
 Read ACL: SLO22345-2:UserB@me.com
 Write ACL:
 Sync To:
 Sync Key:
 Accept-Ranges: bytes
 X-Trans-Id: txfb18c6b3823c444b8e56b-005731449b
X-Storage-Policy: standard
 X-Timestamp: 1462838226.47452
 Content-Type: text/plain; charset=utf-8

Now have UserB list the contents of MyNewContainer again; this time it succeeds:

UserB$ swift --os-storage-url https://syd01.objectstorage.softlayer.net/v1.0/AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c list MyNewContainer
Files
Files/test.txt
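
The ACL check above is done by eye. As an added example (not part of the original post), the shell function below reads swift stat output and lists any Read or Write ACL entry that is not on a list of expected grantees. The function name audit_acl, the extra grantee and the .r:* referrer entry in the sample are constructed for illustration.

```shell
# Added example: check the ACL lines of `swift stat <container>` output
# against the grantees you expect to see.

# audit_acl KIND ALLOWED      (reads `swift stat` output on stdin)
#   KIND    : Read or Write
#   ALLOWED : comma-separated expected grantees, no spaces around commas
# Prints each ACL entry that is not in ALLOWED; status 1 if any was found.
# The body runs in a subshell so IFS and `set -f` do not leak to the caller.
audit_acl() (
    kind=$1 allowed=$2 rc=0
    # Value after "Read ACL:" / "Write ACL:"; empty when no ACL is set.
    acl=$(sed -n "s/^[[:space:]]*${kind} ACL:[[:space:]]*//p")
    set -f          # entries such as .r:* must not be glob-expanded
    IFS=','
    for entry in $acl; do
        # Trim whitespace around each comma-separated entry.
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        case ",$allowed," in
            *",$entry,"*) ;;                      # expected grantee
            *) printf '%s\n' "$entry"; rc=1 ;;    # unexpected grantee
        esac
    done
    exit "$rc"
)

# Constructed sample, modelled on the `swift stat` output in the post, with
# one extra grantee and a Swift referrer entry (.r:*) added for the demo.
sample_stat() {
    cat <<'EOF'
 Account: AUTH_150fef84-e459-4df7-a050-9f9f9f9f9f9c
 Container: MyNewContainer
 Read ACL: SLO22345-2:UserB@me.com,SLO99999-9:Other@example.com,.r:*
 Write ACL:
EOF
}

# Demo: only UserB is expected to have read access.
sample_stat | audit_acl Read "SLO22345-2:UserB@me.com" \
    || echo "unexpected Read ACL entries listed above"
```

Against a live container, pipe the real output in: swift stat MyNewContainer | audit_acl Read "SLO22345-2:UserB@me.com".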

That's it!  Some references I used for this post:

https://swiftstack.com/docs/integration/python-swiftclient.html

https://swiftstack.com/docs/cookbooks/swift_usage/container_acl.html?highlight=acl

http://docs.openstack.org/developer/swift/misc.html?highlight=acl#swift.common.middleware.acl

https://www.ibm.com/support/knowledgecenter/#!/STXKQY_4.2.0/com.ibm.spectrum.scale.v4r2.adm.doc/bl1adm_createreadacl.htm

http://sldn.softlayer.com/blog/waelriac/managing-softlayer-object-storage-through-rest-apis

http://sldn.softlayer.com/reference/objectstorageapi
