Account ACLs

Account Access Control Lists (ACLs) are a core Swift feature starting in Swift 1.13. Auth systems which support Account ACLs allow users to grant account-level access to other users. You can read more about account ACLs in the core Swift documentation.

SwiftStack Auth supports account ACLs, and their use and syntax follow the model set by TempAuth.

For more granular access control, Container ACLs may be more appropriate.

Access Levels

SwiftStack Auth's account ACLs allow you to grant the following levels of access to everything in the account:

| Access Level | Description |
|---|---|
| read-only | These identities can read everything (except privileged headers) in the account. Specifically, a user with read-only account access can get a list of containers in the account, list the contents of any container, retrieve any object, and see the (non-privileged) headers of the account, any container, or any object. |
| read-write | These identities can read or write (or create) any container. A user with read-write account access can create new containers, set any unprivileged container headers, overwrite objects, delete containers, etc. A read-write user can NOT set account headers (or perform any PUT/POST/DELETE requests on the account). |
| admin | These identities have "swift_owner" privileges. A user with admin account access can do anything the account owner can, including setting account headers and any privileged headers -- and thus granting read-only, read-write, or admin access to other users. |

ACL Format

Account ACLs use a JSON dictionary format. The dictionary's keys are the access levels described above (i.e., any combination of read-only, read-write, and admin). Each key's value is a list of authorization groups. (Each user gets a default authorization group which looks like that user's account name, e.g. user alice gets a default authorization group named AUTH_alice, such that the AUTH_alice group contains user alice and no other users.)

Since manually typing JSON dictionaries is prone to human error, we recommend generating the ACLs programmatically, as follows:

from swift.common.middleware.acl import format_acl
acl_data = { 'admin': ['AUTH_alice'], 'read-write': ['LDAP_admins'] }
acl_string = format_acl(version=2, acl_dict=acl_data)
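
A pre-flight check for a hand-written header value, as an added example that is not part of the original documentation or of Swift's own code. It assumes only the three access levels and the list-of-groups structure described above; the function names, the sample values, and the rule that a group listed under two levels is flagged are choices of this sketch.

```python
import json

# Access levels named on this page; any other key is treated as a typo.
ACCESS_LEVELS = ("admin", "read-write", "read-only")


def check_account_acl(header_value):
    """Parse an X-Account-Access-Control value; return (acl, problems)."""
    try:
        acl = json.loads(header_value)
    except ValueError as exc:  # json.JSONDecodeError subclasses ValueError
        return None, ["not valid JSON: %s" % exc]
    if not isinstance(acl, dict):
        return None, ["top level must be a JSON dictionary"]

    problems = []
    granted = {}  # group -> first level it was seen under
    for level, groups in acl.items():
        if level not in ACCESS_LEVELS:
            problems.append("unknown access level %r" % level)
            continue
        if not isinstance(groups, list):
            problems.append("%r must map to a list of groups" % level)
            continue
        for group in groups:
            if not isinstance(group, str) or not group.strip():
                problems.append("%r has a non-string or empty group" % level)
            elif group in granted:
                # Policy of this sketch (an assumption): flag ambiguous grants.
                problems.append("%r listed under both %r and %r"
                                % (group, granted[group], level))
            else:
                granted[group] = level
    return acl, problems


def admin_groups(acl):
    """Groups that can re-grant access, since admin may set account headers."""
    return sorted(acl.get("admin", []))


# Constructed sample values, not taken from a real cluster.
GOOD = '{"admin":["AUTH_alice"],"read-only":["AUTH_readers"]}'
TYPO = '{"admin":"AUTH_alice","readonly":["AUTH_readers"]}'

if __name__ == "__main__":
    for value in (GOOD, TYPO, "{}"):
        acl, problems = check_account_acl(value)
        admins = admin_groups(acl) if not problems else "n/a"
        print(value, "->", problems or "ok", "| admin groups:", admins)
```

Reviewing the admin list before each POST matters because, as the access-level table states, every group under admin can grant access to further users.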

Setting ACLs

To set an account ACL, you need administrative (swift_owner) access to the account. You will send a POST request to the account's URL, with the header X-Account-Access-Control set to the JSON dictionary representation of the ACL:

curl -X POST -i -H "X-Auth-Token: <TOKEN>" \
  -H 'X-Account-Access-Control: {"admin":["AUTH_alice"],"read-only":["AUTH_readers"]}' \
  <STORAGE_URL>

Once the POST completes successfully, subsequent requests from newly-authorized users should succeed immediately.

Removing ACLs

To remove an account ACL, set the ACL to {}, the empty dictionary:

curl -X POST -i -H "X-Auth-Token: <TOKEN>" \
  -H 'X-Account-Access-Control: {}' \
  <STORAGE_URL>