Container ACLs

Container Access Control Lists (ACLs) are available on any Swift cluster, and are enabled per container, rather than per cluster.

For broader account-level access control, see Account ACLs.

ACL Format

.r:*                              All referrers.
.r:example.com,swift.example.com  Comma-separated list of referrers.
.rlistings                        Container listing access.
AUTH_<username>                   Access for a particular SwiftStack Auth user.
LDAP_<username>                   Access for a particular user of LDAP-based Authentication for SwiftStack Auth.
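
An added example, not SwiftStack's code: a small Python check that classifies the elements of an ACL string using the table above and flags values that grant access without a token, for reviewing a value before it is sent in X-Container-Read or X-Container-Write. The function names are hypothetical, and reading a bare item after a `.r:` element as a further referrer is an assumption taken from the second row of the table.

```python
# Added example: classify container ACL elements and flag token-less access.
# parse_acl() and audit() are hypothetical helpers, not part of any Swift tool.
USER_PREFIXES = ("AUTH_", "LDAP_")


def parse_acl(acl):
    """Split an ACL string into (kind, value) pairs using the ACL Format table."""
    elements = []
    in_referrer_list = False
    for item in (part.strip() for part in acl.split(",")):
        if not item:
            continue
        if item == ".rlistings":
            kind, value = "listings", item
        elif item.startswith(".r:"):
            kind, value = "referrer", item[3:]
        elif item.startswith(USER_PREFIXES):
            kind, value = "user", item
        elif in_referrer_list and not item.startswith("."):
            # Assumption: a bare item after ".r:" continues the referrer list.
            kind, value = "referrer", item
        else:
            kind, value = "unknown", item
        in_referrer_list = kind == "referrer"
        elements.append((kind, value))
    return elements


def audit(read_acl="", write_acl=""):
    """Return sorted findings for ACL elements that are not per-user grants."""
    findings = set()
    for kind, value in parse_acl(read_acl):
        if kind == "referrer" and value == "*":
            findings.add("read: objects readable by anyone holding the URL")
        elif kind == "referrer":
            findings.add("read: allowed by client-supplied Referer " + value)
        elif kind == "listings":
            findings.add("read: container listing access granted (.rlistings)")
        elif kind == "unknown":
            findings.add("read: unrecognised element " + value)
    for kind, value in parse_acl(write_acl):
        if kind != "user":
            findings.add("write: " + kind + " element " + value)
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real cluster.
    print("\n".join(audit(".r:*,.rlistings", "AUTH_bill")))
```

An empty result means every element is a per-user grant; any finding is a prompt to confirm the exposure is intended.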

Setting Container Read ACL

Using the `swift` command line tool

swift post -r '<ACL>' <container> [-A AUTH_URL] [-U user] [-K password]

Using `curl`

See Authentication and Authorization for instructions on getting the TOKEN and STORAGE_URL. Use POST if the container already exists, or PUT if it does not.

curl -X <PUT|POST> -i -H "X-Auth-Token: <TOKEN>" -H "X-Container-Read: <ACL>" <STORAGE_URL>/<container>

$ curl -X PUT -i \
>         -H "X-Auth-Token: AUTH_tke9a821bd80984f31ac106e8e445a3372" \
>         -H "X-Container-Read: .r:*" \
>         http://swift.example.com/v1/AUTH_bob/everyone_can_read_container
HTTP/1.1 201 Created
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: tx9b1f560ed4694373a0326-00523cb2e4
Date: Fri, 20 Sep 2013 20:41:08 GMT

Making a GET Request

Once the container's read ACL allows all referrers, GET requests for its objects no longer require a token, so the swift command line tool is not needed. Because the user does not authenticate to obtain a token, they must already have the full URL of the object they are GETting, for example http://swift.example.com/v1/AUTH_bob/everyone_can_read_container/file.txt.

curl <URL>

Setting Container Write ACL

Using the `swift` command line tool

swift post -w '<ACL>' <container> [-A AUTH_URL] [-U user] [-K password]

Using `curl`

See Authentication and Authorization for instructions on getting the TOKEN and STORAGE_URL. Use POST if the container already exists, or PUT if it does not.

curl -X <PUT|POST> -i -H "X-Auth-Token: <TOKEN>" -H "X-Container-Write: <ACL>" <STORAGE_URL>/<container>

$ curl -X POST -i \
>         -H "X-Auth-Token: AUTH_tke9a821bd80984f31ac106e8e445a3372" \
>         -H "X-Container-Write: AUTH_bill" \
>         http://swift.example.com/v1/AUTH_bob/everyone_can_write_container
HTTP/1.1 204 No Content
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txff0f993810e742b7acc0a-00523cb3c4
Date: Fri, 20 Sep 2013 20:44:52 GMT

Making a PUT Request

Since we set the write ACL to AUTH_bill (publicly writable containers are rare), user bill will need a token to PUT the file. See Authentication and Authorization for instructions on getting the TOKEN and STORAGE_URL. The object URL will be, for example, http://swift.example.com/v1/AUTH_bob/everyone_can_write_container/upload.txt.

curl -H "X-Auth-Token: <TOKEN>" -X PUT <STORAGE_URL>/<container>/<object> --data-binary @<filename>

Removing ACLs

To remove container ACLs, you need to update the container's read and write ACLs separately.

Using the `swift` command line tool

swift post -r "" <container> [-A AUTH_URL] [-U user] [-K password]

swift post -w "" <container> [-A AUTH_URL] [-U user] [-K password]

Using `curl`

Send the X-Remove-Container-Read or X-Remove-Container-Write headers with any value to remove read or write ACLs from the container, respectively.

X-Remove-Container-Read: <ANY_STRING>

curl -X POST -i -H "X-Auth-Token: <TOKEN>" -H "X-Remove-Container-Read: <ANY_STRING>" <STORAGE_URL>/<container>

X-Remove-Container-Write: <ANY_STRING>

curl -X POST -i -H "X-Auth-Token: <TOKEN>" -H "X-Remove-Container-Write: <ANY_STRING>" <STORAGE_URL>/<container>

$ curl -X POST -i \
>         -H "X-Auth-Token: AUTH_tke9a821bd80984f31ac106e8e445a3372" \
>         -H "X-Remove-Container-Write: 1" \
>         http://swift.example.com/v1/AUTH_bob/everyone_can_write_container
HTTP/1.1 204 No Content
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Trans-Id: txff0f993810e742b7acc0a-00523cb3c4
Date: Fri, 20 Sep 2013 20:44:52 GMT