Using OpenStack Object Storage ACLs
by Tony Campbell, Egle Sigler, Cody Bunch, Kevin Jackson, Sunil Sarat, Alok Shrivas
OpenStack: Building a Cloud Environment
- OpenStack: Building a Cloud Environment
- Table of Contents
- OpenStack: Building a Cloud Environment
- OpenStack: Building a Cloud Environment
- Credits
- Preface
- 1. Module 1
- 1. An Introduction to OpenStack
- 2. Authentication and Authorization Using Keystone
- Identity concepts in Keystone
- Architecture and subsystems
- Installing common components
- Installing Keystone
- Verifying the installation
- Troubleshooting the installation and configuration
- Summary
- 3. Storing and Retrieving Data and Images using Glance, Cinder, and Swift
- Introducing storage services
- Working with Glance
- Working with Cinder
- Working with Swift
- Troubleshooting steps
- Summary
- 4. Building Your Cloud Fabric Controller Using Nova
- 5. Technology-Agnostic Network Abstraction Using Neutron
- The software-defined network paradigm
- Neutron
- Installing Neutron
- Troubleshooting Neutron
- Summary
- 6. Building Your Portal in the Cloud
- 7. Your OpenStack Cloud in Action
- 8. Taking Your Cloud to the Next Level
- Working with Heat
- Ceilometer
- Installing Ceilometer
- Installing Ceilometer on the compute node
- Installing Ceilometer on the storage node
- Testing the installation
- Billing and usage reporting
- Summary
- 9. Looking Ahead
- A. New Releases
- 2. Module 2
- 1. Keystone – OpenStack Identity Service
- Introduction
- Installing the OpenStack Identity Service
- Configuring OpenStack Identity for SSL communication
- Creating tenants in Keystone
- Configuring roles in Keystone
- Adding users to Keystone
- Defining service endpoints
- Creating the service tenant and service users
- Configuring OpenStack Identity for LDAP Integration
- 2. Glance – OpenStack Image Service
- Introduction
- Installing OpenStack Image Service
- Configuring OpenStack Image Service with OpenStack Identity Service
- Configuring OpenStack Image Service with OpenStack Object Storage
- Managing images with OpenStack Image Service
- Registering a remotely stored image
- Sharing images among tenants
- Viewing shared images
- Using image metadata
- Migrating a VMware image
- Creating an OpenStack image
- 3. Neutron – OpenStack Networking
- Introduction
- Installing Neutron and Open vSwitch on a dedicated network node
- Configuring Neutron and Open vSwitch
- Installing and configuring the Neutron API service
- Creating a tenant Neutron network
- Deleting a Neutron network
- Creating an external floating IP Neutron network
- Using Neutron networks for different purposes
- Configuring Distributed Virtual Routers
- Using Distributed Virtual Routers
- 4. Nova – OpenStack Compute
- Introduction
- Installing OpenStack Compute controller services
- Installing OpenStack Compute packages
- Configuring database services
- Configuring OpenStack Compute
- Configuring OpenStack Compute with OpenStack Identity Service
- Stopping and starting nova services
- Installation of command-line tools on Ubuntu
- Using the command-line tools with HTTPS
- Checking OpenStack Compute services
- Using OpenStack Compute
- Managing security groups
- Creating and managing key pairs
- Launching our first cloud instance
- Fixing a broken instance deployment
- Terminating your instances
- Using live migration
- Working with nova-schedulers
- Creating flavors
- Defining host aggregates
- Launching instances in specific Availability Zones
- Launching instances on specific Compute hosts
- Removing Nova nodes from a cluster
- 5. Swift – OpenStack Object Storage
- Introduction
- Configuring Swift services and users in Keystone
- Installing OpenStack Object Storage services – proxy server
- Configuring OpenStack Object Storage – proxy server
- Installing OpenStack Object Storage services – storage nodes
- Configuring physical storage for use with Swift
- Configuring Object Storage replication
- Configuring OpenStack Object Storage – storage services
- Making the Object Storage rings
- Stopping and starting OpenStack Object Storage
- Setting up SSL access
- 6. Using OpenStack Object Storage
- 7. Administering OpenStack Object Storage
- 8. Cinder – OpenStack Block Storage
- 9. More OpenStack
- Introduction
- Using cloud-init to run post-installation commands
- Using cloud-config to run the post-installation configuration
- Installing OpenStack Telemetry
- Using OpenStack Telemetry to interrogate usage statistics
- Installing Neutron LBaaS
- Using Neutron LBaaS
- Configuring Neutron FWaaS
- Using Neutron FWaaS
- Installing the Heat OpenStack Orchestration service
- Using Heat to spin up instances
- 10. Using the OpenStack Dashboard
- Introduction
- Installing OpenStack Dashboard
- Using OpenStack Dashboard for key management
- Using OpenStack Dashboard to manage Neutron networks
- Using OpenStack Dashboard for security group management
- Using OpenStack Dashboard to launch instances
- Using OpenStack Dashboard to terminate instances
- Using OpenStack Dashboard to connect to instances using a VNC
- Using OpenStack Dashboard to add new tenants – projects
- Using OpenStack Dashboard for user management
- Using OpenStack Dashboard with LBaaS
- Using OpenStack Dashboard with OpenStack Orchestration
- 11. Production OpenStack
- Introduction
- Installing the MariaDB Galera cluster
- Configuring HA Proxy for the MariaDB Galera cluster
- Configuring HA Proxy for high availability
- Installing and configuring Pacemaker with Corosync
- Configuring OpenStack services with Pacemaker and Corosync
- Bonding network interfaces for redundancy
- Automating OpenStack installations using Ansible – host configuration
- Automating OpenStack installations using Ansible – Playbook configuration
- Automating OpenStack installations using Ansible – running Playbooks
- 1. Keystone – OpenStack Identity Service
- 3. Module 3
- 1. The Troubleshooting Toolkit
- 2. Troubleshooting OpenStack Identity
- 3. Troubleshooting the OpenStack Image Service
- 4. Troubleshooting OpenStack Networking
- 5. Troubleshooting OpenStack Compute
- 6. Troubleshooting OpenStack Block Storage
- 7. Troubleshooting OpenStack Object Storage
- 8. Troubleshooting the OpenStack the Orchestration Service
- 9. Troubleshooting the OpenStack Telemetry Service
- 10. OpenStack Performance, Availability, and Reliability
- A. Bibliography
- Index
Access Control Lists (ACLs) allow us to have greater control over individual objects and containers without requiring full read/write access to a particular container. With ACLs, you can expose containers globally or restrict them to individual tenants and users.
Ensure you are logged in to a Ubuntu host that has access to our OpenStack environment on the 192.168.100.0/24 public network. This host will be used to run client tools against the OpenStack environment created. If you are using the accompanying Vagrant environment, as described in the Preface, you can use the controller node. It has the python-swiftclient package installed that provides the swift command-line client.
If you created this node with Vagrant, you can execute the following command:
vagrant ssh controller
Ensure you have set the following credentials (adjust the path to your certificates and key file to match your environment if not using the Vagrant environment):
export OS_TENANT_NAME=cookbook export OS_USERNAME=admin export OS_PASSWORD=openstack export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/ export OS_NO_CACHE=1 export OS_KEY=/vagrant/cakey.pem export OS_CACERT=/vagrant/ca.pem
Carry out the following steps:
- We will first create an account in our OpenStack Identity Server that is only a
Memberin the cookbooktenant. We will call this useruser. The code is as follows:export ENDPOINT=192.168.100.200 export SERVICE_TOKEN=ADMIN export SERVICE_ENDPOINT=https://${ENDPOINT}:35357/v2.0 export OS_KEY=/vagrant/cakey.pem export OS_CACERT=/vagrant/ca.pem # First get TENANT_ID related to our 'cookbook' tenant TENANT_ID=$(keystone tenant-list | awk ' / cookbook / {print $2}') # We then create the user specifying the TENANT_ID keystone user-create --name test_user --tenant_id $TENANT_ID --pass openstack --email user@localhost --enabled true # We get this new user's ID USER_ID=$(keystone user-list | awk ' / user / {print $2}') # We get the ID of the 'Member' role ROLE_ID=$(keystone role-list | awk ' / Member / {print $2}') # Finally add the user to the 'Member' role in cookbook keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $TENANT_ID - After creating our new user, we will now create a container using a user that has admin privileges (and therefore a container that our new user initially doesn't have access to), as follows:
swift post testACL - We will then set this container to be read-only for our user named
test_user:swift post –r test_user testACL - We will upload a file to this container using our new user:
swift upload testACL /tmp/test/test1This brings back an "HTTP 403 Forbidden" message similar like this:
Object HEAD failed: https://proxy-server:8080/v1/AUTH_53d87d9b66794904aa2c84c17274392b/testACL/tmp/test/test1 403 Forbidden - We will now give write access to the
testACLcontainer for our user by allowing write access to the container:swift post –w test_user –r test_user testACL - When we try to upload the file again, it is successful:
swift upload testACL /tmp/test/test1
Granting access control is done on a container basis and is achieved at the user level. When a user creates a container, other users can be granted that access by adding them to the container. The users will then be granted read and write access to containers, for example:
swift post -w user -r user container
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.