Set up Cloud Files and ACLs
This tutorial teaches account owners how to use Access Control Lists (ACLs)
with Cloud Files. A Cloud Files ACL enables account owners to specify read or
write access to a particular container for a specific user.
Set up a new user
Use the following steps to set up a new Role-Based Access Control (RBAC) user:
- Log in to the Cloud Control Panel.
- Click on your username at the top right of the screen, then click
User Management. - Click Create User.
- Enter the user's information and click Create User.
- On the User Details page that appears, assign the user
roles. Under
User Permissions, ensure that you leave the Cloud Files role set
to No Access. - In the Security Settings section, click Show to display your
Rackspace API Key and make a note of it.
About container headers
You cannot create ACLs in the Cloud Control Panel. However, you can enable
container-level access by using cURL and passing in the following headers:
X-Container-Read
: This header holds a comma-delimited list
of the users that can read the container. It allows the GET HTTP method for
all of the objects in the container.X-Container-Write
: This header holds a comma-delimited
list of users that can write to the container. It allows the PUT, POST, COPY
and DELETE HTTP methods for all of the objects in the container.
You set these special headers only on containers. The headers apply to all of the
objects in a container.
For example, if you create a user named RBAC_USER
and have a container named
ACL_Container
in Cloud Files, you can give this user read access to
ACL_Container
by setting the X-Container-Read
header to RBAC_USER
.
Similarly, you can give the user write access to ACL_Container
by setting its
X-Container-Write header
to RBAC_USER
.
You do not need to include yourself in either ACL because the account owner
always has read and write access to everything in their Cloud Files
account. If you create additional users, you can set the header values to
RBAC_USER, RBAC_USER2, RBAC_USER3,
where a space before or after a comma is
acceptable.
Authenticate by using cURL
First, you need to authenticate with the Identity service by
using your username and API key, as shown in the following example:
curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens -d '{ "auth":{ "RAX-KSKEY:apiKeyCredentials":{ "username":"USERNAME_HERE", "apiKey":"API_KEY_HERE" } } }' -H "Content-type: application/json" |python -m json.tool
The response to this request includes a token
, as shown
in the following example:
"token": {
"RAX-AUTH:authenticatedBy": [
"APIKEY"
],
"expires": "2014-09-12T03:02:40.024Z",
"id": "TOKEN_HERE",
"tenant": {
"id": "ACCOUNT_ID",
"name": "ACCOUNT_ID"
}
},
.
.
.
Create a container
Next, create a container by using the token that you retrieved. You need to
provide the following information in the request:
- The token
- The correct storage endpoint
- The name of the container that you are creating
The following example creates the container ACL_Container
by using cURL:
curl -XPUT -H 'X-Auth-Token: $token' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/ACL_Container
Alternatively, you can use the python-swiftclient, or swift, a Python-based tool that is primarily used to manage Rackspace Cloud
Files.
The following example creates the same container by using swift:
swift -A https://auth.api.rackspacecloud.com/v1.0 -U USERNAME_HERE -K API_KEY_HERE post ACL_Container
Add ACLs to the container
After you have successfully added the container, you can add ACLs to the
container by using a cURL command that is similar to the following example:
curl -XPOST -H 'X-Auth-Token: $token' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/ACL_Container -H 'x-container-read: RBAC_USER' -H 'x-container-write: RBAC_USER'
The following example shows how to add ACLs to the container by using swift:
swift -A https://auth.api.rackspacecloud.com/v1.0 -U ACCOUNT_USERNAME -K ACCOUNT_APIKEY post -r RBAC_USER ACL_Container
swift -A https://auth.api.rackspacecloud.com/v1.0 -U ACCOUNT_USERNAME -K ACCOUNT_APIKEY post -w RBAC_USER ACL_Container
Verify the new ACLs
Check the container headers to verify the ACLs by using the following cURL
command:
curl -i -XHEAD -H 'X-Auth-Token: $token' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/ACL_Container
HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 0
X-Container-Write: RBAC_USER
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
X-Container-Read: RBAC_USER
X-Container-Bytes-Used: 0
X-Timestamp: 1410426988.44932
Content-Type: text/plain; charset=utf-8
X-Trans-Id: tx898647c0f1d5410aa4168-00541168bdord1
Date: Thu, 11 Sep 2014 09:17:49 GMT
The following example shows how to check the headers by using swift:
swift -A https://auth.api.rackspacecloud.com/v1.0 -U ACCOUNT_USERNAME -K ACCOUNT_APIKEY stat ACL_Container
Account: MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a
Container: ACL_Container
Objects: 0
Bytes: 0
Read ACL: RBAC_USER
Write ACL: RBAC_USER
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
X-Timestamp: 1410425120.72477
X-Trans-Id: txc8a18e53f6d24796b5cd7-0054116635ord1
Content-Type: text/plain; charset=utf-8
ACL issue with swift
Swift is a helpful tool, but it has some limitations. The most significant
issue occurs when an RBAC_USER
who does not have access to Cloud Files and
has only read/write access to the container that they specify attempts to upload
a file by using a command like the following example:
swift -A https://auth.api.rackspacecloud.com/v1.0 -U RBAC_USER -K $API_KEY upload ACL_Container testfile
This example first attempts to create the container ACL_Container
. However,
because the restricted user does not have access to Cloud Files, this command
returns a 403 Forbidden
HTTP response and then attempts to upload the file
testfile
.
You can avoid this issue by using another tool for swift, swiftly. You can pass additional parameters with swiftly, which
enables your restricted user to upload the file directly, without attempting
to create the container. The swiftly command for performing this action looks
like the following example:
swiftly -A https://identity.api.rackspacecloud.com/v2.0/ -U RBAC_USER -K $API_KEY put --input=testfile ACL_Container/testfile
This command returns a 201 Created
HTTP response and uploads the file.
Conclusion
Because you gave No Access
to RBAC_USER
when you created this user,
RBAC_USER
cannot access the container from the Cloud Control Panel.
After using the tools described in this article, RBAC_USER
now has
read and write access to the container ACL_Container
and
can only access the container and its objects by using the Cloud Files API.
ACL functionality enables account owners to set up fine-grained access
control for their Cloud Files containers.
Helpful resources
You might find the following additional resources helpful:
Updated about 1 year ago