Created
June 30, 2014 13:28
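# Usual 'default domain' operations (lab credentials; note the auth URL is plain http, and --os-password on the command line ends up in shell history and process listings)...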
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-tenant-name test --os-password testing post c1 | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-tenant-name test --os-password testing upload c1 junkfile | |
junkfile | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-tenant-name test --os-password testing download c1 junkfile | |
junkfile [auth 0.195s, headers 0.235s, total 0.236s, 0.000 MB/s] | |
# Get a token for tester2... | |
$ keystonev3.py token-get --os-endpoint http://u132.localdomain:5000/v3 --os-project-name test2 --os-username tester2 --os-password testing2 | |
kwargs {'username': 'tester2', 'password': 'testing2', 'user_domain_name': None, 'domain_name': None, 'project_name': 'test2', 'auth_url': 'http://u132.localdomain:5000/v3', 'project_id': None, 'project_domain_name': None} | |
WARNING:keystoneclient.httpclient:Failed to retrieve management_url from token | |
f75ec14a70464753b3a0da89bd8f10f0 | |
{ | |
... snip ... | |
} | |
# Get account name to use in storage-url... | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-tenant-name test --os-password testing stat
No handlers could be found for logger "keystoneclient.httpclient"
Account: AUTH_cfb8d9d45212408b90bc0776117aec9e | |
Containers: 1 | |
Objects: 1 | |
Bytes: 10 | |
X-Account-Project-Domain-Id: default | |
X-Account-Storage-Policy-Policy-0-Bytes-Used: 10 | |
X-Timestamp: 1404129972.03069 | |
X-Account-Storage-Policy-Policy-0-Object-Count: 1 | |
X-Trans-Id: tx0d059208269f49809dd94-0053b15943 | |
Content-Type: text/plain; charset=utf-8 | |
Accept-Ranges: bytes | |
# Use tester2's token to attempt access to tester1's container c1 (no ACL granted yet, so 403 is the expected result)...
$ swift --os-auth-token f75ec14a70464753b3a0da89bd8f10f0 --os-storage-url http://saio-1.localdomain:8080/v1/AUTH_cfb8d9d45212408b90bc0776117aec9e download c1 junkfile | |
Object GET failed: http://saio-1.localdomain:8080/v1/AUTH_cfb8d9d45212408b90bc0776117aec9e/c1/junkfile 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc | |
# tester1 grants read ACL access to tester2 by name (project_name:user_name); this works because both are in the default domain
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-tenant-name test --os-password testing post c1 -H 'X-Container-Read: test2:tester2' | |
$ swift --os-auth-token f75ec14a70464753b3a0da89bd8f10f0 --os-storage-url http://saio-1.localdomain:8080/v1/AUTH_cfb8d9d45212408b90bc0776117aec9e download c1 junkfile | |
junkfile [auth 0.000s, headers 0.031s, total 0.032s, 0.000 MB/s] | |
# and revokes it by clearing X-Container-Read; the same token is denied again...
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-tenant-name test --os-password testing post c1 -H 'X-Container-Read: ' | |
$ swift --os-auth-token f75ec14a70464753b3a0da89bd8f10f0 --os-storage-url http://saio-1.localdomain:8080/v1/AUTH_cfb8d9d45212408b90bc0776117aec9e download c1 junkfile | |
Object GET failed: http://saio-1.localdomain:8080/v1/AUTH_cfb8d9d45212408b90bc0776117aec9e/c1/junkfile 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc | |
# Setup users/projects in other domain (--os-token ADMIN looks like keystone's static admin token; suitable for test setups only)...
$ keystonev3.py setup-test-env --os-endpoint http://u132.localdomain:5000/v3 --os-token ADMIN --os-domain-name other | |
WARNING:keystoneclient.utils:create takes at most 1 positional argument (2 given) | |
Created domain other | |
Role admin exists | |
Created user tester | |
Created project test | |
Created user tester2 | |
Created project test2 | |
User tester granted role admin for project test | |
User tester2 granted role admin for project test2 | |
# tester 1 creates container | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-user-domain-name other --os-tenant-name test --os-project-domain-name other --os-password testing post c1 | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-user-domain-name other --os-tenant-name test --os-project-domain-name other --os-password testing upload c1 junkfile | |
junkfile | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-user-domain-name other --os-tenant-name test --os-project-domain-name other --os-password testing download c1 junkfile | |
junkfile [auth 0.263s, headers 0.313s, total 0.314s, 0.000 MB/s] | |
# get a token for tester2... | |
$ keystonev3.py token-get --os-endpoint http://u132.localdomain:5000/v3 --os-project-name test2 --os-project-domain-name other --os-username tester2 --os-user-domain-name other --os-password testing | |
0430722fa05f479785d4a7cbcb47ec3b | |
{ | |
...snip... | |
} | |
# get tester1's account name (project 'test' in domain 'other')...
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-user-domain-name other --os-tenant-name test --os-project-domain-name other --os-password testing stat | |
Account: AUTH_7c31ace322b444d39ef7b4d3545334e4 | |
Containers: 1 | |
Objects: 0 | |
Bytes: 0 | |
X-Account-Project-Domain-Id: dfcbbf7f8ccb4d50875c242b9708aa18 | |
X-Account-Storage-Policy-Policy-0-Bytes-Used: 0 | |
X-Timestamp: 1404130928.97338 | |
X-Account-Storage-Policy-Policy-0-Object-Count: 0 | |
X-Trans-Id: tx4a057340ad02471bb9cda-0053b156e4 | |
Content-Type: text/plain; charset=utf-8 | |
Accept-Ranges: bytes | |
# tester2 attempts access... | |
$ swift --os-auth-token 0430722fa05f479785d4a7cbcb47ec3b --os-storage-url http://saio-1.localdomain:8080/v1/AUTH_7c31ace322b444d39ef7b4d3545334e4 download c1 junkfile | |
Object GET failed: http://saio-1.localdomain:8080/v1/AUTH_7c31ace322b444d39ef7b4d3545334e4/c1/junkfile 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc | |
# tester1 grants name based ACL to tester2... | |
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-user-domain-name other --os-tenant-name test --os-project-domain-name other --os-password testing post c1 -H 'X-Container-Read: test2:tester2' | |
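# access still denied: the name-based ACL is not honoured for this account in the non-default domain 'other' (user and project names are only unique within a domain, so a name alone does not identify tester2)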
$ swift --os-auth-token 0430722fa05f479785d4a7cbcb47ec3b --os-storage-url http://saio-1.localdomain:8080/v1/AUTH_7c31ace322b444d39ef7b4d3545334e4 download c1 junkfile | |
Object GET failed: http://saio-1.localdomain:8080/v1/AUTH_7c31ace322b444d39ef7b4d3545334e4/c1/junkfile 403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc | |
# lookup id of tester2 | |
$ ./keystonev3.py user-list --os-endpoint http://u132.localdomain:5000/v3 | |
tester (3e1b511d0c0841d5af382a4932799631) in Default (default) dflt proj:test (cfb8d9d45212408b90bc0776117aec9e) | |
swift (94a340346bf844f0bc1fc6878398cd37) in Default (default) dflt proj:service (8eb5a7b7d7494fbe8945fa9446166d4f) | |
tester2 (4311a96625aa46119782f66af57ad634) in Default (default) dflt proj:test2 (14a4d630abea491eb21a7a50864f6003) | |
tester (795532a9cbcf4162b721c676d73ec11b) in other (dfcbbf7f8ccb4d50875c242b9708aa18) dflt proj:non-existent (None) | |
tester2 (ca19f7c13ee9471b8623f10a5afeb898) in other (dfcbbf7f8ccb4d50875c242b9708aa18) dflt proj:non-existent (None) | |
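# use tester2's user id from domain 'other' (ca19f7c1... in the list above) in the ACL; the '*' project part matches any project, so <project_id>:<user_id> would be the narrower grant...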
$ swift --os-auth-url http://u132.localdomain:5000/v3 -V 3 --os-username tester --os-user-domain-name other --os-tenant-name test --os-project-domain-name other --os-password testing post c1 -H 'X-Container-Read: *:ca19f7c13ee9471b8623f10a5afeb898' | |
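# now tester2 has access (the token below differs from the one obtained earlier; presumably a fresh tester2 token was fetched in a step not shown)...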
$ swift --os-auth-token ac7038cdd15745779707419def95c962 --os-storage-url http://saio-1.localdomain:8080/v1/AUTH_7c31ace322b444d39ef7b4d3545334e4 download c1 junkfile | |
junkfile [auth 0.000s, headers 0.037s, total 0.037s, 0.000 MB/s] |
keystonev3 CLI tool:
https://github.com/alistairncoles/keystonev3