Hi,

Maybe I forgot something, but I can't use this behavior:

I will try to explain my setting:

I have two keystone users: 'x' and 'y'
And two keystone tenants: 'xtenant' and 'ytenant'

In ceph.conf I have the option:

    rgw enforce swift acls = true

I have got the token for x and xtenant with

    curl -k -X 'POST' -v http://mykeystone:5000/v2.0/tokens -d '{"auth":{"passwordCredentials":{"username": "x", "password":"pass"}, "tenantId":"the_id_of_xtenant"}}' -H 'Content-type: application/json'

Create a container (with permissions to ytenant) and an object

    curl -v -X PUT -H 'X-Container-Read: the_id_of_ytenant' -H 'X-Auth-Token: x_token' http://myradosgw/swift/v1/bucket1
    curl -v -X PUT -H 'X-Auth-Token: x_token' http://myradosgw/swift/v1/bucket1/object1

I can get the container and object with x_token:

    curl -v -X GET -H 'X-Auth-Token: x_token' http://myradosgw/swift/v1/bucket1
    curl -v -X GET -H 'X-Auth-Token: x_token' http://myradosgw/swift/v1/bucket1/object1

Until this moment, all OK.

I have got the token for y and ytenant with

    curl -k -X 'POST' -v http://mykeystone:5000/v2.0/tokens -d '{"auth":{"passwordCredentials":{"username": "y", "password":"pass2"}, "tenantId":"the_id_of_ytenant"}}' -H 'Content-type: application/json'

But radosgw returns a 401 when I try to get the container or the bucket:

    curl -v -X GET -H 'X-Auth-Token: y_token' http://myradosgw/swift/v1/bucket1
    curl -v -X GET -H 'X-Auth-Token: y_token' http://myradosgw/swift/v1/bucket1/object1

What have I forgotten?

Thanks and regards,
Álvaro.

-----Original Message-----
From: Yehuda Sadeh [mailto:yehuda@xxxxxxxxxxx]
Sent: Friday, July 5, 2013 8:39
To: Alvaro Izquierdo Jimeno
CC: ceph-users@xxxxxxxxxxxxxx
Subject: Re: (keystone + radosgw ) users

The rados gateway supports swift form of ACLs on buckets in which it is possible to set read/write permissions for each bucket to allow access for its objects. This can be done by setting the X-Container-Read, and X-Container-Write attributes on the containers.
Each attribute is a comma delimited list of permitted users that are given the specific permission. Note that when using the keystone backend, the permissions are given at the tenant level, so they should be referred to as such (using the tenant hex id).

On Thu, Jul 4, 2013 at 11:27 PM, Alvaro Izquierdo Jimeno <aizquierdo@xxxxxxxx> wrote:
> May anybody help me?
>
> Many thanks and regards,
> Álvaro.
>
> From: ceph-users-bounces@xxxxxxxxxxxxxx [mailto:ceph-users-bounces@xxxxxxxxxxxxxx] On behalf of Alvaro Izquierdo Jimeno
> Sent: Tuesday, July 2, 2013 14:30
> To: ceph-users@xxxxxxxxxxxxxx
> Subject: (keystone + radosgw ) users
>
> Hi all,
>
> I have been able to bind openstack keystone and radosgw and have
> checked users created from keystone can make requests on radosgw.
>
> But, how can we handle several tenants and users from keystone? In
> swift, we have the option of setting up ACLs in the config file and
> headers to mark which user can make an operation in each container in
> a specific tenant (for example). Does that option exist with radosgw instead of swift?
>
> Many thanks in advance and best regards,
> Álvaro.
>
> _______________________________________________
> ceph-users mailing list
> ceph-users@xxxxxxxxxxxxxx
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
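
Added example, not part of the original thread and not radosgw's own authorization code: a small check an operator can run on the values used above, comparing the tenant a Keystone v2.0 token is scoped to against the comma-delimited X-Container-Read list. The function names and result labels are hypothetical, the tenant id and token replies are constructed samples, and the reply layout (access.token.tenant.id) is the Keystone v2.0 token response format.

```python
import json

def parse_acl(header_value):
    """Split an X-Container-Read / X-Container-Write value into its entries."""
    return [e.strip() for e in (header_value or "").split(",") if e.strip()]

def token_scope(keystone_reply):
    """Return (tenant_id, tenant_name) from a Keystone v2.0 /tokens reply.

    Both are None when the token is unscoped (no tenant in the reply).
    """
    token = json.loads(keystone_reply)["access"]["token"]
    tenant = token.get("tenant") or {}
    return tenant.get("id"), tenant.get("name")

def check_grant(acl_header, keystone_reply):
    """Classify whether the token's tenant hex id is listed in the ACL."""
    entries = parse_acl(acl_header)
    tenant_id, tenant_name = token_scope(keystone_reply)
    if tenant_id is None:
        return "unscoped-token"        # token request carried no tenantId
    if tenant_id in entries:
        return "granted"               # ACL lists the tenant hex id
    if tenant_name in entries:
        return "acl-uses-tenant-name"  # ACL lists the name, not the hex id
    return "not-listed"

# Constructed sample data (not taken from the thread).
Y_TENANT_ID = "0123456789abcdef0123456789abcdef"
SCOPED_REPLY = json.dumps({"access": {
    "token": {"id": "y_token", "expires": "2013-07-06T08:39:00Z",
              "tenant": {"id": Y_TENANT_ID, "name": "ytenant"}},
    "user": {"name": "y"}}})
UNSCOPED_REPLY = json.dumps({"access": {
    "token": {"id": "y_token", "expires": "2013-07-06T08:39:00Z"},
    "user": {"name": "y"}}})

if __name__ == "__main__":
    cases = [
        (Y_TENANT_ID, SCOPED_REPLY),
        ("other_id , " + Y_TENANT_ID, SCOPED_REPLY),
        ("ytenant", SCOPED_REPLY),
        (Y_TENANT_ID, UNSCOPED_REPLY),
        ("", SCOPED_REPLY),
    ]
    for acl, reply in cases:
        print(repr(acl), "->", check_grant(acl, reply))
```

A result other than "granted" points at the ACL value or the token scope; "granted" means those two agree and the gateway side is the next place to look.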