> Can't you set the ACL on the object when you put it? I could create two tenants. One tenant DATASETADMIN for read/write access, and a tenant DATASETUSERS for readonly access. When I load the dataset into the object store, I need a "s3cmd put" operation and a "s3cmd setacl" operation for each object. It is slow but we do this only once. Giving read access will mean adding the user to the DATASETUSERS tenant, without touching again the ACLs. Still this is a workaround. We create ad-hoc tenants with read-only permissions, and let the users in or out of these tenants. If we want to use the original user's tenant in the ACL, it does not scale for large number of objects AFAIK. :( Saverio _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com