ACLs

You can set ACLs on your containers to share objects with other projects or users, or to make them public.

By default all containers are private.

Note

Unlike the Compute Service, Object Storage does not yet support access rules based on METHOD (GET/POST/...) and PATH (/mycontainer_path). s3.pub1.infomaniak.cloud doesn't support S3 bucket policies.

Public access (read)

To make a container available without authentication (public), you need to add read ACLs:

taylor@laptop:~ (pub1|taylor)$ swift post -r '.r:*,.rlistings' public

We can verify the ACLs with the stat command:

taylor@laptop:~ (pub1|taylor)$ swift stat --lh public
                  Account: AUTH_f3bf1cfd60fd405dae6a4392c8a91746
                Container: public
                  Objects: 1
                    Bytes: 8.7M
                 Read ACL: .r:*,.rlistings
                Write ACL:

You can now access your objects without authentication, and also list the files in your container:

$ curl "https://s3.pub1.infomaniak.cloud/object/v1/AUTH_f3bf1cfd60fd405dae6a4392c8a91746/public/"
eBooks/Cuisine/Les Crêpes du Monde.pdf

Sharing a container with another user (read)

User1 wants to share a container with User2:

User1 creates a container mycontainer and uploads myobject:

taylor@laptop:~$ swift post mycontainer
taylor@laptop:~$ swift upload mycontainer myobject

There are no Read/Write ACLs yet:

taylor@laptop:~$ swift stat mycontainer
                  Account: AUTH_d1440aa24a65411fb9bac2b842c8defa
                Container: mycontainer
                  Objects: 0
                    Bytes: 0
                 Read ACL:
                Write ACL:
                  Sync To:
                 Sync Key:
             Content-Type: text/plain; charset=utf-8
              X-Timestamp: 1700554155.93823
            Last-Modified: Tue, 21 Nov 2023 08:09:16 GMT
            Accept-Ranges: bytes
         X-Storage-Policy: Policy-0
                     Vary: Accept
               X-Trans-Id: txb375f43bb39647c6afb0d-00655c65b6
   X-Openstack-Request-Id: txb375f43bb39647c6afb0d-00655c65b6
Strict-Transport-Security: max-age=63072000

User1 allows User2 to list mycontainer, using User2's ID:

swift post --read-acl "*:d15d0aa132ae4493b0dc69803fe011d2" mycontainer

There are now ACLs:

taylor@laptop:~$ swift stat mycontainer
                  Account: AUTH_4398a851e0ce43c0955990d801901942
                Container: mycontainer
                  Objects: 0
                    Bytes: 0
                 Read ACL: *:d15d0aa132ae4493b0dc69803fe011d2
                Write ACL:
                  Sync To:
                 Sync Key:
             Content-Type: text/plain; charset=utf-8
              X-Timestamp: 1700555495.69946
            Last-Modified: Tue, 21 Nov 2023 08:32:44 GMT
            Accept-Ranges: bytes
         X-Storage-Policy: Policy-0
                     Vary: Accept
               X-Trans-Id: tx0ee5c133104747d0832cf-00655c6b2d
   X-Openstack-Request-Id: tx0ee5c133104747d0832cf-00655c6b2d
Strict-Transport-Security: max-age=63072000

User2 can now list the content of mycontainer using User1's Storage URL (which can be retrieved with the command swift auth):

swift --os-storage-url=https://s3.pub1.infomaniak.cloud/object/v1/AUTH_d1440aa24a65411fb9bac2b842c8defa list mycontainer
myobject

To remove the access:

swift post --read-acl "" mycontainer
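
To review what a container's Read ACL actually exposes, the values shown above (`.r:*,.rlistings` and `*:<user ID>`) can be classified from `swift stat` output. The Python below is an added example, not part of this documentation or of the swift client; the function names and exposure labels are illustrative, the sample input is constructed, and the handling of role names and `*:*` assumes Swift's Keystone-based ACL syntax.

```python
# Constructed sample in the `swift stat` layout shown on this page.
SAMPLE_STAT = """\
                Container: public
                 Read ACL: .r:*,.rlistings
                Write ACL:
"""


def read_acl_from_stat(stat_text):
    """Return the Read ACL value from `swift stat` text ('' when unset)."""
    for line in stat_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Read ACL":
            return value.strip()
    return ""


def classify(element):
    """Label one comma-separated ACL element."""
    if element == ".rlistings":
        return "listing"  # container listing allowed
    if element.startswith(".r:"):
        ref = element[3:]
        if ref.startswith("-"):
            return "referrer-deny"
        # Referer is client-supplied, so a referrer grant needs no token.
        return "public-read" if ref == "*" else "referrer-read"
    project, sep, user = element.partition(":")
    if not sep:
        return "role"  # bare name: treated as a Keystone role name
    if project == "*":
        return "any-token" if user == "*" else "user-any-project"
    return "whole-project" if user == "*" else "project-user"


def audit(stat_text):
    """Return (exposure, labels) for one container's stat output."""
    acl = read_acl_from_stat(stat_text)
    labels = [classify(e.strip()) for e in acl.split(",") if e.strip()]
    grants = [l for l in labels if l not in ("listing", "referrer-deny")]
    if not grants:
        return "private", labels
    if "public-read" in labels:
        return ("public-listable" if "listing" in labels else "public"), labels
    if "referrer-read" in labels:
        return "referrer", labels
    return "shared", labels

print(audit(SAMPLE_STAT))  # ('public-listable', ['public-read', 'listing'])
```

Feeding it the output of `swift stat <container>` for each container gives a quick inventory of which ones are readable without a token and which are only shared with named users.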