Access Control Lists (ACLs)
Normally, to create, read and modify containers and objects, you must have the appropriate roles on the project associated with the account, i.e., you must be the owner of the account. However, an owner can grant access to other users by using an Access Control List (ACL).
More information is available in the official Swift documentation.
Warning
Contrary to Compute Service, Access Rules based on METHOD (e.g. GET, POST, ...) and PATH (e.g. /mycontainer_path) are not supported by the Object Storage yet.
s3.pub1.infomaniak.cloud doesn't support S3 Bucket policy.
Public access (read)
To make a container available without authentication (public) you need to add read ACLs:
swift post -r '.r:*,.rlistings' public
We can verify ACLs with the stat command:
swift stat --lh public
Account: AUTH_f3bf1cfd60fd405dae6a4392c8a91746
Container: public
Objects: 1
Bytes: 8.7M
Read ACL: .r:*,.rlistings
Write ACL:
You can now access your objects without authentication, and also list the files in your container:
curl "https://s3.pub1.infomaniak.cloud/object/v1/AUTH_f3bf1cfd60fd405dae6a4392c8a91746/public/eBooks/Cuisine/Les%20Cr%C3%AApes%20du%20Monde.pdf"
Sharing a container with another user (read)
User1 wants to share a container with User2:
User1 creates a container mycontainer and uploads myobject:
swift post mycontainer
swift upload mycontainer myobject
There are no Read/Write ACLs yet:
swift stat mycontainer
Account: AUTH_d1440aa24a65411fb9bac2b842c8defa
Container: mycontainer
Objects: 0
Bytes: 0
Read ACL:
Write ACL:
Sync To:
Sync Key:
Content-Type: text/plain; charset=utf-8
X-Timestamp: 1700554155.93823
Last-Modified: Tue, 21 Nov 2023 08:09:16 GMT
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
Vary: Accept
X-Trans-Id: txb375f43bb39647c6afb0d-00655c65b6
X-Openstack-Request-Id: txb375f43bb39647c6afb0d-00655c65b6
Strict-Transport-Security: max-age=63072000
User1 allows User2 to list mycontainer using User2's ID:
swift post --read-acl "*:d15d0aa132ae4493b0dc69803fe011d2" mycontainer
There are now ACLs:
swift stat mycontainer
Account: AUTH_4398a851e0ce43c0955990d801901942
Container: mycontainer
Objects: 0
Bytes: 0
Read ACL: *:d15d0aa132ae4493b0dc69803fe011d2
Write ACL:
Sync To:
Sync Key:
Content-Type: text/plain; charset=utf-8
X-Timestamp: 1700555495.69946
Last-Modified: Tue, 21 Nov 2023 08:32:44 GMT
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
Vary: Accept
X-Trans-Id: tx0ee5c133104747d0832cf-00655c6b2d
X-Openstack-Request-Id: tx0ee5c133104747d0832cf-00655c6b2d
Strict-Transport-Security: max-age=63072000
User2 can now list the content of mycontainer using User1's Storage URL (which can be retrieved with the command swift auth):
swift --os-storage-url=https://s3.pub1.infomaniak.cloud/object/v1/AUTH_d1440aa24a65411fb9bac2b842c8defa list mycontainer
myobject
To remove the access, clear the read ACL:
swift post --read-acl "" mycontainer
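To review which containers are exposed, the ACL lines printed by swift stat can be classified automatically. The script below is an added example, not part of the original documentation: it parses the Read ACL and Write ACL lines and reports whether a container is public, shared or private. The function names and audience labels are assumptions made for this example, and it also recognises the other standard Swift ACL element forms (referrer, project-wide, role) beyond the two shown on this page.

```python
"""Classify the ACL elements reported by `swift stat <container>`."""

# Read ACL lines copied from the two `swift stat` outputs shown on this page.
PUBLIC_STAT = "Container: public\nRead ACL: .r:*,.rlistings\nWrite ACL:\n"
SHARED_STAT = ("Container: mycontainer\n"
               "Read ACL: *:d15d0aa132ae4493b0dc69803fe011d2\nWrite ACL:\n")

def parse_stat(text):
    """Extract the Read/Write ACL elements from `swift stat` output."""
    acls = {"Read ACL": [], "Write ACL": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key in acls:
            acls[key] = [e.strip() for e in value.split(",") if e.strip()]
    return acls

def classify(element):
    """Name the audience one ACL element grants access to (labels are ours)."""
    if element == ".rlistings":
        return "anonymous-listing"
    if element.startswith(".r:"):
        referrer = element[3:]
        if referrer == "*":
            return "anonymous-read"
        return "referrer-denied" if referrer.startswith("-") else "referrer-read"
    project, sep, user = element.partition(":")
    if not sep:
        return "role"                      # bare name: a role
    if project == "*":
        return "any-authenticated-user" if user == "*" else "single-user"
    return "whole-project" if user == "*" else "project-user"

def exposure(text):
    """Return 'public', 'shared' or 'private' for one container's stat output."""
    acls = parse_stat(text)
    kinds = {classify(e) for elems in acls.values() for e in elems}
    # Referrer grants need no token (only a Referer header), so count as public.
    if kinds & {"anonymous-read", "anonymous-listing", "referrer-read"}:
        return "public"
    return "shared" if kinds - {"referrer-denied"} else "private"

if __name__ == "__main__":
    for sample in (PUBLIC_STAT, SHARED_STAT):
        for acl, elems in parse_stat(sample).items():
            for e in elems:
                print(f"{acl}: {e} -> {classify(e)}")
        print("exposure:", exposure(sample))
```

In practice, feed exposure() the output of swift stat for each container name returned by swift list, and review every container reported as public.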