Skip to content

Access Control Lists (ACLs)

Normally to create, read and modify containers and objects, you must have the appropriate roles on the project associated with the account, i.e., you must be the owner of the account. However, an owner can grant access to other users by using an Access Control List (ACL).

You can have more information on the official Swift documentation

Warning

Contrary to Compute Service, Access Rules based on METHOD (eg. GET, POST,...) and PATH (eg. /mycontainer_path) are not supported by the Object Storage yet.

s3.pub1.infomaniak.cloud doesn't support S3 Bucket policy.

Public access (read)

To make a container available without authentication (public) you need to add read ACLs:

swift post -r '.r:*,.rlistings' public

We can verify ACLs with the stat command: 

swift stat --lh public

  Account: AUTH_f3bf1cfd60fd405dae6a4392c8a91746
Container: public
  Objects: 1
    Bytes: 8.7M
 Read ACL: .r:*,.rlistings
Write ACL:

You can now access to your objects without authentication, and also list files into your container:

curl "https://s3.pub1.infomaniak.cloud/object/v1/AUTH_f3bf1cfd60fd405dae6a4392c8a91746/public/eBooks/Cuisine/Les Crêpes du Monde.pdf"

Sharing a container with another user (read)

User1 wants to share a container with User2:

User1 creates a container mycontainer and upload myobject

swift post mycontainer
swift upload mycontainer myobject

There's no Read/Write ACLs yet : 

swift stat mycontainer

                  Account: AUTH_d1440aa24a65411fb9bac2b842c8defa
                Container: mycontainer
                  Objects: 0
                    Bytes: 0
                 Read ACL:
                Write ACL:
                  Sync To:
                 Sync Key:
             Content-Type: text/plain; charset=utf-8
              X-Timestamp: 1700554155.93823
            Last-Modified: Tue, 21 Nov 2023 08:09:16 GMT
            Accept-Ranges: bytes
         X-Storage-Policy: Policy-0
                     Vary: Accept
               X-Trans-Id: txb375f43bb39647c6afb0d-00655c65b6
   X-Openstack-Request-Id: txb375f43bb39647c6afb0d-00655c65b6
Strict-Transport-Security: max-age=63072000

User1 allows User2 to list mycontainer using User2 ID: 

swift post --read-acl "*:d15d0aa132ae4493b0dc69803fe011d2" mycontainer

There are now ACLs:

swift stat mycontainer

                  Account: AUTH_4398a851e0ce43c0955990d801901942
                Container: mycontainer
                  Objects: 0
                    Bytes: 0
                 Read ACL: *:d15d0aa132ae4493b0dc69803fe011d2
                Write ACL:
                  Sync To:
                 Sync Key:
             Content-Type: text/plain; charset=utf-8
              X-Timestamp: 1700555495.69946
            Last-Modified: Tue, 21 Nov 2023 08:32:44 GMT
            Accept-Ranges: bytes
         X-Storage-Policy: Policy-0
                     Vary: Accept
               X-Trans-Id: tx0ee5c133104747d0832cf-00655c6b2d
   X-Openstack-Request-Id: tx0ee5c133104747d0832cf-00655c6b2d
Strict-Transport-Security: max-age=63072000

User2 can now list mycontainer content using User1 Storage URL (can be retrieved with the command swift auth): 

swift --os-storage-url=https://s3.pub1.infomaniak.cloud/object/v1/AUTH_d1440aa24a65411fb9bac2b842c8defa list mycontainer

myobject

To remove the access, you can do: 

swift post --read-acl "" mycontainer