Set up Cloud Files and ACLs

  • Last updated on: 2019-02-08
  • Authored by: Rackspace Community

This tutorial teaches account owners how to use Access Control Lists (ACLs) with Cloud Files. A Cloud Files ACL enables account owners to specify read or write access to a particular container for a specific user.

Set up a new user

Use the following steps to set up a new Role-Based Access Control (RBAC) user:

  1. Log in to the Cloud Control Panel.
  2. Click on your username at the top right of the screen, then click User Management.
  3. Click Create User.
  4. Enter the user’s information and click Create User.
  5. On the User Details page that appears, assign the user roles. Under User Permissions, ensure that you leave the Cloud Files role set to No Access.
  6. In the Security Settings section, click Show to display your Rackspace API Key and make a note of it.

About container headers

You cannot create ACLs in the Cloud Control Panel. However, you can enable container-level access by using cURL and passing in the following headers:

  • X-Container-Read: This header holds a comma-delimited list of the users that can read the container. It allows the GET HTTP method for all of the objects in the container.
  • X-Container-Write: This header holds a comma-delimited list of users that can write to the container. It allows the PUT, POST, COPY and DELETE HTTP methods for all of the objects in the container.

You set these special headers only on containers. The headers apply to all of the objects in a container.

For example, if you create a user named RBAC_USER and have a container named ACL_Container in Cloud Files, you can give this user read access to ACL_Container by setting the X-Container-Read header to RBAC_USER. Similarly, you can give the user write access to ACL_Container by setting its X-Container-Write header to RBAC_USER.

You do not need to include yourself in either ACL because the account owner always has read and write access to everything in their Cloud Files account. If you create additional users, you can set the header values to RBAC_USER, RBAC_USER2, RBAC_USER3, where a space before or after a comma is acceptable.

Authenticate by using cURL

First, you need to authenticate with the Identity service by using your username and API key, as shown in the following example:

curl -s -XPOST https://identity.api.rackspacecloud.com/v2.0/tokens -d '{ "auth":{ "RAX-KSKEY:apiKeyCredentials":{ "username":"USERNAME_HERE", "apiKey":"API_KEY_HERE" } } }' -H "Content-type: application/json" |python -m json.tool

The response to this request includes a token, as shown in the following example:

"token": {
"RAX-AUTH:authenticatedBy": [
"APIKEY"
],
"expires": "2014-09-12T03:02:40.024Z",
"id": "TOKEN_HERE",
"tenant": {
"id": "ACCOUNT_ID",
"name": "ACCOUNT_ID"
}
},
.
.
.

Create a container

Next, create a container by using the token that you retrieved. You need to provide the following information in the request:

  • The token
  • The correct storage endpoint
  • The name of the container that you are creating

The following example creates the container ACL_Container by using cURL:

curl -XPUT -H 'X-Auth-Token: $token' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/ACL_Container

Alternatively, you can use the python-swiftclient, or swift, a Python-based tool that is primarily used to manage Rackspace Cloud Files.

The following example creates the same container by using swift:

swift -A https://auth.api.rackspacecloud.com/v1.0 -U USERNAME_HERE -K API_KEY_HERE post ACL_Container

Add ACLs to the container

After you have successfully added the container, you can add ACLs to the container by using a cURL command that is similar to the following example:

curl -XPOST -H 'X-Auth-Token: $token' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/ACL_Container -H 'x-container-read: RBAC_USER' -H 'x-container-write: RBAC_USER'

The following example shows how to add ACLs to the container by using swift:

swift -A https://auth.api.rackspacecloud.com/v1.0 -U ACCOUNT_USERNAME -K ACCOUNT_APIKEY post -r RBAC_USER ACL_Container
swift -A https://auth.api.rackspacecloud.com/v1.0 -U ACCOUNT_USERNAME -K ACCOUNT_APIKEY post -w RBAC_USER ACL_Container

Verify the new ACLs

Check the container headers to verify the ACLs by using the following cURL command:

curl -i -XHEAD -H 'X-Auth-Token: $token' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/ACL_Container
HTTP/1.1 204 No Content
Content-Length: 0
X-Container-Object-Count: 0
X-Container-Write: RBAC_USER
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
X-Container-Read: RBAC_USER
X-Container-Bytes-Used: 0
X-Timestamp: 1410426988.44932
Content-Type: text/plain; charset=utf-8
X-Trans-Id: tx898647c0f1d5410aa4168-00541168bdord1
Date: Thu, 11 Sep 2014 09:17:49 GMT

The following example shows how to check the headers by using swift:

swift -A https://auth.api.rackspacecloud.com/v1.0 -U ACCOUNT_USERNAME -K ACCOUNT_APIKEY stat ACL_Container
Account: MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a
Container: ACL_Container
Objects: 0
Bytes: 0
Read ACL: RBAC_USER
Write ACL: RBAC_USER
Sync To:
Sync Key:
Accept-Ranges: bytes
X-Storage-Policy: Policy-0
X-Timestamp: 1410425120.72477
X-Trans-Id: txc8a18e53f6d24796b5cd7-0054116635ord1
Content-Type: text/plain; charset=utf-8

ACL issue with swift

Swift is a helpful tool, but it has some limitations. The most significant issue occurs when an RBAC_USER who does not have access to Cloud Files and has only read/write access to the container that they specify attempts to upload a file by using a command like the following example:

swift -A https://auth.api.rackspacecloud.com/v1.0 -U RBAC_USER -K $API_KEY upload ACL_Container testfile

This example first attempts to create the container ACL_Container. However, because the restricted user does not have access to Cloud Files, this command returns a 403 Forbidden HTTP response and then attempts to upload the file testfile.

You can avoid this issue by using another tool for swift, swiftly. You can pass additional parameters with swiftly, which enables your restricted user to upload the file directly, without attempting to create the container. The swiftly command for performing this action looks like the following example:

swiftly -A https://identity.api.rackspacecloud.com/v2.0/ -U RBAC_USER -K $API_KEY put --input=testfile ACL_Container/testfile

This command returns a 201 Created HTTP response and uploads the file.

Conclusion

Because you gave No Access to RBAC_USER when you created this user, RBAC_USER cannot access the container from the Cloud Control Panel. After using the tools described in this article, RBAC_USER now has read and write access to the container ACL_Container and can only access the container and its objects by using the Cloud Files API.

ACL functionality enables account owners to set up fine-grained access control for their Cloud Files containers.

Helpful resources

You might find the following additional resources helpful:

Share this information: