swiftpolicy

Change::

    [pipeline:main]
    pipeline = catch_errors cache tempauth proxy-server

To::

    [pipeline:main]
    pipeline = catch_errors cache swiftpolicy tempauth proxy-server

Add to your proxy-server.conf the section for the SwiftPolicy WSGI filter::

Policy file is given using policy option

[filter:swift3]
use = egg:swiftpolicy#swiftpolicy
policy = %(here)s/default.json

We install along with this middleare a default policy file in /etc/swift/default.json, which make our middleware behaves the same way as keystoneauth (for compatibility reasons).

Policy file

The policy file will list all possible actions on swift proxy. Action's format is: <http verbe>_<swift entity> (example: "get_container", "put_object", etc).

...
"get_container": "rule:allowed_for_user",
"put_container": "rule:allowed_for_user",
"delete_container": "rule:allowed_for_user",
...

Policy file contains also two specific rules: "swift_owner" "reseller_request", they define when swift_owner and reseller_request headers are set to true, as those two value are part of the contract between the auth system and swift.

...
"swift_owner": "rule:swift_reseller or rule:swift_operator",
"reseller_request": "rule:swift_reseller",
...

Example

To deny creation of new containers: set put_container to '!':

  ...
  "get_container": "rule:allowed_for_user",
  "put_container": "!",
  ...

To restrict creation of new container to users with role "admin":

  ...
  "get_container": "rule:allowed_for_user",
  "put_container": "role:admin",
  ...

Limitations

swiftpolicy does not support dynamic reload of policies, and thus, swift proxy have to be restarted when policy file is updated.