Bug #22898
openrgw: (jewel) swift acls and cross-tenant access.
Description
So this is a feature request for something we have in luminous, but it's come up a lot for jewel.
Keystone acl elements look like "project-id:user-id", where either of project-id or user-id can be "*". Cross-tenant access allows users to access containers that are maintained by another set of people. With the "swift" command, one can get this by supplying an "OS_STORAGE_URL" environment variable that specifies the desired tenant -- and in ceph.conf, one has to have "rgw swift account in url = true".
So this all works in luminous, but in jewel - while it recognizes "rgw swift account in url" it throws away the tenant and always uses the tenant it gets from keystone. Not very useful. And the acl support totally fails to store keystone proj:user elements, let alone understand them.
The code in master/luminous that does this is very spiffy - and very not going into jewel. I looked at jewel, and I think I've coded up a simpler version of this logic that I think gets a useful subset of this logic functioning. This is in PR #20257, along with a few other fixes for some other blatantly weird jewel/swift/acl behavior.
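For readers who want to see the "project-id:user-id" matching described in this report, here is an added Python sketch; it is not code from Ceph RGW or from the PR. The function names, the comma-separated ACL value and the sample ids are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple


class AclElement(NamedTuple):
    project: str  # Keystone project (tenant) id, or "*"
    user: str     # Keystone user id, or "*"


def parse_element(raw: str) -> Optional[AclElement]:
    """Parse one "project-id:user-id" element; return None if it is not one."""
    raw = raw.strip()
    # Elements starting with "." (referrer-style) are a different ACL kind.
    if raw.startswith("."):
        return None
    parts = raw.split(":")
    # Exactly two non-empty fields are required; anything else is rejected
    # rather than guessed at, so a typo never widens access.
    if len(parts) != 2 or not all(parts):
        return None
    return AclElement(parts[0], parts[1])


def parse_acl(value: str) -> Tuple[List[AclElement], List[str]]:
    """Split a comma-separated ACL value into parsed elements and rejects."""
    parsed: List[AclElement] = []
    rejected: List[str] = []
    for raw in (p.strip() for p in value.split(",")):
        if not raw:
            continue
        elem = parse_element(raw)
        if elem is None:
            rejected.append(raw)
        else:
            parsed.append(elem)
    return parsed, rejected


def allows(acl: List[AclElement], project: str, user: str) -> bool:
    """True if any element matches the requester's Keystone project and user."""
    return any(
        e.project in ("*", project) and e.user in ("*", user) for e in acl
    )


# Constructed sample ACL value: projA/projB/projC and the user names are made up.
SAMPLE_ACL = "projA:alice, projB:*, *:carol, badentry, :x, .r:*"

if __name__ == "__main__":
    acl, rejected = parse_acl(SAMPLE_ACL)
    print("rejected:", rejected)
    for who in [("projA", "alice"), ("projA", "bob"), ("projB", "bob"),
                ("projC", "carol"), ("projC", "dave")]:
        print(who, "->", allows(acl, *who))
```

The requester's project here is the one Keystone reports for the token, independent of whichever tenant the storage URL names, which is what lets a grant reach across tenants.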