Swift API / AccessDenied on Public Bucket

dreamobjects

#1

I’ve been uploading objects to a public container using the Swift API. When I try to view an uploaded object (image) by visiting the URL, I will get “AccessDenied” because the object itself is still “private”. The only way I can change this is by manually toggling the image to “public” from the dreamhost cpanel.

So my question is, how can I make an object public when I upload it with the Swift API?

I know AWS has object-level ACL controls but I don’t think Swift has this, so its very frustrating that objects are uploaded with private permissions by default.


#2

This was posted a while back and may help:


#3

Yeah, thats AWS though, not OpenStack / Swift.


#4

I’m not a hardcore user of DreamObjects. What’s the difference? I believe DO uses OpenStack/Swift, so the instructions I linked to should be able to change permissions on DreamObjects. Correct?


#5

Well the instructions you linked uses Boto which is AWS so its a different API than Swift. I mean it would work but I’d prefer to do with Swift (if possible)

From my understanding DreamObjects uses a backend called Ceph which supports both Swift & the AWS API. The problem is that, either by default or configuration, all files are uploaded with the default permissions of “private”. This is an issue if you are using the Swift API and want to have public files because Swift doesn’t support object-level ACL permissions unlike the AWS API. Permissions with Swift are controlled at the container level.

Unless I’m missing something here and there’s a way to set these permissions with Swift which I haven’t found…


#6

You are correct that DreamObjects runs on Ceph and therefore supports both the Swift and the AWS S3 APIs.

The easiest solution to what you want to do is probably make make the container with the images “public”. A good way to do that is with the python-swift client. Chances are you already have the python-swift client installed but if you do not you can use python pip get set-up:

Then you can use swift post to update the container:

or for example:

Then test it by browsing to an image:

https://objects-us-west-1.dream.io/container-name/image-name.jpg

or using curl:

Hopefully that helps :slight_smile:


#7

You mean the bucket? (Yeah, I’m a bit new at this). If so, that doesn’t change permissions for what’s inside the bucket/container. Objects still start off as Private until their permission is changed.


#8

In the Ceph world they are referred to as containers but in S3 Amazonland they are buckets so folks will use the term interchangeably. Sorry for the confusion.

I’ve found that when you change the ACL with the python-swift client for the bucket/container, those same permissions are handed down to all objects contained within. That include objects that are uploaded later.

The panel may still show that a container/bucket is private and objects within as private. We are working to get this discrepancy resolved.


#9

Ah, that explains it. I assumed changing the container’s permission setting via the web interface would have the same behaviour as using the Swift CLI. It actually crossed my mind to give that a try but for whatever reason I didn’t. I’m connecting using a custom API because I needed async support so I didn’t have python-swift installed.

But this is good to know, thanks for your response!