
Create Cloud Files Container-Level Access Control Policies

Combining Rackspace Cloud’s RBAC with Cloud Files’ ACLs allows you to control read or write access to a particular container and for a particular user.

Recently, I talked to the leader of a marketing department for a global snacking company. She wanted to create a Cloud Files container for each brand in the company’s portfolio, and then she wanted to create a user for each brand manager, so each brand manager could access the files for only their brand. By combining a feature in Rackspace Cloud with a feature in Cloud Files, the marketing leader could create users with the right access controls.

Introduction to RBAC

Role-Based Access Control (RBAC) is a Rackspace Cloud feature that allows account owners to create users and assign them roles. RBAC has two levels of granularity:

  • Cloud-level granularity – This allows you to create users and assign users roles that apply to all Rackspace Cloud products. (Cloud Files and nearly all other Rackspace Cloud products work with RBAC. Check the list of participating products for more information.)
  • Product-level granularity – This allows you to create users and assign them roles that apply to only a particular Rackspace Cloud product. (Again, Cloud Files and many other participating products work. Check the list of participating products for full details.)

Introduction to Cloud Files ACLs

Cloud Files Access Control Lists (ACLs) are a Cloud Files feature that lets account owners grant read or write access to a particular container to particular users. ACLs are useful because they add a level of granularity beyond what RBAC alone provides: RBAC decides whether a user can use Cloud Files at all, and the ACL decides which containers that user can read or write.

This blog post shows you how to set up a new user (with RBAC) and apply container-level access control (with Cloud Files ACLs).

Create a User with RBAC

RBAC is integrated in the Control Panel, so you can set up a new user by starting at https://mycloud.rackspace.com/. After you enter your username and password, you see your homepage. Look at the top right-hand area of your homepage for your username. Click your username and select User Management.

On the User Management page, click the Create User button. On the next page, fill out the Login Details section for your new user. Then in the Product Access section, choose the Custom (Per Product Access) radio button. All the product access roles default to No Access; leave the Files product role at No Access. Then fill out the Contact Information section. Your screen should look similar to this:

Finally, click the Create User button at the bottom of the page. At this point you have created a user within your account and given them No Access to the Cloud Files product.

Create Container-Level Policies with ACLs

Unfortunately, you cannot set up Cloud Files ACLs in the Control Panel yet, so this blog post first explains what you want to do and then provides examples using curl, a command-line HTTP client you can use to call the Cloud Files REST API directly. Alternatively, you can use a Rackspace SDK to connect to Cloud Files from popular languages such as Java, .NET, node.js, PHP, Python and Ruby.

Cloud Files ACLs provide the following headers that you can use for container-level access policies:

  • X-Container-Read – This container header can contain a comma-delimited list of users that can read the container (allows the GET method for all objects in the container).
  • X-Container-Write – This container header can contain a comma-delimited list of users that can write to the container (allows PUT, POST, COPY and DELETE methods for all objects in the container).

You can set these special headers only on containers, and they apply to all objects within the container. The values for these container headers can have zero to many users.

For example, let’s suppose that you have a container importantContainer within Cloud Files. Let’s also suppose that you created a user importantUser1. You can provide this user with read access to importantContainer by setting its X-Container-Read header to importantUser1. Likewise, you can provide this user with write access to importantContainer by setting its X-Container-Write header to importantUser1.

The account owner does not need to be included in either ACL because the account owner always has read and write access to everything in their Cloud Files account. If you created three important users, you can set the header values to importantUser1, importantUser2, importantUser3, where space before or after a comma is acceptable.

Now, let’s see these ideas in action by using curl.

Authenticate using curl

First, authenticate with the Rackspace Cloud Identity service using your username and API key. Anything you type on the command line lands in your shell history and is visible to other local users in the process list, so for real use read the credentials from a file (for example with -d @auth.json) or an environment variable instead of pasting the key inline as shown here.

curl -X POST https://identity.api.rackspacecloud.com/v2.0/tokens -d '{ "auth":{ "RAX-KSKEY:apiKeyCredentials":{ "username":"theUserName", "apiKey":"00a00000a000a0000000a000a00aaa0a" } } }' -H "Content-type: application/json"

The response from the Identity service is a JSON-formatted string that contains a token ID and the Cloud Files endpoints, for both public URLs and internal URLs. (Tip: Use an internal URL if your server and your target Cloud Files endpoint are in the same data center.)

Set the container headers using curl

Using the token ID as the X-Auth-Token and the proper URL, you can create a new container and provide your user with the right access. To use these commands, you’ll have to replace the X-Auth-Token and the URL with your information from the Identity Service. (You can combine the PUT and POST commands by appending the two headers from the POST to the PUT command.)

curl -i -X PUT -H 'X-Auth-Token: 00a00000a000a0000000a000a00aaa0a' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/importantContainer

curl -i -X POST -H 'X-Auth-Token: 00a00000a000a0000000a000a00aaa0a' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/importantContainer -H 'x-container-read: importantUser1' -H 'x-container-write: importantUser1'

Check the container headers using curl

Finally, confirm that the container headers are set correctly by performing a HEAD on the container. Use curl's -I option rather than -X HEAD: -X HEAD sends the right method but leaves curl waiting for a response body that a HEAD never carries, so the command hangs until it times out.

curl -I -H 'X-Auth-Token: 00a00000a000a0000000a000a00aaa0a' https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a-000a-000a-000a-00a00000a00a/importantContainer

Now the user importantUser1 has read and write access to only importantContainer.
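As an added example (not code from the original post, and not a Rackspace SDK), the following Python script carries out the whole curl procedure above and also handles the comma-delimited X-Container-Read/X-Container-Write values described earlier: it authenticates with the Identity v2.0 API, picks the Cloud Files endpoint from the service catalog by region (public or internal URL), creates the container with both ACL headers on the PUT, then HEADs the container and compares the ACL lists as sets so that a stray or missing user is reported rather than assumed correct. The transport is a plain callable: the default uses urllib against the real APIs, while fake_transport and FAKE_CATALOG are a constructed in-memory stand-in with placeholder token and tenant values so that demo() runs offline. The shape of the Identity response (access.token.id and access.serviceCatalog with name cloudFiles and type object-store) is assumed from the v2.0 API, and the 201/202/204 status codes are the standard Swift container responses.

```python
"""Rackspace Cloud Files container ACLs end to end: authenticate, pick the endpoint
from the service catalog, PUT the container with its ACL headers, HEAD it back and
check the ACLs.  The transport is a plain callable so the logic also runs offline."""
import json
import urllib.error
import urllib.request

IDENTITY_URL = "https://identity.api.rackspacecloud.com/v2.0/tokens"

def urllib_transport(method, url, headers, body=None):
    """Real transport: (method, url, headers, body) -> (status, headers, body)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def acl_value(users):
    """Comma-delimited header value; refuse empty names or names containing commas."""
    cleaned = []
    for user in (u.strip() for u in users):
        if not user or "," in user:
            raise ValueError("bad ACL entry: %r" % user)
        if user not in cleaned:
            cleaned.append(user)
    return ",".join(cleaned)

def parse_acl(value):
    """Header value -> set of users; whitespace around commas is tolerated."""
    return frozenset(u.strip() for u in (value or "").split(",") if u.strip())

def select_endpoint(catalog_json, region, internal=False):
    """(token, storage_url) for the cloudFiles endpoint in `region`."""
    access = json.loads(catalog_json)["access"]
    for svc in access["serviceCatalog"]:
        if svc["type"] != "object-store" or svc["name"] != "cloudFiles":
            continue
        for ep in svc["endpoints"]:
            if ep["region"].upper() == region.upper():
                return access["token"]["id"], ep["internalURL" if internal else "publicURL"]
    raise LookupError("no cloudFiles endpoint in region %s" % region)

def authenticate(username, api_key, region, internal=False, transport=urllib_transport):
    body = json.dumps({"auth": {"RAX-KSKEY:apiKeyCredentials":
                                {"username": username, "apiKey": api_key}}}).encode()
    status, _, resp = transport("POST", IDENTITY_URL, {"Content-Type": "application/json"}, body)
    if status != 200:
        raise RuntimeError("authentication failed: HTTP %d" % status)
    return select_endpoint(resp, region, internal)

def set_container_acl(storage_url, token, container, readers, writers, transport=urllib_transport):
    """One PUT creates the container (201) or updates an existing one (202)."""
    url = "%s/%s" % (storage_url, container)
    hdrs = {"X-Auth-Token": token, "X-Container-Read": acl_value(readers),
            "X-Container-Write": acl_value(writers)}
    status, _, _ = transport("PUT", url, hdrs, b"")
    if status not in (201, 202):
        raise RuntimeError("PUT %s failed: HTTP %d" % (container, status))
    return url

def verify_container_acl(url, token, readers, writers, transport=urllib_transport):
    """HEAD the container and compare both ACLs as sets; returns (ok, explanation)."""
    status, hdrs, _ = transport("HEAD", url, {"X-Auth-Token": token})
    if status != 204:
        return False, "HEAD failed: HTTP %d" % status
    hdrs = {k.lower(): v for k, v in hdrs.items()}  # header names are case-insensitive
    problems = []
    for name, want in (("x-container-read", readers), ("x-container-write", writers)):
        got = parse_acl(hdrs.get(name))
        if got != parse_acl(acl_value(want)):
            problems.append("%s is %s, expected %s" % (name, sorted(got), sorted(want)))
    return not problems, "; ".join(problems) or "ACLs match"

# Constructed stand-in for both APIs: placeholder token and tenant, nothing real.
FAKE_CATALOG = json.dumps({"access": {"token": {"id": "00a00000a000a0000000a000a00aaa0a"},
    "serviceCatalog": [{"name": "cloudFiles", "type": "object-store", "endpoints": [{
        "region": "IAD", "publicURL": "https://storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a",
        "internalURL": "https://snet-storage101.iad3.clouddrive.com/v1/MossoCloudFS_0a0a000a"}]}]}}).encode()

def fake_transport(store):
    # In-memory Identity + Cloud Files; `store` maps container URL -> its X-Container-* headers.
    def transport(method, url, headers, body=None):
        if method == "POST" and url == IDENTITY_URL:
            return 200, {}, FAKE_CATALOG
        if method == "PUT":
            status = 202 if url in store else 201
            store[url] = {k: v for k, v in headers.items() if k.lower().startswith("x-container-")}
            return status, {}, b""
        if method == "HEAD" and url in store:
            return 204, dict(store[url]), b""
        return 404, {}, b""
    return transport

def demo(users=("importantUser1",)):
    """The whole procedure against the offline stand-in; returns verify_container_acl's result."""
    transport = fake_transport({})
    token, storage = authenticate("theUserName", "00a00000a000a0000000a000a00aaa0a", "IAD", transport=transport)
    url = set_container_acl(storage, token, "importantContainer", users, users, transport=transport)
    return verify_container_acl(url, token, users, users, transport=transport)
```

Calling demo() exercises the sequence offline and returns (True, "ACLs match"); for a real run, call authenticate(), set_container_acl() and verify_container_acl() with the default transport and your own username and API key read from an environment variable or a file rather than typed on the command line. The verify step is the part worth keeping around: re-running it from a cron job or a deploy pipeline catches an ACL that someone widened by hand.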

Note: The user importantUser1 must authenticate with their own credentials and use the Cloud Files API to reach the container. Because importantUser1 was given No Access to Cloud Files during user setup, the Control Panel does not let the user open the Files tab. Alternatively, if you don't mind the user reading every object in your account but want them to write to only specific containers, change the Files role from No Access to Observer and keep the X-Container-Write ACL on those containers.

Conclusion

Combining Rackspace Cloud RBAC with Cloud Files ACLs provides fine-grained access control for your Cloud Files containers. Together, they allow you to specify read and write access for your users.


About the Author

This is a post written and contributed by Nicholas Wagner.

Nicholas Wagner is the Product Manager for Cloud Files, Rackspace’s cloud object storage. He has been a Racker since 2011 and loves discovering ways to make the cloud easier to use and more valuable for customers. Before Rackspace, Nicholas Wagner was a software developer. He has a Bachelor of Science in Computer Science from The University of North Texas and an MBA from The Wharton School.


©2014 Rackspace, US Inc.