Comment 15 for bug 1299146

Alistair Coles (alistair-coles) wrote :

Much of the thinking I outlined above (#10) is motivated by attempting to maintain the name-based ACLs that Swift has supported to date, and providing backwards compatibility with those when an existing system migrates to v3 keystone.

As Jamie points out (#12), restricting identification to ids (not names) in the swift ACLs will fix the immediate issue. I've taken that approach in this patch https://review.openstack.org/86430. The change in behavior will only occur when tokens are validated using a v3 keystone API.

This obviously reduces usability w.r.t. v2 for swift clients accustomed to citing tenant/user names - that could be addressed by introducing some new ACL syntax (keystone specific) in further patches. And there is the issue of how we deal with existing ACLs using names when migrating a system from v2 to v3.