Authentication

The owner of an Object Storage account controls access to that account and its containers and objects. An owner is the user who has the admin role for that tenant. The tenant is also known as the project or account. As the account owner, you can modify account metadata and create, modify, and delete containers and objects.

To identify yourself as the account owner, include an authentication token in the X-Auth-Token header in the API request.

Depending on the token value in the X-Auth-Token header, one of the following actions occur:

  • X-Auth-Token contains the token for the account owner.

    The request is permitted and has full access to make changes to the account.

  • The X-Auth-Token header is omitted or it contains a token for a non-owner or a token that is not valid.

    The request fails with a 401 Unauthorized or 403 Forbidden response.

    You have no access to accounts or containers, unless an access control list (ACL) explicitly grants access.

    The account owner can grant account and container access to users through access control lists (ACLs). For more information about ACLs, see the section called “Container ACLs”.

The following table describes the authentication services that you can use with Object Storage:

Authentication service Description

OpenStack Identity Service (Keystone)

The Object Storage account is synonymous with the project or tenant ID.

For information about the Identity Service, see the section called “Authenticate with the Identity Service”.

Tempauth middleware

Object Storage includes this middleware. User and account management is performed in the Object Storage system itself.

For information about Tempauth, see the section called “Authenticate with Tempauth”.

swauth (in GitHub) or other custom middleware

This custom middleware is modeled on Tempauth, so usage is typically similar to Tempauth.

Specifically, you use the X-Auth-Token header to pass an authentication token to an API request.

Authentication tokens expire after a time period that the authentication service defines. When a token expires, use of the token causes requests to fail with a 401 Unauthorized response. To continue, you must obtain a new token.

Questions? Discuss on ask.openstack.org
Found an error? Report a bug against this page

loading table of contents...