The owner of an Object Storage account controls access to that account and its containers and objects. An owner is the user who has the admin role for that tenant. The tenant is also known as the project or account. As the account owner, you can modify account metadata and create, modify, and delete containers and objects.
To identify yourself as the account owner, include an authentication token in the X-Auth-Token header in the API request.
Depending on the token value in the X-Auth-Token header, one of the following actions occurs:
- X-Auth-Token contains the token for the account owner. The request is permitted and has full access to make changes to the account.
- The X-Auth-Token header is omitted or it contains a token for a non-owner or a token that is not valid. The request fails with a 401 Unauthorized or 403 Forbidden response. You have no access to accounts or containers, unless an access control list (ACL) explicitly grants access.
The account owner can grant account and container access to users through access control lists (ACLs). For more information about ACLs, see the section called “Container ACLs”.
The following table describes the authentication services that you can use with Object Storage:
Authentication service | Description |
---|---|
OpenStack Identity Service (Keystone) | The Object Storage account is synonymous with the project or tenant ID. For information about the Identity Service, see the section called “Authenticate with the Identity Service”. |
Tempauth middleware | Object Storage includes this middleware. User and account management is performed in the Object Storage system itself. For information about Tempauth, see the section called “Authenticate with Tempauth”. |
swauth (in GitHub) or other custom middleware | This custom middleware is modeled on Tempauth, so usage is typically similar to Tempauth. Specifically, you use the |
Authentication tokens expire after a time period that the authentication service defines. When a token expires, use of the token causes requests to fail with a 401 Unauthorized response. To continue, you must obtain a new token.
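
The token handling described above, as an added example that is not part of the original documentation: a client wrapper that sends X-Auth-Token on every request, obtains a new token once when it gets a 401, and stops on 403 instead of retrying. The `fetch_token` callable, the `swift.example` URL and the `tok-1`/`tok-2` values are hypothetical and constructed for the demonstration; how a token is obtained depends on the authentication service in use.

```python
import urllib.error
import urllib.request


def http_send(method, url, headers):
    """Real transport: returns the HTTP status code, including 4xx codes."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


class TokenSession:
    """Attach X-Auth-Token to each request; renew the token once on 401."""

    def __init__(self, fetch_token, send=http_send):
        self._fetch_token = fetch_token  # hypothetical: asks the auth service for a token
        self._send = send
        self._token = None
        self.renewals = 0

    def request(self, method, url):
        if self._token is None:
            self._token = self._fetch_token()
        status = self._send(method, url, {"X-Auth-Token": self._token})
        if status == 401:
            # Expired or invalid token: obtain a new one and retry exactly once.
            self._token = self._fetch_token()
            self.renewals += 1
            status = self._send(method, url, {"X-Auth-Token": self._token})
        if status in (401, 403):
            # Still refused: do not loop, and keep the token out of the error text.
            raise PermissionError(f"{method} {url} refused with {status}")
        return status


def demo():
    """Constructed stand-in for the storage endpoint: only 'tok-2' is current."""
    issued = iter(["tok-1", "tok-2"])  # constructed tokens; tok-1 has expired
    seen = []

    def fake_send(method, url, headers):
        seen.append(headers["X-Auth-Token"])
        return 204 if headers["X-Auth-Token"] == "tok-2" else 401

    session = TokenSession(lambda: next(issued), send=fake_send)
    return session.request("HEAD", "https://swift.example/v1/AUTH_demo"), seen, session.renewals
```

Limiting renewal to a single retry keeps a client with revoked or wrong credentials from hammering the authentication service.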