ab048b233d
Change-Id: I6970a2c5ce823936731ad33b83bd06df8bf0da3b author: diane fleming
97 lines
4.3 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
    xmlns:xi="http://www.w3.org/2001/XInclude"
    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
    xml:id="authentication">
    <title>Authentication</title>
    <para>The <emphasis role="italic">owner</emphasis> of an Object
        Storage account controls access to that account and its
        containers and objects. An owner is the user who has the
        <literal>admin</literal> role for that tenant. The tenant
        is also known as the project or account. As the account owner,
        you can modify account metadata and create, modify, and delete
        containers and objects.</para>
    <para>To identify yourself as the account owner, include an
        authentication token in the <literal>X-Auth-Token</literal>
        header in the API request.</para>
    <para>Depending on the token value in the
        <literal>X-Auth-Token</literal> header, one of the
        following actions occurs:</para>
    <itemizedlist>
        <listitem>
            <para><literal>X-Auth-Token</literal> contains the token
                for the account owner.</para>
            <para>The request is permitted and has full access to make
                changes to the account.</para>
        </listitem>
        <listitem>
            <para>The <literal>X-Auth-Token</literal> header is
                omitted or it contains a token for a non-owner or a
                token that is not valid.</para>
            <para>The request fails with a <errorcode>401</errorcode>
                <errortext>Unauthorized</errortext> or
                <errorcode>403</errorcode>
                <errortext>Forbidden</errortext> response.</para>
            <para>You have no access to accounts or containers, unless
                an access control list (ACL) explicitly grants
                access.</para>
            <para>The account owner can grant account and container
                access to users through access control lists (ACLs).
                For more information about ACLs, see <xref
                linkend="acls"/>.</para>
        </listitem>
    </itemizedlist>
    <para>The following table describes the authentication services
        that you can use with Object Storage:</para>
    <informaltable rules="all">
        <thead>
            <tr>
                <th>Authentication service</th>
                <th>Description</th>
            </tr>
        </thead>
        <tbody>
            <tr>
                <td>
                    <para>OpenStack Identity Service
                        (Keystone)</para></td>
                <td><para>The Object Storage account is synonymous
                        with the project or tenant ID.</para>
                    <para>For information about the Identity Service,
                        see <xref linkend="get_auth_token_keystone"
                        />.</para>
                </td>
            </tr>
            <tr>
                <td>
                    <para>Tempauth middleware</para></td>
                <td><para>Object Storage includes this middleware.
                        User and account management is performed in
                        the Object Storage system itself.</para>
                    <para>For information about Tempauth, see <xref
                        linkend="get_auth_token_tempauth"
                        />.</para>
                </td>
            </tr>
            <tr>
                <td>
                    <para>swauth (in GitHub) or other custom
                        middleware</para></td>
                <td><para>This custom middleware is modeled on
                        Tempauth, so usage is typically similar to
                        Tempauth.</para><para>Specifically, you use
                        the <literal>X-Auth-Token</literal> header to
                        pass an authentication token to an API
                        request.</para>
                </td>
            </tr>
        </tbody>
    </informaltable>
    <para>Authentication tokens expire after a time period that the
        authentication service defines. When a token expires, use of
        the token causes requests to fail with a
        <errorcode>401</errorcode>
        <errortext>Unauthorized</errortext> response. To continue, you
        must obtain a new token.</para>
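    <para>As an added illustration that is not part of this section's
        source or of the OpenStack Object Storage code, the following
        Python block models the decisions listed above for the
        <literal>X-Auth-Token</literal> header (owner token, non-owner
        token with and without an ACL grant, missing or invalid token)
        together with the token-expiry behaviour in the preceding
        paragraph: the client obtains a new token and retries once when
        a request fails with 401. The authentication service, the
        storage endpoint, the account and container names, the ACL and
        the token strings are all constructed stand-ins, not real
        endpoints or library APIs.</para>

```python
"""Model of the X-Auth-Token decisions described in this section.

Added illustration, not code from the OpenStack Object Storage project.
FakeAuthService and FakeObjectStorage are constructed stand-ins for a
real authentication service (Keystone or Tempauth) and a real account
endpoint; every user, container, ACL and token value below is invented.
"""

HTTP_OK, HTTP_UNAUTHORIZED, HTTP_FORBIDDEN = 200, 401, 403


class FakeAuthService:
    """Stand-in auth service: issues tokens that expire after a fixed TTL."""

    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.tokens = {}  # token -> (user, expiry timestamp)
        self.counter = 0

    def issue_token(self, user, now):
        self.counter += 1
        token = "tok-%s-%d" % (user, self.counter)  # constructed token format
        self.tokens[token] = (user, now + self.ttl)
        return token

    def validate(self, token, now):
        """Return the user behind a live token, or None if unknown or expired."""
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if now > expiry:
            return None  # expired tokens are treated like invalid ones
        return user


class FakeObjectStorage:
    """Stand-in account endpoint applying the rules from the section.

    Owner token: full access (200). Missing, unknown or expired token:
    401. Valid non-owner token: 403 unless a container ACL names the user.
    """

    def __init__(self, auth, owner, container_acls):
        self.auth = auth
        self.owner = owner
        self.container_acls = container_acls  # container -> set of granted users

    def get_container(self, container, headers, now):
        token = headers.get("X-Auth-Token")
        user = self.auth.validate(token, now) if token else None
        if user is None:
            return HTTP_UNAUTHORIZED
        if user == self.owner:
            return HTTP_OK
        if user in self.container_acls.get(container, set()):
            return HTTP_OK  # access granted explicitly by an ACL
        return HTTP_FORBIDDEN


class Client:
    """Client that caches its token and re-authenticates once on a 401."""

    def __init__(self, auth, storage, user):
        self.auth, self.storage, self.user = auth, storage, user
        self.token = None
        self.reauth_count = 0

    def _headers(self, now):
        if self.token is None:
            self.token = self.auth.issue_token(self.user, now)
        return {"X-Auth-Token": self.token}

    def get_container(self, container, now):
        status = self.storage.get_container(container, self._headers(now), now)
        if status == HTTP_UNAUTHORIZED:
            # The token is expired or invalid: obtain a new one and retry once.
            self.token = None
            self.reauth_count += 1
            status = self.storage.get_container(container, self._headers(now), now)
        return status


def demo():
    """Run each scenario from the section; returns scenario -> HTTP status."""
    auth = FakeAuthService(ttl_seconds=3600)
    storage = FakeObjectStorage(auth, owner="alice",
                                container_acls={"public-docs": {"bob"}})
    results = {}
    owner = Client(auth, storage, "alice")
    results["owner"] = owner.get_container("private", now=0)
    bob = Client(auth, storage, "bob")
    results["non_owner_no_acl"] = bob.get_container("private", now=0)
    results["non_owner_acl"] = bob.get_container("public-docs", now=0)
    results["no_header"] = storage.get_container("private", {}, now=0)
    results["bogus_token"] = storage.get_container(
        "private", {"X-Auth-Token": "not-a-token"}, now=0)
    # Two hours later the owner's cached token has expired (TTL is one hour):
    # the first attempt gets 401, the client re-authenticates and the retry succeeds.
    results["expired_then_renewed"] = owner.get_container("private", now=7200)
    results["reauth_count"] = owner.reauth_count
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

    <para>The retry-once rule is the part worth copying: a client that
        blindly retries on every 401 loops forever against a revoked
        account, while a client that never retries breaks at every
        token expiry.</para>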
</section>