Delegating access

Rationale

At this moment, there is no way for object store customers to create new users for their project, or change passwords (The latter is possible when using a CUA account). However, in combination with the multi-user buckets using ACLs, institutes or IT-personnel might like to have some degree of control.

For this usecase we advise using S3 credentials, as these can be generated by any Swift user.

Looking at the example given on the multi-user buckets page, the following strategy is a good option:

  • SURF provides a number of Swift accounts and assigns the ‘swiftoperator’ or ‘user’ role.
  • SURF provides the Swift credentials for these accounts.
  • Staff of the institute uses the Swift credentials to generate S3 credentials for these accounts.
  • Staff of the institute can revoke the S3 credentials when so desired.
  • Staff of the institute can use the Swift credentials to set ACLs on buckets.

In this way a reasonable amount of control is possible.

We are looking into the possibilities to extend this functionality in the future.