open-io / oio-sds

High Performance Software-Defined Object Storage for Big Data and AI, that supports Amazon S3 and Openstack Swift
https://www.openio.io

Acls disable acls and public sharing #2117

Open UlrichTheSoftwareDev opened 3 years ago

UlrichTheSoftwareDev commented 3 years ago
ISSUE TYPE
COMPONENT NAME
SDS VERSION
openio 7.2.0
CONFIGURATION

My proxy-server.conf ->

# OpenIO managed
[DEFAULT]
use_stderr = False
bind_ip = ip
bind_port = port
workers = 72
max_clients = 1024
user = openio
log_facility = /dev/log
log_header = true
log_level = INFO
log_name = OIO,OPENIO,oioswift,0
eventlet_debug = false

sds_namespace = OPENIO
sds_proxy_url = http://ip:port
sds_default_account = openio

sds_connection_timeout = 5
sds_read_timeout = 35
sds_write_timeout = 35

sds_pool_connections = 500
sds_pool_maxsize = 500
sds_max_retries = 0

sds_tls = False

[pipeline:main]

pipeline = catch_errors  gatekeeper healthcheck proxy-logging cache bulk proxy-logging authtoken keystoneauth proxy-logging copy container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:gatekeeper]
use = egg:swift#gatekeeper

[filter:healthcheck]
use = egg:oioswift#healthcheck

[filter:proxy-logging]
use = egg:swift#proxy_logging
access_log_headers = false
access_log_headers_only =  

[filter:cache]
use = egg:swift#memcache
memcache_servers = ip:port
memcache_max_connections = 10
oio_cache = False
oio_cache_ttl = 0

[filter:bulk]
use = egg:swift#bulk

#[filter:tempurl]
#use = egg:swift#tempurl

#[filter:swift3]
#use = egg:swift3#swift3
#force_swift_request_proxy_log = True
#s3_acl = True
#check_bucket_owner = True
#location = us-east-1
#max_bucket_listing = 1000
#max_multi_delete_objects = 1000
#max_upload_part_num = 10000
#log_s3api_command = False
#bucket_db_enabled = True
#bucket_db_prefix = s3bucket:
#storage_domain = s3.openio.io
#bucket_db_master_name = OPENIO-master-1
#bucket_db_sentinel_hosts = ip:port

#[filter:tempauth]
#use = egg:oioswift#tempauth
#user_demo_demo = DEMO_PASS .admin

[filter:copy]
use = egg:oioswift#copy
object_post_as_copy = False

[filter:container-quotas]
use = egg:swift#container_quotas

[filter:account-quotas]
use = egg:swift#account_quotas

[filter:slo]
use = egg:oioswift#slo
max_manifest_segments = 10000
concurrency = 10

[filter:dlo]
use = egg:swift#dlo

[filter:versioned_writes]
use = egg:oioswift#versioned_writes
allow_versioned_writes = True

[app:proxy-server]
use = egg:oioswift#main
object_post_as_copy = False
allow_account_management = True
account_autocreate = True
sds_chunk_checksum_algo = 
deny_host_headers = x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control

[filter:authtoken]
auth_type = password
#username = swift
username = user
project_name = user
region_name = region
user_domain_id = domain
memcache_secret_key = memcache_secret_key
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = True
cache = swift.cache
delay_auth_decision = True
token_cache_time = 300
auth_url = http://ip:port
include_service_catalog = False
www_authenticate_uri = http://ip:port
memcached_servers = ip:port
password = password
revocation_cache_time = 60
memcache_security_strategy = ENCRYPT
project_domain_id = dommain

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = role
reseller_admin_role = role

OS / ENVIRONMENT
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"

SUMMARY

I have an OpenIO with Keystone (queens) auth cluster.

By default any Swift user can configure his own ACLs and public share URL.

1 user = 1 keystone project.

I would like to restrict users to only read/write containers/objects and not use ACLs or public URL sharing (on their own containers/objects) -> disable ACLs and public sharing.

I didn't find any "super admin" acls.

I tried to deny request headers with X-Container-Write/Read -> not very effective -> no kind of these attributes in headers

Any idea?
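Before changing the pipeline it helps to check what the posted proxy-server.conf actually does. The script below is an added example, not oio-sds code and not from the issue author: it parses the INI with configparser, verifies that every pipeline entry has a matching `[filter:…]`/`[app:…]` section, that `authtoken` runs before `keystoneauth` and that `proxy-server` is last, and flags `insecure = True`, `delay_auth_decision = True` and `sds_tls = False`. The embedded config is a trimmed copy of the one in the issue (placeholders such as `ip:port` kept as posted); the function names are this example's own.

```python
"""Audit a Swift/oioswift proxy-server.conf for pipeline order and risky settings.

Added example for reviewing the configuration in this issue; not part of oio-sds.
"""
import configparser

# Trimmed copy of the issue's proxy-server.conf (constructed sample for this
# example; middleware sections not needed for the checks were dropped and the
# pipeline shortened accordingly, keeping the original order).
SAMPLE_CONF = """
[DEFAULT]
sds_namespace = OPENIO
sds_proxy_url = http://ip:port
sds_tls = False

[pipeline:main]
pipeline = catch_errors gatekeeper proxy-logging cache authtoken keystoneauth proxy-logging proxy-server

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:gatekeeper]
use = egg:swift#gatekeeper

[filter:proxy-logging]
use = egg:swift#proxy_logging

[filter:cache]
use = egg:swift#memcache
memcache_servers = ip:port

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_url = http://ip:port
insecure = True
delay_auth_decision = True

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = role

[app:proxy-server]
use = egg:oioswift#main
allow_account_management = True
"""


def parse_conf(text):
    """Parse proxy-server.conf; interpolation is off so paste-style values survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def pipeline_of(cp):
    """Return the middleware names of [pipeline:main] in order."""
    return cp.get("pipeline:main", "pipeline").split()


def audit(text):
    """Return a list of human-readable findings (empty list means nothing flagged)."""
    cp = parse_conf(text)
    findings = []
    pipeline = pipeline_of(cp)

    # 1. Every pipeline entry needs a [filter:NAME] or [app:NAME] section,
    #    otherwise paste fails to load the pipeline (also catches typos).
    for name in pipeline:
        if not (cp.has_section(f"filter:{name}") or cp.has_section(f"app:{name}")):
            findings.append(f"pipeline entry '{name}' has no [filter:{name}]/[app:{name}] section")

    # 2. Ordering: the app must be last, and token validation (authtoken)
    #    must run before authorization (keystoneauth).
    if pipeline[-1] != "proxy-server" or not cp.has_section("app:proxy-server"):
        findings.append("pipeline does not end in the proxy-server app")
    if "authtoken" in pipeline and "keystoneauth" in pipeline:
        if pipeline.index("authtoken") > pipeline.index("keystoneauth"):
            findings.append("authtoken must run before keystoneauth")
    if "tempauth" in pipeline and "keystoneauth" in pipeline:
        findings.append("both tempauth and keystoneauth are enabled")

    # 3. Security-relevant settings.
    if cp.has_section("filter:authtoken"):
        if cp.getboolean("filter:authtoken", "insecure", fallback=False):
            findings.append("authtoken.insecure=True: Keystone TLS certificate is not verified")
        if cp.getboolean("filter:authtoken", "delay_auth_decision", fallback=False):
            findings.append("authtoken.delay_auth_decision=True: unauthenticated requests "
                            "are passed on to keystoneauth (required for ACL/public access)")
    if not cp.getboolean("DEFAULT", "sds_tls", fallback=False):
        findings.append("sds_tls=False: gateway talks to the SDS proxy in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("-", finding)
```

The `delay_auth_decision` finding is the one closest to the question in this issue: with it set to `True`, keystonemiddleware does not reject requests without a valid token but hands them to `keystoneauth`, which is what allows container ACLs (referrer or `.r:*` style) to grant anonymous access in Swift. The audit only reports it; whether to keep that behaviour is the deployment's decision.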