Giuseppe Paterno’ shares tip for getting basic Swift reports.

openstack_project_swift_verticalIt’s no secret that I love OpenStack Swift. While it is not always a two-way relationship, I use Swift as much as I can: mostly for long-term backups, to serve static websites and even streaming.

While the functionalities are awesome, it’s also important to get the accounting/usage information of the platform. Out of the box, Swift does not allow even an administrator to access accounting information from a given account. The “standard” approach is to use the Telemetry feature of OpenStack (aka Ceilometer), but I’m not a fan of that project either. In my opinion, telemetry is  pumping so much data that in most cases is overkill; I prefer a simpler approach.

To create a report of Swift usage, we need to use the Reseller Admin concept in Swift to query account statistics from a single admin-level user.  The reseller role (named “ResellerAdmin” by default) can operate on any Swift account.

While getting the concept is a bit tricky (and undocumented as well), the truth is that is quite straightforward to enable it. Create a “ResellerAdmin” role on OpenStack with the command openstack role create ResellerAdmin and grant the role to the user that need to access the containers, ex: the user admin.

Edit the  Swift proxy-server.conf (filter:keystone section) and add the lines highlighted in bold.

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator
reseller_admin_role = ResellerAdmin
reseller_prefix = AUTH_
is_admin = true
cache = swift.cache

Now the admin user can enumerate the projects and get statistics of all the projects and containers. It’s now easy enough to cycle through all the projects and get the used bytes, as shown below:

$ swift stat --os-project-name myproject
      Account: AUTH_c9f567ce0c7f484e918ac8fc798f988f
      Containers: 4
      Objects: 325   
      Bytes: 101947377850 
      Containers in policy "policy-0": 4
      Objects in policy "policy-0": 325
      Bytes in policy "policy-0": 101947377850
      X-Account-Project-Domain-Id: default
      X-Timestamp: 1487950953.36228
      X-Trans-Id: tx49e7b3d4e1a24f529fbc6-00594fb813
      Content-Type: text/plain; charset=utf-8
      Accept-Ranges: bytes

Giuseppe Paterno’ is a an IT architect and security expert. This post first appeared on Paterno’s blog.

Superuser is always interested in community content, get in touch: editorATsuperuser.org

Cover Photo // CC BY NC

  • George

    You didn’t mention the project(s) for which you have to grant the role though.

  • Giuseppe Paterno’

    You usually grant a role to a given user, which will be able to access to all swift containers/projects.

    I strongly suggest you to rely on a user that is in the default domain, so that you can avoid LDAP/external user lookups.

    In small environments, you usually give this grant to the admin user, in larger you might wish to have a separate “report” user.