Object Storage Access Control

Overview

Container ACLs control which users and projects can read from or write to a container. By default, containers are private — only the owning project has access. ACLs are set as container metadata headers and can grant access to specific users, entire projects, or the public.

Prerequisites

An active Xloud account with appropriate permissions
Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
API credentials sourced (source admin-openrc.sh)

ACL Format Reference

Value	Meaning
`<project-id>:<user-id>`	Specific user in a specific project
`<project-id>:*`	All users in a specific project
`.r:*`	Public anonymous read access
`.r:*,.rlistings`	Public read AND directory listing

Configure ACLs

Dashboard
CLI

Navigate to the container and click the Edit icon. In the Access Control section:

Read ACL: Comma-separated list of <project-id>:<user-id> pairs, or .r:* for public read access
Write ACL: Comma-separated list of <project-id>:<user-id> pairs controlling write access

ACL values of .r:* or .r:*,.rlistings grant public anonymous read access. Verify this is intentional before saving — objects in publicly accessible containers are reachable by anyone with the URL.

openstack container set \
  --property "X-Container-Read=<project-id>:<user-id>" \
  app-backups

View Current ACLs

Show container ACLs

openstack container show app-backups | grep -i "read\|write"

Account-Level Access Control

The object store account (project) supports an additional read ACL at the account level:

Show account metadata including ACLs

openstack object store account show

Set account-level read ACL

openstack object store account set \
  --property X-Account-Meta-Access-Control-Allow-Origin="https://app.example.com"

Best Practices

Principle of least privilege

Grant the minimum required access — prefer <project-id>:<user-id> over <project-id>:*
Only use .r:* for containers explicitly intended for public access
Use .rlistings only when directory browsing is intentionally public

Regular ACL audit

Review containers with non-empty read or write ACLs quarterly. Revoke access for decommissioned projects and users immediately:

Check all container ACLs in your project

for c in $(openstack container list -f value -c Name); do
  echo "=== $c ==="; openstack container show "$c" | grep -i "read\|write"
done

Next Steps

Upload Objects

Upload objects to your access-controlled container

Versioning

Enable version retention for objects in the container

Troubleshooting

Resolve 403 access errors on containers

Object Storage Admin Guide

Platform-wide security and ACL governance

Core Services

Other Services

Object Storage Access Control

Overview

ACL Format Reference

Configure ACLs

View Current ACLs

Account-Level Access Control

Best Practices

Next Steps

Upload Objects

Versioning

Troubleshooting

Object Storage Admin Guide

Core Services

Other Services

​Overview

​ACL Format Reference

​Configure ACLs

​View Current ACLs

​Account-Level Access Control

​Best Practices

​Next Steps

Upload Objects

Versioning

Troubleshooting

Object Storage Admin Guide

Overview

ACL Format Reference

Configure ACLs

View Current ACLs

Account-Level Access Control

Best Practices

Next Steps