Create Cloud Files Container-Level Access Control Policies

Combining Rackspace Cloud’s RBAC with Cloud Files’ ACLs allows you to control read or write access to a particular container and for a particular user.

Recently, I talked to the leader of a marketing department for a global snacking company. She wanted to create a Cloud Files container for each brand in the company’s portfolio, and then she wanted to create a user for each brand manager, so each brand manager could access the files for only their brand. By combining a feature in Rackspace Cloud with a feature in Cloud Files, the marketing leader could create users with the right access controls.

Introduction to RBAC

Role-Based Access Control (RBAC) is a Rackspace Cloud feature that allows account owners to create users and assign them roles. RBAC has two levels of granularity:

  • Cloud-level granularity – This allows you to create users and assign users roles that apply to all Rackspace Cloud products. (Cloud Files and nearly all other Rackspace Cloud products work with RBAC. Check the list of participating products for more information.)
  • Product-level granularity – This allows you to create users and assign them roles that apply to only a particular Rackspace Cloud product. (Again, Cloud Files and many other participating products work. Check the list of participating products for full details.)

Introduction to Cloud Files ACLs

Rackspace Cloud Files Access Control List (ACL) is a Cloud Files feature that allows account owners to specify read or write access to a particular container and for a particular user. ACLs are great because they provide another level of granularity beyond what RBAC alone provides.

This blog post shows you how to set up a new user (with RBAC) and apply container-level access control (with Cloud Files ACLs).

Create a User with RBAC

RBAC is integrated in the Control Panel, so you can set up a new user by logging in there. After you enter your username and password, you see your homepage. Look at the top right-hand area of your homepage for your username. Click your username and select User Management.

On the User Management page, click the Create User button. On the next page, fill out the Login Details section for your new user. Then in the Product Access section, choose the Custom (Per Product Access) radio button. All the product access roles are defaulted to No Access. Leave the Files product role at No Access. Finally, fill out the Contact Information section. Your screen should look similar to this:

Finally, click the Create User button at the bottom of the page. At this point, you have created a user within your account and given them No Access to the Cloud Files product.

Create Container-Level Policies with ACLs

Unfortunately, you cannot set up Cloud Files ACLs in the Control Panel yet, so first this blog post explains what you want to do, and second it provides examples using curl, a Linux utility that you can use to hit the Cloud Files REST API. Alternatively, you can use a Rackspace SDK if you want to connect to Cloud Files using popular languages, such as Java, .NET, node.js, PHP, Python and Ruby.

Cloud Files ACLs provide the following headers that you can use for container-level access policies:

  • X-Container-Read – This container header can contain a comma-delimited list of users that can read the container (allows the GET method for all objects in the container).
  • X-Container-Write – This container header can contain a comma-delimited list of users that can write to the container (allows PUT, POST, COPY and DELETE methods for all objects in the container).

You can set these special headers only on containers, and they apply to all objects within the container. The values for these container headers can have zero to many users.

For example, let’s suppose that you have a container importantContainer within Cloud Files. Let’s also suppose that you created a user importantUser1. You can provide this user with read access to importantContainer by setting its X-Container-Read header to importantUser1. Likewise, you can provide this user with write access to importantContainer by setting its X-Container-Write header to importantUser1.

The account owner does not need to be included in either ACL because the account owner always has read and write access to everything in their Cloud Files account. If you created three important users, you can set the header values to importantUser1, importantUser2, importantUser3, where space before or after a comma is acceptable.

Now, let’s see these ideas in action by using curl.

Authenticate using curl

First, you need to authenticate with the Rackspace Cloud Identity service using your username and apiKey.

curl -X POST -d '{ "auth":{ "RAX-KSKEY:apiKeyCredentials":{ "username":"theUserName", "apiKey":"00a00000a000a0000000a000a00aaa0a" } } }' -H "Content-type: application/json" '<identity-service-URL>'

The response from the Identity service is a JSON-formatted string that contains a token ID and the Cloud Files endpoints, for both public URLs and internal URLs. (Tip: Use an internal URL if your server and your target Cloud Files endpoint are in the same data center.)

Set the container headers using curl

Using the token ID as the X-Auth-Token and the proper URL, you can create a new container and provide your user with the right access. To use these commands, you’ll have to replace the X-Auth-Token and the URL with your information from the Identity Service. (You can combine the PUT and POST commands by appending the two headers from the POST to the PUT command.)

curl -i -X PUT -H 'X-Auth-Token: 00a00000a000a0000000a000a00aaa0a' '<cloud-files-URL>/importantContainer'

curl -i -X POST -H 'X-Auth-Token: 00a00000a000a0000000a000a00aaa0a' -H 'x-container-read: importantUser1' -H 'x-container-write: importantUser1' '<cloud-files-URL>/importantContainer'

Check the container headers using curl

Finally, you can confirm that the container headers are set correctly by performing a HEAD on the container.

curl -i -X HEAD -H 'X-Auth-Token: 00a00000a000a0000000a000a00aaa0a' '<cloud-files-URL>/importantContainer'

Now the user importantUser1 has read and write access to only importantContainer.
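An added audit check for the HEAD step above (example code, not part of the original post): it parses the response headers and reports any user on X-Container-Read or X-Container-Write that is not on your intended list. The sample response and the function names acl_users, unexpected_users and audit_container are constructed for illustration.

```shell
# Added example: audit the ACL headers returned by a HEAD on a container.
# Constructed sample of `curl -i -X HEAD` output; not from a real account.
SAMPLE_HEAD='HTTP/1.1 204 No Content
X-Container-Object-Count: 12
X-Container-Read: importantUser1 , importantUser2
x-container-write: importantUser1
X-Container-Bytes-Used: 4096'

# acl_users HEADER RESPONSE -> one user per line. Header names match
# case-insensitively, CRs are dropped, spaces around commas are trimmed.
acl_users() {
  printf '%s\n' "$2" | tr -d '\r' | awk -v h="$1" '
    BEGIN { h = tolower(h) ":" }
    tolower(substr($0, 1, length(h))) == h {
      n = split(substr($0, length(h) + 1), u, ",")
      for (i = 1; i <= n; i++) {
        sub(/^[ \t]+/, "", u[i]); sub(/[ \t]+$/, "", u[i])
        if (u[i] != "") print u[i]
      }
    }'
}

# unexpected_users HEADER RESPONSE ALLOWED_CSV -> users on the ACL that are
# not in the allow list (hypothetical helper; the list is your own policy).
unexpected_users() {
  acl_users "$1" "$2" | awk -v allowed="$3" '
    BEGIN {
      n = split(allowed, a, ",")
      for (i = 1; i <= n; i++) {
        sub(/^[ \t]+/, "", a[i]); sub(/[ \t]+$/, "", a[i]); ok[a[i]] = 1
      }
    }
    !($0 in ok)'
}

# audit_container RESPONSE READ_ALLOWED WRITE_ALLOWED
# Prints one FINDING line per over-broad header; returns 1 if any was found.
audit_container() {
  rc=0
  for header in X-Container-Read X-Container-Write; do
    allowed=$2; [ "$header" = X-Container-Write ] && allowed=$3
    extra=$(unexpected_users "$header" "$1" "$allowed" | paste -sd, -)
    [ -z "$extra" ] || { echo "FINDING $header also grants: $extra"; rc=1; }
  done
  return $rc
}

audit_container "$SAMPLE_HEAD" importantUser1 importantUser1 || echo "ACL is wider than intended"
```

To use it on a live container, pass the saved output of the HEAD request in place of SAMPLE_HEAD.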

Note: The user importantUser1 must use the Cloud Files API to access the container. Because importantUser1 was given No Access to Cloud Files during user setup, the Control Panel does not allow the user to click the Files tab. Alternatively, if you don’t mind whether the user can read all objects in your account, but you want the user to write to only specific containers, you can change the Files role from No Access to Observer.


Combining Rackspace Cloud RBAC with Cloud Files ACLs provides fine-grained access control for your Cloud Files containers. Together, they allow you to specify read and write access for your users.

Rack Blogger is our catchall blog byline, subbed in when a Racker author moves on, or used when we publish a guest post.


  1. Do you plan to set up limits per Cloud Files container? It would be great for us to set up a File Container for each of our clients and add a limit for total disk usage and CDN monthly GB traffic so we shall be able to resell your service at a fair value for them. Also, if Cloud Files ACL is available per user via the web control panel and on a per-container basis so they do not see the rest of the containers, then we would need to be able to display statistics of usage to our clients in case they hit the limits.

  2. An important thing I noticed while following this guide, if you are using CyberDuck: once everything is set up, you will have to mention your container name in the path, otherwise it would give a 403 Forbidden error.


