Swift is the most widely used storage backend for OpenStack, and chances are you'll deploy it too, so let's dive into how to secure OpenStack Swift. Similar suggestions apply to the majority of other backends.
A good design is necessary for storage security. A typical design for Swift is as follows:
If you have followed the suggestion given in the preceding section on Security, you should be running OpenStack Swift as a non-root user. For the sake of the example, let's suppose you are running Swift as the user swift in the group swift.
Since Swift (like 99.99 percent of programs on Linux) does not need to modify its own config file, you can perform the following operations to ensure that the Swift user is able to read its configuration but is not able to change it.
To do so, assign the /etc/swift folder (and all its subfolders and files) to the user root (as it should already be) and the group swift.
chown -R root...
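One way to verify the outcome described above (config tree owned by root, group swift, readable but not writable by the service account), as an added example that is not from the original text. The function names audit_conf_perms and demo_tree are hypothetical, the mode policy is an assumption because the text gives no modes, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: audit a config tree against the policy described above.
# Assumed policy (the page gives no modes): expected owner and group, no
# group/other write bit, group may read files and enter directories.

# audit_conf_perms DIR OWNER GROUP
# Prints one "reason path" line per violation.
# Returns 0 if clean, 1 on violations, 2 if DIR is not a directory.
audit_conf_perms() {
    dir=$1; owner=$2; group=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # Symlinks are skipped in the write check: their mode bits carry no meaning.
    findings=$(
        find "$dir" ! -user "$owner" -print | sed 's/^/unexpected-owner /'
        find "$dir" ! -group "$group" -print | sed 's/^/unexpected-group /'
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/writable-by-group-or-other /'
        find "$dir" -type f ! -perm -040 -print |
            sed 's/^/file-not-group-readable /'
        find "$dir" -type d ! -perm -050 -print |
            sed 's/^/dir-not-group-accessible /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# demo_tree: build a constructed sample tree (not a real Swift config) owned
# by the current user, leave one file group-writable, and print the tree path.
demo_tree() {
    t=$(mktemp -d) || return 2
    mkdir "$t/extra.d"
    printf '[DEFAULT]\n' > "$t/swift.conf"
    printf '[DEFAULT]\n' > "$t/extra.d/10-base.conf"
    chgrp -R "$(id -g)" "$t"
    chmod 750 "$t" "$t/extra.d"
    chmod 640 "$t/swift.conf"
    chmod 660 "$t/extra.d/10-base.conf"   # deliberate violation
    printf '%s\n' "$t"
}

# On a Swift node, as root:  audit_conf_perms /etc/swift root swift
# Offline demo:  d=$(demo_tree); audit_conf_perms "$d" "$(id -u)" "$(id -g)"
```

Running the audit from a scheduled job or configuration-management check catches drift, such as a package upgrade or manual edit that resets ownership or adds a write bit.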