How can each OpenStack Swift object-storage container be set up with a different password/key in a standard way?

Question

I'd like to have many storage buckets, each with its own password or key for read & write access for use by end users.

Some options I've discovered:

1. ACLs: These work on a per-OpenStack-user basis. I don't think it makes sense to create a new OpenStack user for each end user.
2. Application credentials: These can't be set on a per-container basis, but rather on a class of operations. So you can restrict to containers, but that's for all containers, not a specific one.

Cloud-A announced Container Specific API Keys (documented elsewhere), but this appears to be non-standard. I'd like something that will be compatible with upstream OpenStack.

Answer 1

After further research, it seems as though this isn't possible currently. However, there are plans to fix this eventually:

• Add Fine Grained Restrictions to Application Credentials (the specs)
• Identity (keystone): White List Extension for Application Credentials (the blueprints)