From doc, the ACL should look like <project-id>:<user-id>
.
But does <project-id>:<user-name>
also work?
According to the NOTE
in the link to the doc you provided:
Keystone project (tenant) or user names (i.e., project-name:user-name) must no longer be used because with the introduction of domains in Keystone, names are not globally unique. You should use user and project ids instead.
For backwards compatibility, ACLs using names will be granted by keystoneauth when it can be established that the grantee project, the grantee user and the project being accessed are either not yet in a domain (e.g. the X-Auth-Token has been obtained via the Keystone V2 API) or are all in the default domain to which legacy accounts would have been migrated.
Using <project-id>:<user-name>
would work if the X-Auth-Token
has been obtained using the Keystone v2 API or all three grantee user, grantee project and project belong to the default domain.
However, given that Keystone v2 will be deprecated soon in the future and after the introduction of domains in Keystone, I think that's why the swift docs are explicitely trying to forbid further use of the <user-name>
in ACLs.