The Auth System — Swift 2.36.0.dev38 documentation (original) (raw)

The Auth System

Overview

Swift supports a number of auth systems that share the following common characteristics:

The token can be passed into Swift using the X-Auth-Token or the X-Storage-Token header. Both have the same format: just a simple string representing the token. Some auth systems use UUID tokens, some an MD5 hash of something unique, some use “something else” but the salient point is that the token is a string which can be sent as-is back to the auth system for validation.

Swift will make calls to the auth system, giving the auth token to be validated. For a valid token, the auth system responds with an overall expiration time in seconds from now. To avoid the overhead in validating the same token over and over again, Swift will cache the token for a configurable time, but no longer than the expiration time.

The Swift project includes two auth systems:

It is also possible to write your own auth system as described inExtending Auth.

TempAuth

TempAuth is used primarily in Swift’s functional test environment and can be used in other test environments (such as SAIO (Swift All In One)). It is not recommended to use TempAuth in a production system. However, TempAuth is fully functional and can be used as a model to develop your own auth system.

TempAuth has the concept of admin and non-admin users within an account. Admin users can do anything within the account. Non-admin users can only perform read operations. However, some privileged metadata such as X-Container-Sync-Key is not accessible to non-admin users.

Users with the special group .reseller_admin can operate on any account. For an example usage please see swift.common.middleware.tempauth. If a request is coming from a reseller the auth system sets the request environ reseller_request to True. This can be used by other middlewares.

Other users may be granted the ability to perform operations on an account or container via ACLs. TempAuth supports two types of ACL:

TempAuth will now allow OPTIONS requests to go through without a token.

The TempAuth middleware is responsible for creating its own tokens. A user makes a request containing their username and password and TempAuth responds with a token. This token is then used to perform subsequent requests on the user’s account, containers and objects.

Keystone Auth

Swift is able to authenticate against OpenStack Keystone. In this environment, Keystone is responsible for creating and validating tokens. The KeystoneAuth middleware is responsible for implementing the auth system within Swift as described here.

The KeystoneAuth middleware supports per container based ACLs on the container’s X-Container-Read and X-Container-Write metadata. For more information see Container ACLs.

The account-level ACL is not supported by Keystone auth.

In order to use the keystoneauth middleware the auth_tokenmiddleware from KeystoneMiddleware will need to be configured.

The authtoken middleware performs the authentication token validation and retrieves actual user authentication information. It can be found in the KeystoneMiddleware distribution.

The KeystoneAuth middleware performs authorization and mapping the Keystone roles to Swift’s ACLs.

Configuring Swift to use Keystone

Configuring Swift to use Keystoneis relatively straightforward. The first step is to ensure that you have the auth_token middleware installed. It can either be dropped in your python path or installed via the KeystoneMiddlewarepackage.

You need at first make sure you have a service endpoint of typeobject-store in Keystone pointing to your Swift proxy. For example having this in your /etc/keystone/default_catalog.templates

catalog.RegionOne.object_store.name = Swift Service catalog.RegionOne.object_store.publicURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s catalog.RegionOne.object_store.adminURL = http://swiftproxy:8080/ catalog.RegionOne.object_store.internalURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s

On your Swift proxy server you will want to adjust your main pipeline and add auth_token and keystoneauth in your/etc/swift/proxy-server.conf like this

[pipeline:main] pipeline = [....] authtoken keystoneauth proxy-logging proxy-server

add the configuration for the authtoken middleware:

[filter:authtoken] paste.filter_factory = keystonemiddleware.auth_token:filter_factory www_authenticate_uri = http://keystonehost:5000/ auth_url = http://keystonehost:5000/ auth_plugin = password project_domain_id = default user_domain_id = default project_name = service username = swift password = password cache = swift.cache include_service_catalog = False delay_auth_decision = True

The actual values for these variables will need to be set depending on your situation, but in short:

Note

The authtoken config variable delay_auth_decision must be set toTrue. The default is False, but that breaks public access,StaticWeb, FormPost, TempURL, and authenticated capabilities requests (using Discoverability).

and you can finally add the keystoneauth configuration. Here is a simple configuration:

[filter:keystoneauth] use = egg:swift#keystoneauth operator_roles = admin, swiftoperator

Use an appropriate list of roles in operator_roles. For example, in some systems, the role _member_ or Member is used to indicate that the user is allowed to operate on project resources.

OpenStack Service Using Composite Tokens

Some OpenStack services such as Cinder and Glance may use a “service account”. In this mode, you configure a separate account where the service stores project data that it manages. This account is not used directly by the end-user. Instead, all access is done through the service.

To access the “service” account, the service must present two tokens: one from the end-user and another from its own service user. Only when both tokens are present can the account be accessed. This section describes how to set the configuration options to correctly control access to both the “normal” and “service” accounts.

In this example, end users use the AUTH_ prefix in account names, whereas services use the SERVICE_ prefix:

[filter:keystoneauth] use = egg:swift#keystoneauth reseller_prefix = AUTH, SERVICE operator_roles = admin, swiftoperator SERVICE_service_roles = service

The actual values for these variable will need to be set depending on your situation as follows:

This configuration works as follows:

In the above example, all services share the same account. You can separate each service into its own account. For example, the following provides a dedicated account for each of the Glance and Cinder services. In addition, you must assign the glance_service and cinder_service to the appropriate service users:

[filter:keystoneauth] use = egg:swift#keystoneauth reseller_prefix = AUTH, IMAGE, VOLUME operator_roles = admin, swiftoperator IMAGE_service_roles = glance_service VOLUME_service_roles = cinder_service

Access control using keystoneauth

By default the only users able to perform operations (e.g. create a container) on an account are those having a Keystone role for the corresponding Keystone project that matches one of the roles specified in the operator_rolesoption.

Users who have one of the operator_roles will be able to set container ACLs to grant other users permission to read and/or write objects in specific containers, using X-Container-Read and X-Container-Write headers respectively. In addition to the ACL formats describedhere, keystoneauth supports ACLs using the format:

other_project_id:other_user_id.

where other_project_id is the UUID of a Keystone project andother_user_id is the UUID of a Keystone user. This will allow the other user to access a container provided their token is scoped on the other project. Both other_project_id and other_user_id may be replaced with the wildcard character * which will match any project or user respectively.

Be sure to use Keystone UUIDs rather than names in container ACLs.

Note

For backwards compatibility, keystoneauth will by default grant container ACLs expressed as other_project_name:other_user_name (i.e. using Keystone names rather than UUIDs) in the special case when both the other project and the other user are in Keystone’s default domain and the project being accessed is also in the default domain.

For further information see KeystoneAuth

Users with the Keystone role defined in reseller_admin_role(ResellerAdmin by default) can operate on any account. The auth system sets the request environ reseller_request to True if a request is coming from a user with this role. This can be used by other middlewares.

Troubleshooting tips for keystoneauth deployment

Some common mistakes can result in API requests failing when first deploying keystone with Swift:

Extending Auth

TempAuth is written as wsgi middleware, so implementing your own auth is as easy as writing new wsgi middleware, and plugging it in to the proxy server.

See Auth Server and Middleware for detailed information on extending the auth system.