diff --git a/bin/swauth-add-account b/bin/swauth-add-account new file mode 100755 index 0000000000..740dcddcb8 --- /dev/null +++ b/bin/swauth-add-account @@ -0,0 +1,62 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + parser = OptionParser(usage='Usage: %prog [options] ') + parser.add_option('-s', '--suffix', dest='suffix', + default='', help='The suffix to use as the storage account name ' + '(default: )') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/)') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 1: + parser.parse_args(['-h']) + account = args[0] + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s' % (parsed.path, account) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + if options.suffix: + headers['X-Account-Suffix'] = options.suffix + conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Account creation failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-add-user b/bin/swauth-add-user new file mode 100755 index 0000000000..9bf27bbd7a --- /dev/null +++ b/bin/swauth-add-user @@ -0,0 +1,87 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + parser = OptionParser( + usage='Usage: %prog [options] ') + parser.add_option('-a', '--admin', dest='admin', action='store_true', + default=False, help='Give the user administrator access; otherwise ' + 'the user will only have access to containers specifically allowed ' + 'with ACLs.') + parser.add_option('-r', '--reseller-admin', dest='reseller_admin', + action='store_true', default=False, help='Give the user full reseller ' + 'administrator access, giving them full access to all accounts within ' + 'the reseller, including the ability to create new accounts. Creating ' + 'a new reseller admin requires super_admin rights.') + parser.add_option('-s', '--suffix', dest='suffix', + default='', help='The suffix to use as the storage account name ' + '(default: )') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 3: + parser.parse_args(['-h']) + account, user, password = args + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + # Ensure the account exists + path = '%sv2/%s' % (parsed.path, account) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + if options.suffix: + headers['X-Account-Suffix'] = options.suffix + conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Account creation failed: %s %s' % (resp.status, resp.reason) + # Add the user + path = '%sv2/%s/%s' % (parsed.path, account, user) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key, + 'X-Auth-User-Key': password} + if options.admin: + headers['X-Auth-User-Admin'] = 'true' + if options.reseller_admin: + headers['X-Auth-User-Reseller-Admin'] = 'true' + conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'User creation failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-delete-account b/bin/swauth-delete-account new file mode 100755 index 0000000000..22e6523d0e --- /dev/null +++ b/bin/swauth-delete-account @@ -0,0 +1,57 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + parser = OptionParser(usage='Usage: %prog [options] ') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 1: + parser.parse_args(['-h']) + account = args[0] + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s' % (parsed.path, account) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Account deletion failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-delete-user b/bin/swauth-delete-user new file mode 100755 index 0000000000..b018031982 --- /dev/null +++ b/bin/swauth-delete-user @@ -0,0 +1,57 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + parser = OptionParser(usage='Usage: %prog [options] ') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) != 2: + parser.parse_args(['-h']) + account, user = args + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s/%s' % (parsed.path, account, user) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'User deletion failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swauth-list b/bin/swauth-list new file mode 100755 index 0000000000..d681b1c38e --- /dev/null +++ b/bin/swauth-list @@ -0,0 +1,65 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + parser = OptionParser(usage='Usage: %prog [options] [account] [user]') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if len(args) > 2: + parser.parse_args(['-h']) + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/%s' % (parsed.path, '/'.join(args)) + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'List failed: %s %s' % (resp.status, resp.reason) + if len(args) == 2 and args[1] != '.groups': + print resp.read() + else: + for item in json.loads(resp.read()): + print item['name'] diff --git a/bin/swauth-prep b/bin/swauth-prep new file mode 100755 index 0000000000..cef2addba2 --- /dev/null +++ b/bin/swauth-prep @@ -0,0 +1,56 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from optparse import OptionParser +from os.path import basename +from sys import argv, exit +from urlparse import urlparse + +from swift.common.bufferedhttp import http_connect_raw as http_connect + + +if __name__ == '__main__': + parser = OptionParser(usage='Usage: %prog [options]') + parser.add_option('-A', '--admin-url', dest='admin_url', + default='http://127.0.0.1:8080/auth/', help='The URL to the auth ' + 'subsystem (default: http://127.0.0.1:8080/auth/') + parser.add_option('-U', '--admin-user', dest='admin_user', + default='.super_admin', help='The user with admin rights to add users ' + '(default: .super_admin).') + parser.add_option('-K', '--admin-key', dest='admin_key', + help='The key for the user with admin rights to add users.') + args = argv[1:] + if not args: + args.append('-h') + (options, args) = parser.parse_args(args) + if args: + parser.parse_args(['-h']) + parsed = urlparse(options.admin_url) + if parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (parsed.scheme, repr(options.admin_url))) + if not parsed.path: + parsed.path = '/' + elif parsed.path[-1] != '/': + parsed.path += '/' + path = '%sv2/.prep' % parsed.path + headers = {'X-Auth-Admin-User': options.admin_user, + 'X-Auth-Admin-Key': options.admin_key} + conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers, + ssl=(parsed.scheme == 'https')) + resp = conn.getresponse() + if resp.status // 100 != 2: + print 'Auth subsystem prep failed: %s %s' % (resp.status, resp.reason) diff --git a/bin/swift-auth-to-swauth b/bin/swift-auth-to-swauth new file mode 100755 index 0000000000..b8867c1f59 --- /dev/null +++ b/bin/swift-auth-to-swauth @@ -0,0 +1,44 @@ +#!/usr/bin/python +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +from subprocess import call +from sys import argv, exit + +import sqlite3 + + +if __name__ == '__main__': + if len(argv) != 4 or argv[1] != '-K': + exit('Syntax: %s -K ' % argv[0]) + _, _, super_admin_key, auth_db = argv + call(['swauth-prep', '-K', super_admin_key]) + conn = sqlite3.connect(auth_db) + for account, cfaccount, user, password, admin, reseller_admin in \ + conn.execute('SELECT account, cfaccount, user, password, admin, ' + 'reseller_admin FROM account'): + cmd = ['swauth-add-user', '-K', super_admin_key, '-s', + cfaccount.split('_', 1)[1]] + if admin == 't': + cmd.append('-a') + if reseller_admin == 't': + cmd.append('-r') + cmd.extend([account, user, password]) + print ' '.join(cmd) + call(cmd) + print '----------------------------------------------------------------' + print ' Assuming the above worked perfectly, you should copy and paste ' + print ' those lines into your ~/bin/recreateaccounts script.' + print '----------------------------------------------------------------' diff --git a/doc/source/admin_guide.rst b/doc/source/admin_guide.rst index 31c5f17123..65ad7d0ca4 100644 --- a/doc/source/admin_guide.rst +++ b/doc/source/admin_guide.rst @@ -164,7 +164,10 @@ swift-stats-populate and swift-stats-report use the same configuration file, /etc/swift/stats.conf. Example conf file:: [stats] + # For DevAuth: auth_url = http://saio:11000/v1.0 + # For Swauth: + # auth_url = http://saio:11000/auth/v1.0 auth_user = test:tester auth_key = testing diff --git a/doc/source/deployment_guide.rst b/doc/source/deployment_guide.rst index 68f8c9b5c8..7d5bfc466b 100644 --- a/doc/source/deployment_guide.rst +++ b/doc/source/deployment_guide.rst @@ -484,6 +484,43 @@ ssl False If True, use SSL to node_timeout 10 Request timeout ============ =================================== ======================== +[swauth] + +===================== =============================== ======================= +Option Default Description +--------------------- ------------------------------- ----------------------- +use Entry point for + paste.deploy to use for + auth. To use the swauth + set to: + `egg:swift#swauth` +log_name auth-server Label used when logging +log_facility LOG_LOCAL0 Syslog log facility +log_level INFO Log level +log_headers True If True, log headers in + each request +reseller_prefix AUTH The naming scope for the + auth service. Swift + storage accounts and + auth tokens will begin + with this prefix. +auth_prefix /auth/ The HTTP request path + prefix for the auth + service. Swift itself + reserves anything + beginning with the + letter `v`. +default_swift_cluster local:http://127.0.0.1:8080/v1 The default Swift + cluster to place newly + created accounts on. +token_life 86400 The number of seconds a + token is valid. +node_timeout 10 Request timeout +super_admin_key None The key for the + .super_admin account. +===================== =============================== ======================= + + ------------------------ Memcached Considerations ------------------------ diff --git a/doc/source/development_auth.rst b/doc/source/development_auth.rst index 2ac1bdf261..0f28750bd3 100644 --- a/doc/source/development_auth.rst +++ b/doc/source/development_auth.rst @@ -8,7 +8,7 @@ Creating Your Own Auth Server and Middleware The included swift/auth/server.py and swift/common/middleware/auth.py are good minimal examples of how to create an external auth server and proxy server auth -middleware. Also, see the `Swauth `_ project for +middleware. Also, see swift/common/middleware/swauth.py for a more complete implementation. The main points are that the auth middleware can reject requests up front, before they ever get to the Swift Proxy application, and afterwards when the proxy issues callbacks to verify @@ -356,6 +356,7 @@ repoze.what:: self.auth_port = int(conf.get('port', 11000)) self.ssl = \ conf.get('ssl', 'false').lower() in ('true', 'on', '1', 'yes') + self.auth_prefix = conf.get('prefix', '/') self.timeout = int(conf.get('node_timeout', 10)) def authenticate(self, env, identity): @@ -371,7 +372,7 @@ repoze.what:: return user with Timeout(self.timeout): conn = http_connect(self.auth_host, self.auth_port, 'GET', - '/token/%s' % token, ssl=self.ssl) + '%stoken/%s' % (self.auth_prefix, token), ssl=self.ssl) resp = conn.getresponse() resp.read() conn.close() diff --git a/doc/source/development_saio.rst b/doc/source/development_saio.rst index 999d338fbf..072db9b327 100644 --- a/doc/source/development_saio.rst +++ b/doc/source/development_saio.rst @@ -216,7 +216,9 @@ Configuring each node Sample configuration files are provided with all defaults in line-by-line comments. - #. Create `/etc/swift/auth-server.conf`:: + #. If your going to use the DevAuth (the default swift-auth-server), create + `/etc/swift/auth-server.conf` (you can skip this if you're going to use + Swauth):: [DEFAULT] user = @@ -237,15 +239,25 @@ Sample configuration files are provided with all defaults in line-by-line commen user = [pipeline:main] + # For DevAuth: pipeline = healthcheck cache auth proxy-server + # For Swauth: + # pipeline = healthcheck cache swauth proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true + # Only needed for DevAuth [filter:auth] use = egg:swift#auth + # Only needed for Swauth + [filter:swauth] + use = egg:swift#swauth + # Highly recommended to change this. + super_admin_key = swauthkey + [filter:healthcheck] use = egg:swift#healthcheck @@ -562,18 +574,32 @@ Setting up scripts for running Swift #!/bin/bash + # The auth-server line is only needed for DevAuth: swift-init auth-server start swift-init proxy-server start swift-init account-server start swift-init container-server start swift-init object-server start + #. For Swauth (not needed for DevAuth), create `~/bin/recreateaccounts`:: + + #!/bin/bash + + # Replace devauth with whatever your super_admin key is (recorded in + # /etc/swift/proxy-server.conf). + swauth-prep -K swauthkey + swauth-add-user -K swauthkey -a test tester testing + swauth-add-user -K swauthkey -a test2 tester2 testing2 + swauth-add-user -K swauthkey test tester3 testing3 + swauth-add-user -K swauthkey -a -r reseller reseller reseller + #. Create `~/bin/startrest`:: #!/bin/bash # Replace devauth with whatever your super_admin key is (recorded in - # /etc/swift/auth-server.conf). + # /etc/swift/auth-server.conf). This swift-auth-recreate-accounts line + # is only needed for DevAuth: swift-auth-recreate-accounts -K devauth swift-init object-updater start swift-init container-updater start @@ -589,13 +615,14 @@ Setting up scripts for running Swift #. `remakerings` #. `cd ~/swift/trunk; ./.unittests` #. `startmain` (The ``Unable to increase file descriptor limit. Running as non-root?`` warnings are expected and ok.) - #. `swift-auth-add-user -K devauth -a test tester testing` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. Get an `X-Storage-Url` and `X-Auth-Token`: ``curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:11000/v1.0`` + #. For Swauth: `recreateaccounts` + #. For DevAuth: `swift-auth-add-user -K devauth -a test tester testing` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). + #. Get an `X-Storage-Url` and `X-Auth-Token`: ``curl -v -H 'X-Storage-User: test:tester' -H 'X-Storage-Pass: testing' http://127.0.0.1:11000/v1.0`` # For Swauth, make the last URL `http://127.0.0.1:8080/auth/v1.0` #. Check that you can GET account: ``curl -v -H 'X-Auth-Token: ' `` - #. Check that `st` works: `st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat` - #. `swift-auth-add-user -K devauth -a test2 tester2 testing2` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. `swift-auth-add-user -K devauth test tester3 testing3` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). - #. `cp ~/swift/trunk/test/functional/sample.conf /etc/swift/func_test.conf` + #. Check that `st` works: `st -A http://127.0.0.1:11000/v1.0 -U test:tester -K testing stat` # For Swauth, make the URL `http://127.0.0.1:8080/auth/v1.0` + #. For DevAuth: `swift-auth-add-user -K devauth -a test2 tester2 testing2` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). + #. For DevAuth: `swift-auth-add-user -K devauth test tester3 testing3` # Replace ``devauth`` with whatever your super_admin key is (recorded in /etc/swift/auth-server.conf). + #. `cp ~/swift/trunk/test/functional/sample.conf /etc/swift/func_test.conf` # For Swauth, add auth_prefix = /auth/ and change auth_port = 8080. #. `cd ~/swift/trunk; ./.functests` (Note: functional tests will first delete everything in the configured accounts.) #. `cd ~/swift/trunk; ./.probetests` (Note: probe tests will reset your diff --git a/doc/source/howto_cyberduck.rst b/doc/source/howto_cyberduck.rst index 6af2f0e630..e9de135ff3 100644 --- a/doc/source/howto_cyberduck.rst +++ b/doc/source/howto_cyberduck.rst @@ -8,7 +8,9 @@ Talking to Swift with Cyberduck #. Install Swift, or have credentials for an existing Swift installation. If you plan to install Swift on your own server, follow the general guidelines - in the section following this one. + in the section following this one. (This documentation assumes the use of + the DevAuth auth server; if you're using Swauth, you should change all auth + URLs /v1.0 to /auth/v1.0) #. Verify you can connect using the standard Swift Tool `st` from your "public" URL (yes I know this resolves privately inside EC2):: diff --git a/doc/source/howto_installmultinode.rst b/doc/source/howto_installmultinode.rst index 82a3a88099..b16cfbbb14 100644 --- a/doc/source/howto_installmultinode.rst +++ b/doc/source/howto_installmultinode.rst @@ -13,8 +13,8 @@ Prerequisites Basic architecture and terms ---------------------------- - *node* - a host machine running one or more Swift services -- *Proxy node* - node that runs Proxy services -- *Auth node* - node that runs the Auth service +- *Proxy node* - node that runs Proxy services; can also run Swauth +- *Auth node* - node that runs the Auth service; only required for DevAuth - *Storage node* - node that runs Account, Container, and Object services - *ring* - a set of mappings of Swift data to physical devices @@ -23,13 +23,14 @@ This document shows a cluster using the following types of nodes: - one Proxy node - Runs the swift-proxy-server processes which proxy requests to the - appropriate Storage nodes. + appropriate Storage nodes. For Swauth, the proxy server will also contain + the Swauth service as WSGI middleware. - one Auth node - Runs the swift-auth-server which controls authentication and authorization for all requests. This can be on the same node as a - Proxy node. + Proxy node. This is only required for DevAuth. - five Storage nodes @@ -120,16 +121,27 @@ Configure the Proxy node user = swift [pipeline:main] + # For DevAuth: pipeline = healthcheck cache auth proxy-server + # For Swauth: + # pipeline = healthcheck cache swauth proxy-server [app:proxy-server] use = egg:swift#proxy allow_account_management = true + # Only needed for DevAuth [filter:auth] use = egg:swift#auth ssl = true + # Only needed for Swauth + [filter:swauth] + use = egg:swift#swauth + default_swift_cluster = https://:8080/v1 + # Highly recommended to change this key to something else! + super_admin_key = swauthkey + [filter:healthcheck] use = egg:swift#healthcheck @@ -194,6 +206,8 @@ Configure the Proxy node Configure the Auth node ----------------------- +.. note:: Only required for DevAuth; you can skip this section for Swauth. + #. If this node is not running on the same node as a proxy, create a self-signed cert as you did for the Proxy node @@ -358,13 +372,20 @@ Create Swift admin account and test You run these commands from the Auth node. +.. note:: For Swauth, replace the https://:11000/v1.0 with + https://:8080/auth/v1.0 + #. Create a user with administrative privileges (account = system, username = root, password = testpass). Make sure to replace - ``devauth`` with whatever super_admin key you assigned in the - auth-server.conf file above. *Note: None of the values of + ``devauth`` (or ``swauthkey``) with whatever super_admin key you assigned in + the auth-server.conf file (or proxy-server.conf file in the case of Swauth) + above. *Note: None of the values of account, username, or password are special - they can be anything.*:: + # For DevAuth: swift-auth-add-user -K devauth -a system root testpass + # For Swauth: + swauth-add-user -K swauthkey -a system root testpass #. Get an X-Storage-Url and X-Auth-Token:: @@ -404,15 +425,23 @@ See :ref:`config-proxy` for the initial setup, and then follow these additional use = egg:swift#memcache memcache_servers = :11211 -#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/auth-server.conf:: +#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/auth-server.conf (for DevAuth) or in /etc/swift/proxy-server.conf (for Swauth):: + # For DevAuth, in /etc/swift/auth-server.conf [app:auth-server] use = egg:swift#auth default_cluster_url = https:///v1 # Highly recommended to change this key to something else! super_admin_key = devauth -#. After you change the default_cluster_url setting, you have to delete the auth database and recreate the Swift users, or manually update the auth database with the correct URL for each account. + # For Swauth, in /etc/swift/proxy-server.conf + [filter:swauth] + use = egg:swift#swauth + default_swift_cluster = local:http:///v1 + # Highly recommended to change this key to something else! + super_admin_key = swauthkey + +#. For DevAuth, after you change the default_cluster_url setting, you have to delete the auth database and recreate the Swift users, or manually update the auth database with the correct URL for each account. For Swauth, changing the cluster URLs for the accounts is not yet supported (you'd have to hack the .cluster objects manually; not recommended). #. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well. diff --git a/doc/source/index.rst b/doc/source/index.rst index 9b20293921..3c5f5bb3b9 100644 --- a/doc/source/index.rst +++ b/doc/source/index.rst @@ -87,6 +87,7 @@ Source Documentation db object auth + swauth misc diff --git a/doc/source/misc.rst b/doc/source/misc.rst index a0311cbf5e..eaea545a0f 100644 --- a/doc/source/misc.rst +++ b/doc/source/misc.rst @@ -42,6 +42,15 @@ Auth :members: :show-inheritance: +.. _common_swauth: + +Swauth +====== + +.. automodule:: swift.common.middleware.swauth + :members: + :show-inheritance: + .. _acls: ACLs diff --git a/doc/source/overview_auth.rst b/doc/source/overview_auth.rst index 364a6928dc..604aed266e 100644 --- a/doc/source/overview_auth.rst +++ b/doc/source/overview_auth.rst @@ -48,9 +48,129 @@ implementing your own auth. Also, see :doc:`development_auth`. ------------------- -History and Future ------------------- -What's established in Swift for authentication/authorization has history from -before Swift, so that won't be recorded here. +------ +Swauth +------ + +The Swauth system is an optional DevAuth replacement included at +swift/common/middleware/swauth.py is a scalable authentication and +authorization system that uses Swift itself as its backing store. This section +will describe how it stores its data. + +At the topmost level, the auth system has its own Swift account it stores its +own account information within. This Swift account is known as +self.auth_account in the code and its name is in the format +self.reseller_prefix + ".auth". In this text, we'll refer to this account as +. + +The containers whose names do not begin with a period represent the accounts +within the auth service. For example, the /test container would +represent the "test" account. + +The objects within each container represent the users for that auth service +account. For example, the /test/bob object would represent the +user "bob" within the auth service account of "test". Each of these user +objects contain a JSON dictionary of the format:: + + {"auth": ":", "groups": } + +The `` can only be `plaintext` at this time, and the `` +is the plain text password itself. + +The `` contains at least two group names. The first is a unique +group name identifying that user and is of the format `:`. The +second group is the `` itself. Additional groups of `.admin` for +account administrators and `.reseller_admin` for reseller administrators may +exist. Here's an example user JSON dictionary:: + + {"auth": "plaintext:testing", "groups": ["test:tester", "test", ".admin"]} + +To map an auth service account to a Swift storage account, the Service Account +Id string is stored in the `X-Container-Meta-Account-Id` header for the +/ container. To map back the other way, an +/.account_id/ object is created with the contents of +the corresponding auth service's account name. + +Also, to support a future where the auth service will support multiple Swift +clusters for the same auth service account, an +//.clusters object is created with its contents having a +JSON dictionary of the format:: + + {"storage": {"default": "local", "local": }} + +The "default" is always "local" right now, and "local" is always the single +Swift cluster URL; but in the future there can be more than one cluster with +various names instead of just "local", and the "default" key's value will +contain the primary cluster to use for that account. Also, there may be more +services in addition to the current "storage" service right now. + +Here's an example .clusters dictionary at the moment:: + + {"storage": + {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}} + +But, here's an example of what the dictionary may look like in the future:: + + {"storage": + {"default": "dfw", + "dfw": "http://dfw.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "ord": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "sat": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}, + "servers": + {"default": "dfw", + "dfw": "http://dfw.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "ord": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9", + "sat": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}} + +Lastly, the tokens themselves are stored as objects in the +/.token container. The names of the objects are the token strings +themselves, such as `AUTH_tked86bbd01864458aa2bd746879438d5a`. The contents of +the token objects are JSON dictionaries of the format:: + + {"account": , + "user": , + "account_id": , + "groups": , + "expires": } + +The `` is the auth service account's name for that token. The `` +is the user within the account for that token. The `` is the +same as the `X-Container-Meta-Account-Id` for the auth service's account, +as described above. The `` is the user's groups, as described +above with the user object. The "expires" value indicates when the token is no +longer valid, as compared to Python's time.time() value. + +Here's an example token object's JSON dictionary:: + + {"account": "test", + "user": "tester", + "account_id": "AUTH_8980f74b1cda41e483cbe0a925f448a9", + "groups": ["test:tester", "test", ".admin"], + "expires": 1291273147.1624689} + +To easily map a user to an already issued token, the token name is stored in +the user object's `X-Object-Meta-Auth-Token` header. + +Here is an example full listing of an :: + + .account_id + AUTH_4a4e6655-4c8e-4bcb-b73e-0ff1104c4fef + AUTH_5162ec51-f792-4db3-8a35-b3439a1bf6fd + AUTH_8efbea51-9339-42f8-8ac5-f26e1da67eed + .token + AUTH_tk03d8571f735a4ec9abccc704df941c6e + AUTH_tk27cf3f2029b64ec8b56c5d638807b3de + AUTH_tk7594203449754c22a34ac7d910521c2e + AUTH_tk8f2ee54605dd42a8913d244de544d19e + reseller + .clusters + reseller + test + .clusters + tester + tester3 + test2 + .clusters + tester2 diff --git a/etc/auth-server.conf-sample b/etc/auth-server.conf-sample index 1309726985..27b6cf3e14 100644 --- a/etc/auth-server.conf-sample +++ b/etc/auth-server.conf-sample @@ -1,3 +1,4 @@ +# Only needed for DevAuth; Swauth is within the proxy-server.conf [DEFAULT] # bind_ip = 0.0.0.0 # bind_port = 11000 diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 220f003ba0..c8cb20bc87 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -9,7 +9,10 @@ # key_file = /etc/swift/proxy.key [pipeline:main] +# For DevAuth: pipeline = catch_errors healthcheck cache ratelimit auth proxy-server +# For Swauth: +# pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server [app:proxy-server] use = egg:swift#proxy @@ -33,6 +36,7 @@ use = egg:swift#proxy # 'false' no one, even authorized, can. # allow_account_management = false +# Only needed for DevAuth [filter:auth] use = egg:swift#auth # The reseller prefix will verify a token begins with this prefix before even @@ -44,8 +48,32 @@ use = egg:swift#auth # ip = 127.0.0.1 # port = 11000 # ssl = false +# prefix = / # node_timeout = 10 +# Only needed for Swauth +[filter:swauth] +use = egg:swift#swauth +# log_name = auth-server +# log_facility = LOG_LOCAL0 +# log_level = INFO +# log_headers = False +# The reseller prefix will verify a token begins with this prefix before even +# attempting to validate it. Also, with authorization, only Swift storage +# accounts with this prefix will be authorized by this middleware. Useful if +# multiple auth systems are in use for one Swift cluster. +# reseller_prefix = AUTH +# The auth prefix will cause requests beginning with this prefix to be routed +# to the auth subsystem, for granting tokens, creating accounts, users, etc. +# auth_prefix = /auth/ +# Cluster strings are of the format name:url where name is a short name for the +# Swift cluster and url is the url to the proxy server(s) for the cluster. +# default_swift_cluster = local:http://127.0.0.1:8080/v1 +# token_life = 86400 +# node_timeout = 10 +# Highly recommended to change this. +super_admin_key = swauthkey + [filter:healthcheck] use = egg:swift#healthcheck diff --git a/etc/stats.conf-sample b/etc/stats.conf-sample index 8ec18d4968..f89cb77d6d 100644 --- a/etc/stats.conf-sample +++ b/etc/stats.conf-sample @@ -1,5 +1,8 @@ [stats] +# For DevAuth: auth_url = http://saio:11000/auth +# For Swauth: +# auth_url = http://saio:8080/auth/v1.0 auth_user = test:tester auth_key = testing # swift_dir = /etc/swift diff --git a/setup.py b/setup.py index f72517f0de..6736a3b6a9 100644 --- a/setup.py +++ b/setup.py @@ -79,6 +79,9 @@ setup( 'bin/swift-log-uploader', 'bin/swift-log-stats-collector', 'bin/swift-account-stats-logger', + 'bin/swauth-add-account', 'bin/swauth-add-user', + 'bin/swauth-delete-account', 'bin/swauth-delete-user', + 'bin/swauth-list', 'bin/swauth-prep', 'bin/swift-auth-to-swauth', ], entry_points={ 'paste.app_factory': [ @@ -90,6 +93,7 @@ setup( ], 'paste.filter_factory': [ 'auth=swift.common.middleware.auth:filter_factory', + 'swauth=swift.common.middleware.swauth:filter_factory', 'healthcheck=swift.common.middleware.healthcheck:filter_factory', 'memcache=swift.common.middleware.memcache:filter_factory', 'ratelimit=swift.common.middleware.ratelimit:filter_factory', diff --git a/swift/common/middleware/auth.py b/swift/common/middleware/auth.py index 1278a4a67a..3382cb88f9 100644 --- a/swift/common/middleware/auth.py +++ b/swift/common/middleware/auth.py @@ -35,6 +35,7 @@ class DevAuth(object): self.auth_host = conf.get('ip', '127.0.0.1') self.auth_port = int(conf.get('port', 11000)) self.ssl = conf.get('ssl', 'false').lower() in TRUE_VALUES + self.auth_prefix = conf.get('prefix', '/') self.timeout = int(conf.get('node_timeout', 10)) def __call__(self, env, start_response): @@ -131,7 +132,7 @@ class DevAuth(object): if not groups: with Timeout(self.timeout): conn = http_connect(self.auth_host, self.auth_port, 'GET', - '/token/%s' % token, ssl=self.ssl) + '%stoken/%s' % (self.auth_prefix, token), ssl=self.ssl) resp = conn.getresponse() resp.read() conn.close() diff --git a/swift/common/middleware/swauth.py b/swift/common/middleware/swauth.py new file mode 100644 index 0000000000..3838e3e6f2 --- /dev/null +++ b/swift/common/middleware/swauth.py @@ -0,0 +1,1120 @@ +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +from httplib import HTTPConnection, HTTPSConnection +from time import gmtime, strftime, time +from traceback import format_exc +from urllib import quote, unquote +from urlparse import urlparse +from uuid import uuid4 + +from eventlet.timeout import Timeout +from webob import Response, Request +from webob.exc import HTTPAccepted, HTTPBadRequest, HTTPConflict, \ + HTTPCreated, HTTPForbidden, HTTPNoContent, HTTPNotFound, \ + HTTPServiceUnavailable, HTTPUnauthorized + +from swift.common.bufferedhttp import http_connect_raw as http_connect +from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed +from swift.common.utils import cache_from_env, get_logger, split_path + + +class Swauth(object): + """ + Scalable authentication and authorization system that uses Swift as its + backing store. + + :param app: The next WSGI app in the pipeline + :param conf: The dict of configuration values + """ + + def __init__(self, app, conf): + self.app = app + self.conf = conf + self.logger = get_logger(conf) + self.log_headers = conf.get('log_headers') == 'True' + self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip() + if self.reseller_prefix and self.reseller_prefix[-1] != '_': + self.reseller_prefix += '_' + self.auth_prefix = conf.get('auth_prefix', '/auth/') + if not self.auth_prefix: + self.auth_prefix = '/auth/' + if self.auth_prefix[0] != '/': + self.auth_prefix = '/' + self.auth_prefix + if self.auth_prefix[-1] != '/': + self.auth_prefix += '/' + self.auth_account = '%s.auth' % self.reseller_prefix + self.default_swift_cluster = conf.get('default_swift_cluster', + 'local:http://127.0.0.1:8080/v1').rstrip('/') + self.dsc_name, self.dsc_url = self.default_swift_cluster.split(':', 1) + self.dsc_parsed = urlparse(self.dsc_url) + if self.dsc_parsed.scheme not in ('http', 'https'): + raise Exception('Cannot handle protocol scheme %s for url %s' % + (self.dsc_parsed.scheme, repr(self.dsc_url))) + self.super_admin_key = conf.get('super_admin_key') + if not self.super_admin_key: + msg = 'No super_admin_key set in conf file! Exiting.' + try: + self.logger.critical(msg) + except: + pass + raise ValueError(msg) + self.token_life = int(conf.get('token_life', 86400)) + self.timeout = int(conf.get('node_timeout', 10)) + self.itoken = None + self.itoken_expires = None + + def __call__(self, env, start_response): + """ + Accepts a standard WSGI application call, authenticating the request + and installing callback hooks for authorization and ACL header + validation. For an authenticated request, REMOTE_USER will be set to a + comma separated list of the user's groups. + + With a non-empty reseller prefix, acts as the definitive auth service + for just tokens and accounts that begin with that prefix, but will deny + requests outside this prefix if no other auth middleware overrides it. + + With an empty reseller prefix, acts as the definitive auth service only + for tokens that validate to a non-empty set of groups. For all other + requests, acts as the fallback auth service when no other auth + middleware overrides it. + + Alternatively, if the request matches the self.auth_prefix, the request + will be routed through the internal auth request handler (self.handle). + This is to handle creating users, accounts, granting tokens, etc. + """ + if 'HTTP_X_CF_TRANS_ID' not in env: + env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4()) + if env.get('PATH_INFO', '').startswith(self.auth_prefix): + return self.handle(env, start_response) + token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN')) + if token and token.startswith(self.reseller_prefix): + # Note: Empty reseller_prefix will match all tokens. + groups = self.get_groups(env, token) + if groups: + env['REMOTE_USER'] = groups + user = groups and groups.split(',', 1)[0] or '' + # We know the proxy logs the token, so we augment it just a bit + # to also log the authenticated user. + env['HTTP_X_AUTH_TOKEN'] = '%s,%s' % (user, token) + env['swift.authorize'] = self.authorize + env['swift.clean_acl'] = clean_acl + else: + # Unauthorized token + if self.reseller_prefix: + # Because I know I'm the definitive auth for this token, I + # can deny it outright. + return HTTPUnauthorized()(env, start_response) + # Because I'm not certain if I'm the definitive auth for empty + # reseller_prefixed tokens, I won't overwrite swift.authorize. + elif 'swift.authorize' not in env: + env['swift.authorize'] = self.denied_response + else: + if self.reseller_prefix: + # With a non-empty reseller_prefix, I would like to be called + # back for anonymous access to accounts I know I'm the + # definitive auth for. + try: + version, rest = split_path(env.get('PATH_INFO', ''), + 1, 2, True) + except ValueError: + return HTTPNotFound()(env, start_response) + if rest and rest.startswith(self.reseller_prefix): + # Handle anonymous access to accounts I'm the definitive + # auth for. + env['swift.authorize'] = self.authorize + env['swift.clean_acl'] = clean_acl + # Not my token, not my account, I can't authorize this request, + # deny all is a good idea if not already set... + elif 'swift.authorize' not in env: + env['swift.authorize'] = self.denied_response + # Because I'm not certain if I'm the definitive auth for empty + # reseller_prefixed accounts, I won't overwrite swift.authorize. + elif 'swift.authorize' not in env: + env['swift.authorize'] = self.authorize + env['swift.clean_acl'] = clean_acl + return self.app(env, start_response) + + def get_groups(self, env, token): + """ + Get groups for the given token. + + :param env: The current WSGI environment dictionary. + :param token: Token to validate and return a group string for. + + :returns: None if the token is invalid or a string containing a comma + separated list of groups the authenticated user is a member + of. The first group in the list is also considered a unique + identifier for that user. + """ + groups = None + memcache_client = cache_from_env(env) + if memcache_client: + memcache_key = '%s/auth/%s' % (self.reseller_prefix, token) + cached_auth_data = memcache_client.get(memcache_key) + if cached_auth_data: + expires, groups = cached_auth_data + if expires < time(): + groups = None + if not groups: + path = quote('/v1/%s/.token/%s' % (self.auth_account, token)) + resp = self.make_request(env, 'GET', path).get_response(self.app) + if resp.status_int // 100 != 2: + return None + detail = json.loads(resp.body) + if detail['expires'] < time(): + return None + groups = detail['groups'] + if '.admin' in groups: + groups.remove('.admin') + groups.append(detail['account_id']) + groups = ','.join(groups) + if memcache_client: + memcache_client.set(memcache_key, (detail['expires'], groups), + timeout=float(detail['expires'] - time())) + return groups + + def authorize(self, req): + """ + Returns None if the request is authorized to continue or a standard + WSGI response callable if not. + """ + try: + version, account, container, obj = split_path(req.path, 1, 4, True) + except ValueError: + return HTTPNotFound(request=req) + if not account or not account.startswith(self.reseller_prefix): + return self.denied_response(req) + user_groups = (req.remote_user or '').split(',') + if '.reseller_admin' in user_groups: + return None + if account in user_groups and (req.method != 'PUT' or container): + # If the user is admin for the account and is not trying to do an + # account PUT... + return None + referrers, groups = parse_acl(getattr(req, 'acl', None)) + if referrer_allowed(req.referer, referrers): + return None + if not req.remote_user: + return self.denied_response(req) + for user_group in user_groups: + if user_group in groups: + return None + return self.denied_response(req) + + def denied_response(self, req): + """ + Returns a standard WSGI response callable with the status of 403 or 401 + depending on whether the REMOTE_USER is set or not. + """ + if req.remote_user: + return HTTPForbidden(request=req) + else: + return HTTPUnauthorized(request=req) + + def handle(self, env, start_response): + """ + WSGI entry point for auth requests (ones that match the + self.auth_prefix). + Wraps env in webob.Request object and passes it down. + + :param env: WSGI environment dictionary + :param start_response: WSGI callable + """ + try: + req = Request(env) + if self.auth_prefix: + req.path_info_pop() + req.bytes_transferred = '-' + req.client_disconnect = False + if 'x-storage-token' in req.headers and \ + 'x-auth-token' not in req.headers: + req.headers['x-auth-token'] = req.headers['x-storage-token'] + if 'eventlet.posthooks' in env: + env['eventlet.posthooks'].append( + (self.posthooklogger, (req,), {})) + return self.handle_request(req)(env, start_response) + else: + # Lack of posthook support means that we have to log on the + # start of the response, rather than after all the data has + # been sent. This prevents logging client disconnects + # differently than full transmissions. + response = self.handle_request(req)(env, start_response) + self.posthooklogger(env, req) + return response + except: + print "EXCEPTION IN handle: %s: %s" % (format_exc(), env) + start_response('500 Server Error', + [('Content-Type', 'text/plain')]) + return ['Internal server error.\n'] + + def handle_request(self, req): + """ + Entry point for auth requests (ones that match the self.auth_prefix). + Should return a WSGI-style callable (such as webob.Response). + + :param req: webob.Request object + """ + req.start_time = time() + handler = None + version, account, user, _ = split_path(req.path_info, minsegs=1, + maxsegs=4, rest_with_last=True) + if version in ('v1', 'v1.0', 'auth'): + if req.method == 'GET': + handler = self.handle_get_token + elif version == 'v2': + req.path_info_pop() + if req.method == 'GET': + if not account and not user: + handler = self.handle_get_accounts + elif account: + if not user: + handler = self.handle_get_account + elif account == '.token': + req.path_info_pop() + handler = self.handle_validate_token + else: + handler = self.handle_get_user + elif req.method == 'PUT': + if not user: + handler = self.handle_put_account + else: + handler = self.handle_put_user + elif req.method == 'DELETE': + if not user: + handler = self.handle_delete_account + else: + handler = self.handle_delete_user + elif req.method == 'POST': + if account == '.prep': + handler = self.handle_prep + if not handler: + req.response = HTTPBadRequest(request=req) + else: + req.response = handler(req) + return req.response + + def handle_prep(self, req): + """ + Handles the POST v2/.prep call for preparing the backing store Swift + cluster for use with the auth subsystem. Can only be called by + .super_admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 204 on success + """ + if not self.is_super_admin(req): + return HTTPForbidden(request=req) + path = quote('/v1/%s' % self.auth_account) + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create the main auth account: %s %s' % + (path, resp.status)) + for container in ('.token', '.account_id'): + path = quote('/v1/%s/%s' % (self.auth_account, container)) + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create container: %s %s' % + (path, resp.status)) + return HTTPNoContent(request=req) + + def handle_get_accounts(self, req): + """ + Handles the GET v2 call for listing the accounts handled by this auth + system. Can only be called by a .reseller_admin. + + On success, a JSON list of dicts will be returned. Each dict represents + an account and currently only contains the single key `name`. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with a JSON list of the + accounts as explained above. + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + listing = [] + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote(self.auth_account), + quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not list main auth account: %s %s' % + (path, resp.status)) + sublisting = json.loads(resp.body) + if not sublisting: + break + for container in sublisting: + if container['name'][0] != '.': + listing.append({'name': container['name']}) + marker = sublisting[-1]['name'] + return Response(body=json.dumps(listing)) + + def handle_get_account(self, req): + """ + Handles the GET v2/ call for listing the users in an account. + Can only be called by an account .admin. + + On success, a JSON list of dicts will be returned. Each dict represents + a user and currently only contains the single key `name`. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with a JSON list of the users + in the account as explained above. + """ + account = req.path_info_pop() + if req.path_info: + return HTTPBadRequest(request=req) + if not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + listing = [] + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' % + (self.auth_account, account)), quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not list in main auth account: %s %s' % + (path, resp.status)) + sublisting = json.loads(resp.body) + if not sublisting: + break + for obj in sublisting: + if obj['name'][0] != '.': + listing.append({'name': obj['name']}) + marker = sublisting[-1]['name'] + return Response(body=json.dumps(listing)) + + def handle_put_account(self, req): + """ + Handles the PUT v2/ call for adding an account to the auth + system. Can only be called by a .reseller_admin. + + By default, a newly created UUID4 will be used with the reseller prefix + as the account id used when creating corresponding service accounts. + However, you can provide an X-Account-Suffix header to replace the + UUID4 part. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + account = req.path_info_pop() + if req.path_info or not account.isalnum(): + return HTTPBadRequest(request=req) + # Ensure the container in the main auth account exists (this + # container represents the new account) + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int == 404: + resp = self.make_request(req.environ, 'PUT', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create account within main auth ' + 'account: %s %s' % (path, resp.status)) + elif resp.status_int // 100 == 2: + if 'x-container-meta-account-id' in resp.headers: + # Account was already created + return HTTPAccepted(request=req) + else: + raise Exception('Could not verify account within main auth ' + 'account: %s %s' % (path, resp.status)) + account_suffix = req.headers.get('x-account-suffix') + if not account_suffix: + account_suffix = str(uuid4()) + conn = self.get_conn() + # Create the new account in the Swift cluster + path = quote('%s/%s%s' % (self.dsc_parsed.path, self.reseller_prefix, + account_suffix)) + conn.request('PUT', path, + headers={'X-Auth-Token': self.get_itoken(req.environ)}) + resp = conn.getresponse() + resp.read() + if resp.status // 100 != 2: + raise Exception('Could not create account on the Swift cluster: ' + '%s %s %s' % (path, resp.status, resp.reason)) + # Record the mapping from account id back to account name + path = quote('/v1/%s/.account_id/%s%s' % + (self.auth_account, self.reseller_prefix, account_suffix)) + resp = self.make_request(req.environ, 'PUT', path, + account).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create account id mapping: %s %s' % + (path, resp.status)) + # Record the cluster url(s) for the account + path = quote('/v1/%s/%s/.clusters' % (self.auth_account, account)) + clusters = {'storage': {}} + clusters['storage'][self.dsc_name] = '%s/%s%s' % (self.dsc_url, + self.reseller_prefix, account_suffix) + clusters['storage']['default'] = self.dsc_name + resp = self.make_request(req.environ, 'PUT', path, + json.dumps(clusters)).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create .clusters object: %s %s' % + (path, resp.status)) + # Record the mapping from account name to the account id + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'POST', path, + headers={'X-Container-Meta-Account-Id': '%s%s' % + (self.reseller_prefix, account_suffix)}).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not record the account id on the account: ' + '%s %s' % (path, resp.status)) + return HTTPCreated(request=req) + + def handle_delete_account(self, req): + """ + Handles the DELETE v2/ call for removing an account from the + auth system. Can only be called by a .reseller_admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + if not self.is_reseller_admin(req): + return HTTPForbidden(request=req) + account = req.path_info_pop() + if req.path_info or not account.isalnum(): + return HTTPBadRequest(request=req) + # Make sure the account has no users. + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' % + (self.auth_account, account)), quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + break + if resp.status_int // 100 != 2: + raise Exception('Could not list in main auth account: %s %s' % + (path, resp.status)) + sublisting = json.loads(resp.body) + if not sublisting: + break + for obj in sublisting: + if obj['name'][0] != '.': + return HTTPConflict(request=req) + marker = sublisting[-1]['name'] + # Obtain the listing of clusters the account is on. + path = quote('/v1/%s/%s/.clusters' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNoContent(request=req) + elif resp.status_int // 100 == 2: + clusters = json.loads(resp.body) + # Delete the account on each cluster it is on. + for name, url in clusters['storage'].iteritems(): + if name != 'default': + parsed = urlparse(url) + if parsed.scheme == 'http': + conn = HTTPConnection(parsed.netloc) + else: + conn = HTTPSConnection(parsed.netloc) + conn.request('DELETE', parsed.path, + headers={'X-Auth-Token': self.get_itoken(req.environ)}) + resp = conn.getresponse() + resp.read() + if resp.status // 100 != 2: + raise Exception('Could not delete account on the ' + 'Swift cluster: %s %s %s' % + (url, resp.status, resp.reason)) + # Delete the .clusters object itself. + path = quote('/v1/%s/%s/.clusters' % + (self.auth_account, account)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + # Obtain the account id mapping for the account. + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNoContent(request=req) + elif 'x-container-meta-account-id' in resp.headers: + account_id = resp.headers['x-container-meta-account-id'] + # Delete the account id mapping for the account. + path = quote('/v1/%s/.account_id/%s' % + (self.auth_account, account_id)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2: + self.logger.error('Could not delete account id ' + 'mapping: %s %s' % (path, resp.status)) + # Delete the account marker itself. + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2: + self.logger.error('Could not delete account marked: ' + '%s %s' % (path, resp.status)) + else: + raise Exception('Could not verify account within main auth ' + 'account: %s %s' % (path, resp.status)) + + def handle_get_user(self, req): + """ + Handles the GET v2// call for retrieving the user's JSON + dict. Can only be called by an account .admin. + + On success, a JSON dict will be returned as described:: + + {"groups": [ # List of groups the user is a member of + ":", # The first group is a unique user identifier + "", # The second group is the auth account name + ""... + # There may be additional groups, .admin being a special group + # indicating an account admin and .reseller_admin indicating a + # reseller admin. + ], + "auth": "plaintext:" + # The auth-type and key for the user; currently only plaintext is + # implemented. + } + + If the in the request is the special user `.groups`, a JSON list + of dicts will be returned instead, each dict representing a group in + the account currently with just the single key `name`. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with data set as explained + above. + """ + account = req.path_info_pop() + user = req.path_info_pop() + if req.path_info or not account.isalnum() or \ + (not user.isalnum() and user != '.groups'): + return HTTPBadRequest(request=req) + if not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + if user == '.groups': + # TODO: This could be very slow for accounts with a really large + # number of users. Speed could be improved by concurrently + # requesting user group information. Then again, I don't *know* + # it's slow for `normal` use cases, so testing should be done. + groups = set() + marker = '' + while True: + path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' % + (self.auth_account, account)), quote(marker)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not list in main auth account: ' + '%s %s' % (path, resp.status)) + sublisting = json.loads(resp.body) + if not sublisting: + break + for obj in sublisting: + if obj['name'][0] != '.': + path = quote('/v1/%s/%s/%s' % (self.auth_account, + account, obj['name'])) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not retrieve user object: ' + '%s %s' % (path, resp.status)) + groups.update(json.loads(resp.body)['groups']) + marker = sublisting[-1]['name'] + body = json.dumps(list({'name': g} for g in sorted(groups))) + else: + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not retrieve user object: %s %s' % + (path, resp.status)) + body = resp.body + return Response(body=body) + + def handle_put_user(self, req): + """ + Handles the PUT v2// call for adding a user to an + account. + + X-Auth-User-Key represents the user's key, X-Auth-User-Admin may be set + to `true` to create an account .admin, and X-Auth-User-Reseller-Admin + may be set to `true` to create a .reseller_admin. + + Can only be called by an account .admin unless the user is to be a + .reseller_admin, in which case the request must be by .super_admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + # Validate path info + account = req.path_info_pop() + user = req.path_info_pop() + key = req.headers.get('x-auth-user-key') + admin = req.headers.get('x-auth-user-admin') == 'true' + reseller_admin = \ + req.headers.get('x-auth-user-reseller-admin') == 'true' + if reseller_admin: + admin = True + if req.path_info or not account.isalnum() or not user.isalnum() or \ + not key: + return HTTPBadRequest(request=req) + if reseller_admin: + if not self.is_super_admin(req): + return HTTPForbidden(request=req) + elif not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + # Create the object in the main auth account (this object represents + # the user) + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + groups = ['%s:%s' % (account, user), account] + if admin: + groups.append('.admin') + if reseller_admin: + groups.append('.reseller_admin') + resp = self.make_request(req.environ, 'PUT', path, json.dumps({'auth': + 'plaintext:%s' % key, 'groups': groups})).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create user object: %s %s' % + (path, resp.status)) + return HTTPCreated(request=req) + + def handle_delete_user(self, req): + """ + Handles the DELETE v2// call for deleting a user from an + account. + + Can only be called by an account .admin. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success. + """ + # Validate path info + account = req.path_info_pop() + user = req.path_info_pop() + if req.path_info or not account.isalnum() or not user.isalnum(): + return HTTPBadRequest(request=req) + if not self.is_account_admin(req, account): + return HTTPForbidden(request=req) + # Delete the user's existing token, if any. + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPNotFound(request=req) + elif resp.status_int // 100 != 2: + raise Exception('Could not obtain user details: %s %s' % + (path, resp.status)) + candidate_token = resp.headers.get('x-object-meta-auth-token') + if candidate_token: + path = quote('/v1/%s/.token/%s' % (self.auth_account, + candidate_token)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete possibly existing token: ' + '%s %s' % (path, resp.status)) + # Delete the user entry itself. + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'DELETE', + path).get_response(self.app) + if resp.status_int // 100 != 2 and resp.status_int != 404: + raise Exception('Could not delete the user object: %s %s' % + (path, resp.status)) + return HTTPNoContent(request=req) + + def handle_get_token(self, req): + """ + Handles the various `request for token and service end point(s)` calls. + There are various formats to support the various auth servers in the + past. Examples:: + + GET /v1//auth + X-Auth-User: : or X-Storage-User: + X-Auth-Key: or X-Storage-Pass: + GET /auth + X-Auth-User: : or X-Storage-User: : + X-Auth-Key: or X-Storage-Pass: + GET /v1.0 + X-Auth-User: : or X-Storage-User: : + X-Auth-Key: or X-Storage-Pass: + + On successful authentication, the response will have X-Auth-Token and + X-Storage-Token set to the token to use with Swift and X-Storage-URL + set to the URL to the default Swift cluster to use. + + The response body will be set to the account's clusters JSON object as + described here:: + + {"storage": { # Represents the Swift storage service end points + "default": "cluster1", # Indicates which cluster is the default + "cluster1": "", + # A Swift cluster that can be used with this account, + # "cluster1" is the name of the cluster which is usually a + # location indicator (like "dfw" for a datacenter region). + "cluster2": "" + # Another Swift cluster that can be used with this account, + # there will always be at least one Swift cluster to use or + # this whole "storage" dict won't be included at all. + }, + "servers": { # Represents the Nova server service end points + # Expected to be similar to the "storage" dict, but not + # implemented yet. + }, + # Possibly other service dicts, not implemented yet. + } + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with data set as explained + above. + """ + # Validate the request info + pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3, + rest_with_last=True) + if pathsegs[0] == 'v1' and pathsegs[2] == 'auth': + account = pathsegs[1] + user = req.headers.get('x-storage-user') + if not user: + user = req.headers.get('x-auth-user') + if not user or ':' not in user: + return HTTPUnauthorized(request=req) + account2, user = user.split(':', 1) + if account != account2: + return HTTPUnauthorized(request=req) + key = req.headers.get('x-storage-pass') + if not key: + key = req.headers.get('x-auth-key') + elif pathsegs[0] in ('auth', 'v1.0'): + user = req.headers.get('x-auth-user') + if not user: + user = req.headers.get('x-storage-user') + if not user or ':' not in user: + return HTTPUnauthorized(request=req) + account, user = user.split(':', 1) + key = req.headers.get('x-auth-key') + if not key: + key = req.headers.get('x-storage-pass') + else: + return HTTPBadRequest(request=req) + if not all((account, user, key)): + return HTTPUnauthorized(request=req) + # Authenticate user + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int == 404: + return HTTPUnauthorized(request=req) + if resp.status_int // 100 != 2: + raise Exception('Could not obtain user details: %s %s' % + (path, resp.status)) + user_detail = json.loads(resp.body) + if not self.credentials_match(user_detail, key): + return HTTPUnauthorized(request=req) + # See if a token already exists and hasn't expired + token = None + candidate_token = resp.headers.get('x-object-meta-auth-token') + if candidate_token: + path = quote('/v1/%s/.token/%s' % (self.auth_account, + candidate_token)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 == 2: + token_detail = json.loads(resp.body) + if token_detail['expires'] > time(): + token = candidate_token + elif resp.status_int != 404: + raise Exception('Could not detect whether a token already ' + 'exists: %s %s' % (path, resp.status)) + # Create a new token if one didn't exist + if not token: + # Retrieve account id, we'll save this in the token + path = quote('/v1/%s/%s' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'HEAD', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not retrieve account id value: ' + '%s %s' % (path, resp.status)) + account_id = \ + resp.headers['x-container-meta-account-id'] + # Generate new token + token = '%stk%s' % (self.reseller_prefix, uuid4().hex) + # Save token info + path = quote('/v1/%s/.token/%s' % (self.auth_account, token)) + resp = self.make_request(req.environ, 'PUT', path, + json.dumps({'account': account, 'user': user, + 'account_id': account_id, + 'groups': user_detail['groups'], + 'expires': time() + self.token_life})).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not create new token: %s %s' % + (path, resp.status)) + # Record the token with the user info for future use. + path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user)) + resp = self.make_request(req.environ, 'POST', path, + headers={'X-Object-Meta-Auth-Token': token} + ).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not save new token: %s %s' % + (path, resp.status)) + # Get the cluster url information + path = quote('/v1/%s/%s/.clusters' % (self.auth_account, account)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not obtain clusters info: %s %s' % + (path, resp.status)) + detail = json.loads(resp.body) + url = detail['storage'][detail['storage']['default']] + return Response(request=req, body=resp.body, + headers={'x-auth-token': token, 'x-storage-token': token, + 'x-storage-url': url}) + + def handle_validate_token(self, req): + """ + Handles the GET v2/.token/ call for validating a token, usually + called by a service like Swift. + + On a successful validation, X-Auth-TTL will be set for how much longer + this token is valid and X-Auth-Groups will contain a comma separated + list of groups the user belongs to. + + The first group listed will be a unique identifier for the user the + token represents. + + .reseller_admin is a special group that indicates the user should be + allowed to do anything on any account. + + :param req: The webob.Request to process. + :returns: webob.Response, 2xx on success with data set as explained + above. + """ + token = req.path_info_pop() + if req.path_info or not token.startswith(self.reseller_prefix): + return HTTPBadRequest(request=req) + expires = groups = None + memcache_client = cache_from_env(req.environ) + if memcache_client: + memcache_key = '%s/auth/%s' % (self.reseller_prefix, token) + cached_auth_data = memcache_client.get(memcache_key) + if cached_auth_data: + expires, groups = cached_auth_data + if expires < time(): + groups = None + if not groups: + path = quote('/v1/%s/.token/%s' % (self.auth_account, token)) + resp = self.make_request(req.environ, 'GET', + path).get_response(self.app) + if resp.status_int // 100 != 2: + return HTTPUnauthorized(request=req) + detail = json.loads(resp.body) + expires = detail['expires'] + if expires < time(): + return HTTPUnauthorized(request=req) + groups = detail['groups'] + if '.admin' in groups: + groups.remove('.admin') + groups.append(detail['account_id']) + groups = ','.join(groups) + return HTTPNoContent(headers={'X-Auth-TTL': expires - time(), + 'X-Auth-Groups': groups}) + + def make_request(self, env, method, path, body=None, headers=None): + """ + Makes a new webob.Request based on the current env but with the + parameters specified. + + :param env: Current WSGI environment dictionary + :param method: HTTP method of new request + :param path: HTTP path of new request + :param body: HTTP body of new request; None by default + :param headers: Extra HTTP headers of new request; None by default + + :returns: webob.Request object + """ + newenv = {'REQUEST_METHOD': method} + for name in ('swift.cache', 'HTTP_X_CF_TRANS_ID'): + if name in env: + newenv[name] = env[name] + if not headers: + headers = {} + if body: + return Request.blank(path, environ=newenv, body=body, + headers=headers) + else: + return Request.blank(path, environ=newenv, headers=headers) + + def get_conn(self, url=None): + """ + Returns an HTTPConnection based on the given `url` or the default Swift + cluster URL's scheme. + """ + if self.dsc_parsed.scheme == 'http': + return HTTPConnection(self.dsc_parsed.netloc) + else: + return HTTPSConnection(self.dsc_parsed.netloc) + + def get_itoken(self, env): + """ + Returns the current internal token to use for the auth system's own + actions with other Swift clusters. Each process will create its own + itoken and the token will be deleted and recreated based on the + token_life configuration value. The itoken information is stored in + memcache because the auth process that is asked by Swift to validate + the token may not be the same as the auth process that created the + token. + """ + if not self.itoken or self.itoken_expires < time(): + self.itoken = '%sitk%s' % (self.reseller_prefix, uuid4().hex) + memcache_key = '%s/auth/%s' % (self.reseller_prefix, self.itoken) + self.itoken_expires = time() + self.token_life - 60 + cache_from_env(env).set(memcache_key, (self.itoken_expires, + '.auth,.reseller_admin'), timeout=self.token_life) + return self.itoken + + def get_admin_detail(self, req): + """ + Returns the dict for the user specified as the admin in the request + with the addition of an `account` key set to the admin user's account. + + :param req: The webob request to retrieve X-Auth-Admin-User and + X-Auth-Admin-Key from. + :returns: The dict for the admin user with the addition of the + `account` key. + """ + if ':' not in req.headers.get('x-auth-admin-user'): + return None + admin_account, admin_user = \ + req.headers.get('x-auth-admin-user').split(':', 1) + path = quote('/v1/%s/%s/%s' % (self.auth_account, admin_account, + admin_user)) + resp = self.make_request(req.env, 'GET', path).get_response(self.app) + if resp.status_int // 100 != 2: + raise Exception('Could not get admin user object: %s %s' % + (path, resp.status)) + admin_detail = json.loads(resp.body) + admin_detail['account'] = admin_account + return admin_detail + + def credentials_match(self, user_detail, key): + """ + Returns True if the key is valid for the user_detail. Currently, this + only supports plaintext key matching. + + :param user_detail: The dict for the user. + :param key: The key to validate for the user. + :returns: True if the key is valid for the user, False if not. + """ + return user_detail.get('auth') == 'plaintext:%s' % key + + def is_super_admin(self, req): + """ + Returns True if the admin specified in the request represents the + .super_admin. + + :param req: The webob.Request to check. + :param returns: True if .super_admin. + """ + return req.headers.get('x-auth-admin-user') == '.super_admin' and \ + req.headers.get('x-auth-admin-key') == self.super_admin_key + + def is_reseller_admin(self, req, admin_detail=None): + """ + Returns True if the admin specified in the request represents a + .reseller_admin. + + :param req: The webob.Request to check. + :param admin_detail: The previously retrieved dict from + :func:`get_admin_detail` or None for this function + to retrieve the admin_detail itself. + :param returns: True if .reseller_admin. + """ + if self.is_super_admin(req): + return True + if not admin_detail: + admin_detail = self.get_admin_detail(req) + if not self.credentials_match(admin_detail, + req.headers.get('x-auth-admin-key')): + return False + return '.reseller_admin' in admin_detail['groups'] + + def is_account_admin(self, req, account): + """ + Returns True if the admin specified in the request represents a .admin + for the account specified. + + :param req: The webob.Request to check. + :param account: The account to check for .admin against. + :param returns: True if .admin. + """ + if self.is_super_admin(req): + return True + admin_detail = self.get_admin_detail(req) + if self.is_reseller_admin(req, admin_detail=admin_detail): + return True + return admin_detail['account'] == account and \ + '.admin' in admin_detail['groups'] + + def posthooklogger(self, env, req): + response = getattr(req, 'response', None) + if not response: + return + trans_time = '%.4f' % (time() - req.start_time) + the_request = quote(unquote(req.path)) + if req.query_string: + the_request = the_request + '?' + req.query_string + # remote user for zeus + client = req.headers.get('x-cluster-client-ip') + if not client and 'x-forwarded-for' in req.headers: + # remote user for other lbs + client = req.headers['x-forwarded-for'].split(',')[0].strip() + logged_headers = None + if self.log_headers: + logged_headers = '\n'.join('%s: %s' % (k, v) + for k, v in req.headers.items()) + status_int = response.status_int + if getattr(req, 'client_disconnect', False) or \ + getattr(response, 'client_disconnect', False): + status_int = 499 + self.logger.info(' '.join(quote(str(x)) for x in (client or '-', + req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()), + req.method, the_request, req.environ['SERVER_PROTOCOL'], + status_int, req.referer or '-', req.user_agent or '-', + req.headers.get('x-auth-token', + req.headers.get('x-auth-admin-user', '-')), + getattr(req, 'bytes_transferred', 0) or '-', + getattr(response, 'bytes_transferred', 0) or '-', + req.headers.get('etag', '-'), + req.headers.get('x-cf-trans-id', '-'), logged_headers or '-', + trans_time))) + + +def filter_factory(global_conf, **local_conf): + """Returns a WSGI filter app for use with paste.deploy.""" + conf = global_conf.copy() + conf.update(local_conf) + + def auth_filter(app): + return Swauth(app, conf) + return auth_filter diff --git a/swift/proxy/server.py b/swift/proxy/server.py index e48052a398..b9589b2663 100644 --- a/swift/proxy/server.py +++ b/swift/proxy/server.py @@ -1385,7 +1385,8 @@ class BaseApplication(object): def update_request(self, req): req.bytes_transferred = '-' req.client_disconnect = False - req.headers['x-cf-trans-id'] = 'tx' + str(uuid.uuid4()) + if 'x-cf-trans-id' not in req.headers: + req.headers['x-cf-trans-id'] = 'tx' + str(uuid.uuid4()) if 'x-storage-token' in req.headers and \ 'x-auth-token' not in req.headers: req.headers['x-auth-token'] = req.headers['x-storage-token'] diff --git a/test/functional/sample.conf b/test/functional/sample.conf index 983f2cf768..4067269af2 100644 --- a/test/functional/sample.conf +++ b/test/functional/sample.conf @@ -1,7 +1,12 @@ # sample config auth_host = 127.0.0.1 +# For DevAuth: auth_port = 11000 +# For Swauth: +# auth_port = 8080 auth_ssl = no +# For Swauth: +# auth_prefix = /auth/ # Primary functional test account (needs admin access to the account) account = test diff --git a/test/functional/swift.py b/test/functional/swift.py index e134de502f..e3012dd6b3 100644 --- a/test/functional/swift.py +++ b/test/functional/swift.py @@ -82,6 +82,7 @@ class Connection(object): self.auth_host = config['auth_host'] self.auth_port = int(config['auth_port']) self.auth_ssl = config['auth_ssl'] in ('on', 'true', 'yes', '1') + self.auth_prefix = config.get('auth_prefix', '/') self.account = config['account'] self.username = config['username'] @@ -105,11 +106,11 @@ class Connection(object): return headers = { - 'x-storage-user': self.username, - 'x-storage-pass': self.password, + 'x-auth-user': '%s:%s' % (self.account, self.username), + 'x-auth-key': self.password, } - path = '/v1/%s/auth' % (self.account) + path = '%sv1.0' % (self.auth_prefix) if self.auth_ssl: connection = httplib.HTTPSConnection(self.auth_host, port=self.auth_port) diff --git a/test/functionalnosetests/swift_testing.py b/test/functionalnosetests/swift_testing.py index 8bd46b462b..69553494b3 100644 --- a/test/functionalnosetests/swift_testing.py +++ b/test/functionalnosetests/swift_testing.py @@ -31,7 +31,10 @@ if not all([swift_test_auth, swift_test_user[0], swift_test_key[0]]): swift_test_auth = 'http' if conf.get('auth_ssl', 'no').lower() in ('yes', 'true', 'on', '1'): swift_test_auth = 'https' - swift_test_auth += '://%(auth_host)s:%(auth_port)s/v1.0' % conf + if 'auth_prefix' not in conf: + conf['auth_prefix'] = '/' + swift_test_auth += \ + '://%(auth_host)s:%(auth_port)s%(auth_prefix)sv1.0' % conf swift_test_user[0] = '%(account)s:%(username)s' % conf swift_test_key[0] = conf['password'] try: diff --git a/test/probe/common.py b/test/probe/common.py index 0bb6f42a57..907210c739 100644 --- a/test/probe/common.py +++ b/test/probe/common.py @@ -24,13 +24,25 @@ from swift.common.client import get_auth from swift.common.ring import Ring +SUPER_ADMIN_KEY = None +AUTH_TYPE = None + +c = ConfigParser() AUTH_SERVER_CONF_FILE = environ.get('SWIFT_AUTH_SERVER_CONF_FILE', '/etc/swift/auth-server.conf') -c = ConfigParser() -if not c.read(AUTH_SERVER_CONF_FILE): - exit('Unable to read config file: %s' % AUTH_SERVER_CONF_FILE) -conf = dict(c.items('app:auth-server')) -SUPER_ADMIN_KEY = conf.get('super_admin_key', 'devauth') +if c.read(AUTH_SERVER_CONF_FILE): + conf = dict(c.items('app:auth-server')) + SUPER_ADMIN_KEY = conf.get('super_admin_key', 'devauth') + AUTH_TYPE = 'devauth' +else: + PROXY_SERVER_CONF_FILE = environ.get('SWIFT_PROXY_SERVER_CONF_FILE', + '/etc/swift/proxy-server.conf') + if c.read(PROXY_SERVER_CONF_FILE): + conf = dict(c.items('filter:swauth')) + SUPER_ADMIN_KEY = conf.get('super_admin_key', 'swauthkey') + AUTH_TYPE = 'swauth' + else: + exit('Unable to read config file: %s' % AUTH_SERVER_CONF_FILE) def kill_pids(pids): @@ -45,8 +57,9 @@ def reset_environment(): call(['resetswift']) pids = {} try: - pids['auth'] = Popen(['swift-auth-server', - '/etc/swift/auth-server.conf']).pid + if AUTH_TYPE == 'devauth': + pids['auth'] = Popen(['swift-auth-server', + '/etc/swift/auth-server.conf']).pid pids['proxy'] = Popen(['swift-proxy-server', '/etc/swift/proxy-server.conf']).pid port2server = {} @@ -60,14 +73,21 @@ def reset_environment(): container_ring = Ring('/etc/swift/container.ring.gz') object_ring = Ring('/etc/swift/object.ring.gz') sleep(5) - conn = http_connect('127.0.0.1', '11000', 'POST', '/recreate_accounts', - headers={'X-Auth-Admin-User': '.super_admin', - 'X-Auth-Admin-Key': SUPER_ADMIN_KEY}) - resp = conn.getresponse() - if resp.status != 200: - raise Exception('Recreating accounts failed. (%d)' % resp.status) - url, token = \ - get_auth('http://127.0.0.1:11000/auth', 'test:tester', 'testing') + if AUTH_TYPE == 'devauth': + conn = http_connect('127.0.0.1', '11000', 'POST', + '/recreate_accounts', + headers={'X-Auth-Admin-User': '.super_admin', + 'X-Auth-Admin-Key': SUPER_ADMIN_KEY}) + resp = conn.getresponse() + if resp.status != 200: + raise Exception('Recreating accounts failed. (%d)' % + resp.status) + url, token = get_auth('http://127.0.0.1:11000/auth', 'test:tester', + 'testing') + elif AUTH_TYPE == 'swauth': + call(['recreateaccounts']) + url, token = get_auth('http://127.0.0.1:8080/auth/v1.0', + 'test:tester', 'testing') account = url.split('/')[-1] except BaseException, err: kill_pids(pids) diff --git a/test/unit/common/middleware/test_swauth.py b/test/unit/common/middleware/test_swauth.py new file mode 100644 index 0000000000..20075e4ea2 --- /dev/null +++ b/test/unit/common/middleware/test_swauth.py @@ -0,0 +1,691 @@ +# Copyright (c) 2010 OpenStack, LLC. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +try: + import simplejson as json +except ImportError: + import json +import unittest +from contextlib import contextmanager +from time import time + +from webob import Request, Response + +from swift.common.middleware import swauth as auth + + +class FakeMemcache(object): + + def __init__(self): + self.store = {} + + def get(self, key): + return self.store.get(key) + + def set(self, key, value, timeout=0): + self.store[key] = value + return True + + def incr(self, key, timeout=0): + self.store[key] = self.store.setdefault(key, 0) + 1 + return self.store[key] + + @contextmanager + def soft_lock(self, key, timeout=0, retries=5): + yield True + + def delete(self, key): + try: + del self.store[key] + except: + pass + return True + + +class FakeApp(object): + + def __init__(self, status_headers_body_iter=None): + self.calls = 0 + self.status_headers_body_iter = status_headers_body_iter + if not self.status_headers_body_iter: + self.status_headers_body_iter = iter([('404 Not Found', {}, '')]) + + def __call__(self, env, start_response): + self.calls += 1 + req = Request.blank('', environ=env) + if 'swift.authorize' in env: + resp = env['swift.authorize'](req) + if resp: + return resp(env, start_response) + status, headers, body = self.status_headers_body_iter.next() + return Response(status=status, headers=headers, + body=body)(env, start_response) + + +class TestAuth(unittest.TestCase): + + def setUp(self): + self.test_auth = \ + auth.filter_factory({'super_admin_key': 'supertest'})(FakeApp()) + + def test_super_admin_key_required(self): + app = FakeApp() + exc = None + try: + auth.filter_factory({})(app) + except ValueError, err: + exc = err + self.assertEquals(str(exc), + 'No super_admin_key set in conf file! Exiting.') + auth.filter_factory({'super_admin_key': 'supertest'})(app) + + def test_reseller_prefix_init(self): + app = FakeApp() + ath = auth.filter_factory({'super_admin_key': 'supertest'})(app) + self.assertEquals(ath.reseller_prefix, 'AUTH_') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': 'TEST'})(app) + self.assertEquals(ath.reseller_prefix, 'TEST_') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': 'TEST_'})(app) + self.assertEquals(ath.reseller_prefix, 'TEST_') + + def test_auth_prefix_init(self): + app = FakeApp() + ath = auth.filter_factory({'super_admin_key': 'supertest'})(app) + self.assertEquals(ath.auth_prefix, '/auth/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': ''})(app) + self.assertEquals(ath.auth_prefix, '/auth/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': '/test/'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': '/test'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': 'test/'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'auth_prefix': 'test'})(app) + self.assertEquals(ath.auth_prefix, '/test/') + + def test_default_swift_cluster_init(self): + app = FakeApp() + self.assertRaises(Exception, auth.filter_factory({ + 'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:badscheme://host/path'}), app) + ath = auth.filter_factory({'super_admin_key': 'supertest'})(app) + self.assertEquals(ath.default_swift_cluster, + 'local:http://127.0.0.1:8080/v1') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:http://host/path'})(app) + self.assertEquals(ath.default_swift_cluster, + 'local:http://host/path') + ath = auth.filter_factory({'super_admin_key': 'supertest', + 'default_swift_cluster': 'local:http://host/path/'})(app) + self.assertEquals(ath.default_swift_cluster, + 'local:http://host/path') + + def test_auth_deny_non_reseller_prefix(self): + resp = Request.blank('/v1/BLAH_account', + headers={'X-Auth-Token': 'BLAH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(resp.environ['swift.authorize'], + self.test_auth.denied_response) + + def test_auth_deny_non_reseller_prefix_no_override(self): + fake_authorize = lambda x: Response(status='500 Fake') + resp = Request.blank('/v1/BLAH_account', + headers={'X-Auth-Token': 'BLAH_t'}, + environ={'swift.authorize': fake_authorize} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + self.assertEquals(resp.environ['swift.authorize'], fake_authorize) + + def test_auth_no_reseller_prefix_deny(self): + # Ensures that when we have no reseller prefix, we don't deny a request + # outright but set up a denial swift.authorize and pass the request on + # down the chain. + local_app = FakeApp() + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(local_app) + resp = Request.blank('/v1/account', + headers={'X-Auth-Token': 't'}).get_response(local_auth) + self.assertEquals(resp.status_int, 401) + # one for checking auth, two for request passed along + self.assertEquals(local_app.calls, 2) + self.assertEquals(resp.environ['swift.authorize'], + local_auth.denied_response) + + def test_auth_no_reseller_prefix_allow(self): + # Ensures that when we have no reseller prefix, we can still allow + # access if our auth server accepts requests + local_app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + local_auth = auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(local_app) + resp = Request.blank('/v1/act', + headers={'X-Auth-Token': 't'}).get_response(local_auth) + self.assertEquals(resp.status_int, 204) + self.assertEquals(local_app.calls, 2) + self.assertEquals(resp.environ['swift.authorize'], + local_auth.authorize) + + def test_auth_no_reseller_prefix_no_token(self): + # Check that normally we set up a call back to our authorize. + local_auth = \ + auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(FakeApp(iter([]))) + resp = Request.blank('/v1/account').get_response(local_auth) + self.assertEquals(resp.status_int, 401) + self.assertEquals(resp.environ['swift.authorize'], + local_auth.authorize) + # Now make sure we don't override an existing swift.authorize when we + # have no reseller prefix. + local_auth = \ + auth.filter_factory({'super_admin_key': 'supertest', + 'reseller_prefix': ''})(FakeApp()) + local_authorize = lambda req: Response('test') + resp = Request.blank('/v1/account', environ={'swift.authorize': + local_authorize}).get_response(local_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.environ['swift.authorize'], local_authorize) + + def test_auth_fail(self): + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_auth_success(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + + def test_auth_memcache(self): + # First run our test without memcache, showing we need to return the + # token contents twice. + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() + 60})), + ('204 No Content', {}, ''), + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + # Now run our test with memcache, showing we no longer need to return + # the token contents twice. + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() + 60})), + ('204 No Content', {}, ''), + # Don't need a second token object returned if memcache is used + ('204 No Content', {}, '')])) + fake_memcache = FakeMemcache() + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}, + environ={'swift.cache': fake_memcache} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}, + environ={'swift.cache': fake_memcache} + ).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + + def test_auth_just_expired(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() - 1}))])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_middleware_storage_token(self): + self.test_auth.app = FakeApp(iter([ + ('200 Ok', {}, + json.dumps({'account': 'act', 'user': 'act:usr', + 'account_id': 'AUTH_cfa', + 'groups': ['act:usr', 'act', '.admin'], + 'expires': time() + 60})), + ('204 No Content', {}, '')])) + resp = Request.blank('/v1/AUTH_cfa', + headers={'X-Storage-Token': 'AUTH_t'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 204) + + def test_authorize_bad_path(self): + req = Request.blank('/badpath') + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('401'), resp) + req = Request.blank('/badpath') + req.remote_user = 'act:usr,act,AUTH_cfa' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + def test_authorize_account_access(self): + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act,AUTH_cfa' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + def test_authorize_acl_group_access(self): + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act:usr' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act2' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = 'act:usr2' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + def test_deny_cross_reseller(self): + # Tests that cross-reseller is denied, even if ACLs/group names match + req = Request.blank('/v1/OTHER_cfa') + req.remote_user = 'act:usr,act,AUTH_cfa' + req.acl = 'act' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + def test_authorize_acl_referrer_access(self): + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = '.r:*' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.acl = '.r:.example.com' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + req = Request.blank('/v1/AUTH_cfa') + req.remote_user = 'act:usr,act' + req.referer = 'http://www.example.com/index.html' + req.acl = '.r:.example.com' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('401'), resp) + req = Request.blank('/v1/AUTH_cfa') + req.acl = '.r:*' + self.assertEquals(self.test_auth.authorize(req), None) + req = Request.blank('/v1/AUTH_cfa') + req.acl = '.r:.example.com' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('401'), resp) + req = Request.blank('/v1/AUTH_cfa') + req.referer = 'http://www.example.com/index.html' + req.acl = '.r:.example.com' + self.assertEquals(self.test_auth.authorize(req), None) + + def test_account_put_permissions(self): + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,AUTH_other' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + # Even PUTs to your own account as account admin should fail + req = Request.blank('/v1/AUTH_old', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,AUTH_old' + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,.reseller_admin' + resp = self.test_auth.authorize(req) + self.assertEquals(resp, None) + + # .super_admin is not something the middleware should ever see or care + # about + req = Request.blank('/v1/AUTH_new', environ={'REQUEST_METHOD': 'PUT'}) + req.remote_user = 'act:usr,act,.super_admin' + resp = self.test_auth.authorize(req) + resp = str(self.test_auth.authorize(req)) + self.assert_(resp.startswith('403'), resp) + + def test_get_token_fail(self): + resp = Request.blank('/auth/v1.0').get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_invalid_key(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of clusters object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'invalid'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_invalid_x_auth_user_format(self): + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_non_matching_account_in_request(self): + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'act2:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_bad_path(self): + resp = Request.blank('/auth/v1/act/auth/invalid', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 400) + + def test_get_token_fail_missing_key(self): + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'act:usr'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 401) + + def test_get_token_fail_get_user_details(self): + self.test_auth.app = FakeApp(iter([ + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_get_token_fail_get_account(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_get_token_fail_put_new_token(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_get_token_fail_post_to_user(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_get_token_fail_get_clusters(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of clusters object + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_get_token_fail_get_existing_token(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of token + ('503 Service Unavailable', {}, '')])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 500) + + def test_get_token_success_v1_0(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of clusters object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + + def test_get_token_success_v1_act_auth(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of clusters object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Storage-User': 'usr', + 'X-Storage-Pass': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + + def test_get_token_success_storage_instead_of_auth(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of clusters object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Storage-User': 'act:usr', + 'X-Storage-Pass': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + + def test_get_token_success_v1_act_auth_auth_instead_of_storage(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of account + ('204 Ok', {'X-Container-Meta-Account-Id': 'AUTH_cfa'}, ''), + # PUT of new token + ('201 Created', {}, ''), + # POST of token to user object + ('204 No Content', {}, ''), + # GET of clusters object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1/act/auth', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assert_(resp.headers.get('x-auth-token', + '').startswith('AUTH_tk'), resp.headers.get('x-auth-token')) + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + + def test_get_token_success_existing_token(self): + self.test_auth.app = FakeApp(iter([ + # GET of user object + ('200 Ok', {'X-Object-Meta-Auth-Token': 'AUTH_tktest'}, + json.dumps({"auth": "plaintext:key", + "groups": ["act:usr", "act", ".admin"]})), + # GET of token + ('200 Ok', {}, json.dumps({"account": "act", "user": "usr", + "account_id": "AUTH_cfa", "groups": ["act:usr", "key", ".admin"], + "expires": 9999999999.9999999})), + # GET of clusters object + ('200 Ok', {}, json.dumps({"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}))])) + resp = Request.blank('/auth/v1.0', + headers={'X-Auth-User': 'act:usr', + 'X-Auth-Key': 'key'}).get_response(self.test_auth) + self.assertEquals(resp.status_int, 200) + self.assertEquals(resp.headers.get('x-auth-token'), 'AUTH_tktest') + self.assertEquals(resp.headers.get('x-auth-token'), + resp.headers.get('x-storage-token')) + self.assertEquals(resp.headers.get('x-storage-url'), + 'http://127.0.0.1:8080/v1/AUTH_cfa') + self.assertEquals(json.loads(resp.body), + {"storage": {"default": "local", + "local": "http://127.0.0.1:8080/v1/AUTH_cfa"}}) + + +if __name__ == '__main__': + unittest.main()