Merge "Add undocumented options to keystoneauth sample config"

2015-01-07 17:48:39 +00:00 · 2015-01-07 17:48:39 +00:00 · 4cdb51418c
commit 4cdb51418c
parent 0bfeb93597 fd8eb6b280
2 changed files with 31 additions and 3 deletions
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@ -283,8 +283,22 @@ user_test_tester3 = testing3
 # Operator roles is the role which user would be allowed to manage a
 # tenant and be able to create container or give ACL to others.
 # operator_roles = admin, swiftoperator
+#
 # The reseller admin role has the ability to create and delete accounts
 # reseller_admin_role = ResellerAdmin
+#
+# This allows middleware higher in the WSGI pipeline to override auth
+# processing, useful for middleware such as tempurl and formpost. If you know
+# you're not going to use such middleware and you want a bit of extra security,
+# you can set this to false.
+# allow_overrides = true
+#
+# If is_admin is true, a user whose username is the same as the project name
+# and who has any role on the project will have access rights elevated to be
+# the same as if the user had an operator role. Note that the condition
+# compares names rather than UUIDs. This option is deprecated.
+# is_admin = false
+#
 # For backwards compatibility, keystoneauth will match names in cross-tenant
 # access control lists (ACLs) when both the requesting user and the tenant
 # are in the default domain i.e the domain to which existing tenants are
--- a/swift/common/middleware/keystoneauth.py
+++ b/swift/common/middleware/keystoneauth.py
@ -42,10 +42,10 @@ class KeystoneAuth(object):
    The authtoken middleware will take care of validating the user and
    keystoneauth will authorize access.

-    The authtoken middleware is shipped directly with keystone it
-    does not have any other dependences than itself so you can either
+    The authtoken middleware is shipped with keystonemiddleware - it
+    does not have any other dependencies than itself so you can either
    install it by copying the file directly in your python path or by
-    installing keystone.
+    installing keystonemiddleware.

    If support is required for unvalidated users (as with anonymous
    access) or for formpost/staticweb/tempurl middleware, authtoken will
@ -72,6 +72,12 @@ class KeystoneAuth(object):
    setting which by default includes the admin and the swiftoperator
    roles.

+    If the ``is_admin`` option is ``true``, a user whose username is the same
+    as the project name and who has any role on the project will have access
+    rights elevated to be the same as if the user had one of the
+    ``operator_roles``. Note that the condition compares names rather than
+    UUIDs. This option is deprecated. It is ``false`` by default.
+
    If you need to have a different reseller_prefix to be able to
    mix different auth servers you can configure the option
    ``reseller_prefix`` in your keystoneauth entry like this::
@ -114,6 +120,14 @@ class KeystoneAuth(object):
    keystoneauth will assume that the tenant may not be in the default domain
    and therefore not match names in ACLs for that account.

+    By default, middleware higher in the WSGI pipeline may override auth
+    processing, useful for middleware such as tempurl and formpost. If you know
+    you're not going to use such middleware and you want a bit of extra
+    security you can disable this behaviour by setting the ``allow_overrides``
+    option to ``false``::
+
+        allow_overrides = false
+
    :param app: The next WSGI app in the pipeline
    :param conf: The dict of configuration values
    """