Merge "Add undocumented options to keystoneauth sample config"

etc/proxy-server.conf-sample

@@ -283,8 +283,22 @@ user_test_tester3 = testing3
 # Operator roles is the role which user would be allowed to manage a
 # tenant and be able to create container or give ACL to others.
 # operator_roles = admin, swiftoperator
+#
 # The reseller admin role has the ability to create and delete accounts
 # reseller_admin_role = ResellerAdmin
+#
+# This allows middleware higher in the WSGI pipeline to override auth
+# processing, useful for middleware such as tempurl and formpost. If you know
+# you're not going to use such middleware and you want a bit of extra security,
+# you can set this to false.
+# allow_overrides = true
+#
+# If is_admin is true, a user whose username is the same as the project name
+# and who has any role on the project will have access rights elevated to be
+# the same as if the user had an operator role. Note that the condition
+# compares names rather than UUIDs. This option is deprecated.
+# is_admin = false
+#
 # For backwards compatibility, keystoneauth will match names in cross-tenant
 # access control lists (ACLs) when both the requesting user and the tenant
 # are in the default domain i.e the domain to which existing tenants are

swift/common/middleware/keystoneauth.py

@@ -42,10 +42,10 @@ class KeystoneAuth(object):
     The authtoken middleware will take care of validating the user and
     keystoneauth will authorize access.
 
-    The authtoken middleware is shipped directly with keystone it
+    The authtoken middleware is shipped with keystonemiddleware - it
-    does not have any other dependences than itself so you can either
+    does not have any other dependencies than itself so you can either
     install it by copying the file directly in your python path or by
-    installing keystone.
+    installing keystonemiddleware.
 
     If support is required for unvalidated users (as with anonymous
     access) or for formpost/staticweb/tempurl middleware, authtoken will
@@ -72,6 +72,12 @@ class KeystoneAuth(object):
     setting which by default includes the admin and the swiftoperator
     roles.
 
+    If the ``is_admin`` option is ``true``, a user whose username is the same
+    as the project name and who has any role on the project will have access
+    rights elevated to be the same as if the user had one of the
+    ``operator_roles``. Note that the condition compares names rather than
+    UUIDs. This option is deprecated. It is ``false`` by default.
+
     If you need to have a different reseller_prefix to be able to
     mix different auth servers you can configure the option
     ``reseller_prefix`` in your keystoneauth entry like this::
@@ -114,6 +120,14 @@ class KeystoneAuth(object):
     keystoneauth will assume that the tenant may not be in the default domain
     and therefore not match names in ACLs for that account.
 
+    By default, middleware higher in the WSGI pipeline may override auth
+    processing, useful for middleware such as tempurl and formpost. If you know
+    you're not going to use such middleware and you want a bit of extra
+    security you can disable this behaviour by setting the ``allow_overrides``
+    option to ``false``::
+
+        allow_overrides = false
+
     :param app: The next WSGI app in the pipeline
     :param conf: The dict of configuration values
     """