From fd8eb6b280ca15c0cfc9723c056cdac8548b34fd Mon Sep 17 00:00:00 2001 From: Alistair Coles Date: Tue, 6 Jan 2015 16:57:17 +0000 Subject: [PATCH] Add undocumented options to keystoneauth sample config Adds is_admin and allow_overrides to the keystoneauth section of proxy-server.conf.sample and also adds related comments to the keystoneauth docstring. DocImpact Change-Id: I7c751880cb6742db7347f31c4d32b523e33da75b --- etc/proxy-server.conf-sample | 14 ++++++++++++++ swift/common/middleware/keystoneauth.py | 20 +++++++++++++++++--- 2 files changed, 31 insertions(+), 3 deletions(-) diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index 78ab42b5b7..8eff0c8709 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -283,8 +283,22 @@ user_test_tester3 = testing3 # Operator roles is the role which user would be allowed to manage a # tenant and be able to create container or give ACL to others. # operator_roles = admin, swiftoperator +# # The reseller admin role has the ability to create and delete accounts # reseller_admin_role = ResellerAdmin +# +# This allows middleware higher in the WSGI pipeline to override auth +# processing, useful for middleware such as tempurl and formpost. If you know +# you're not going to use such middleware and you want a bit of extra security, +# you can set this to false. +# allow_overrides = true +# +# If is_admin is true, a user whose username is the same as the project name +# and who has any role on the project will have access rights elevated to be +# the same as if the user had an operator role. Note that the condition +# compares names rather than UUIDs. This option is deprecated. +# is_admin = false +# # For backwards compatibility, keystoneauth will match names in cross-tenant # access control lists (ACLs) when both the requesting user and the tenant # are in the default domain i.e the domain to which existing tenants are 
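Review bot: The new `is_admin` comment says the option is deprecated but not why, which is the one thing an operator deciding whether to enable it needs; the hunk's own hint is that the match is by name rather than UUID. I would extend the comment with something like `# Names are not unique across Keystone domains, so a user in one domain whose name matches a project in another could gain operator rights on it; leave this false unless you depend on it and grant access via operator_roles instead.` — the cross-domain collision is inferred from the name-vs-UUID remark and the surrounding default-domain text, not shown by this hunk, so confirm it against the authorization code. For `allow_overrides`, "a bit of extra security" understates the trade-off: setting it false makes keystoneauth disregard any upstream authorization decision, so tempurl and formpost stop working rather than degrade, which is worth saying plainly, e.g. `# Setting this to false breaks tempurl and formpost; only do so if neither is in your pipeline.`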
diff --git a/swift/common/middleware/keystoneauth.py b/swift/common/middleware/keystoneauth.py index 46a8367b53..6f8a4cef75 100644 --- a/swift/common/middleware/keystoneauth.py +++ b/swift/common/middleware/keystoneauth.py @@ -42,10 +42,10 @@ class KeystoneAuth(object): The authtoken middleware will take care of validating the user and keystoneauth will authorize access. - The authtoken middleware is shipped directly with keystone it - does not have any other dependences than itself so you can either + The authtoken middleware is shipped with keystonemiddleware - it + does not have any other dependencies than itself so you can either install it by copying the file directly in your python path or by - installing keystone. + installing keystonemiddleware. If support is required for unvalidated users (as with anonymous access) or for formpost/staticweb/tempurl middleware, authtoken will @@ -72,6 +72,12 @@ class KeystoneAuth(object): setting which by default includes the admin and the swiftoperator roles. + If the ``is_admin`` option is ``true``, a user whose username is the same + as the project name and who has any role on the project will have access + rights elevated to be the same as if the user had one of the + ``operator_roles``. Note that the condition compares names rather than + UUIDs. This option is deprecated. It is ``false`` by default. + If you need to have a different reseller_prefix to be able to mix different auth servers you can configure the option ``reseller_prefix`` in your keystoneauth entry like this:: 
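Review bot: In the second hunk, the ``is_admin`` paragraph flags the option as deprecated without giving the reason or the safe alternative, so a reader cannot judge the risk of turning it on. The paragraph already notes the comparison is by name rather than UUID; I would add one sentence after it along the lines of `Because names are not unique across Keystone domains, a user in one domain can match a project of the same name in another; leave it ``false`` and grant access through ``operator_roles`` instead.` That cross-domain collision is inferred from the name-vs-UUID remark rather than shown here, so verify it against the authorization code before wording it as fact. The first hunk is a wording fix and needs nothing; both hunks sit in the docstring of class KeystoneAuth, whose definition starts and ends outside them.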
@@ -114,6 +120,14 @@ class KeystoneAuth(object): keystoneauth will assume that the tenant may not be in the default domain and therefore not match names in ACLs for that account. + By default, middleware higher in the WSGI pipeline may override auth + processing, useful for middleware such as tempurl and formpost. If you know + you're not going to use such middleware and you want a bit of extra + security you can disable this behaviour by setting the ``allow_overrides`` + option to ``false``:: + + allow_overrides = false + :param app: The next WSGI app in the pipeline :param conf: The dict of configuration values """
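Review bot: The new ``allow_overrides`` paragraph describes disabling it as "a bit of extra security" without saying what actually changes, which is what a practitioner weighing the setting needs. I would state the effect directly, e.g. `When ``false``, keystoneauth authorizes every request itself and ignores any authorization decision made by middleware placed before it in the pipeline; tempurl, formpost and any other middleware relying on that override will then be denied rather than degraded.` The docstring's earlier paragraph lists formpost/staticweb/tempurl together, so if staticweb also depends on the override it should be named here too — I cannot confirm that from this hunk. This text is part of the docstring of class KeystoneAuth, whose definition lies outside the hunk.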