swift/swift
Samuel Merritt 357b12dc2b Remove IP-based container-sync ACLs from auth middlewares.
The determination of the client IP looked at the X-Cluster-Client-Ip
and X-Forwarded-For headers in the incoming HTTP request. This is
trivially spoofable by a malicious client, so there's no security
gained by having the check there.

Worse, having the check there provides a false sense of security to
cluster operators. It sounds like it's based on the client IP, so an
attacker would have to do IP spoofing to defeat it. However, it's
really just a shared secret, and there's already a secret key set
up. Basically, it looks like 2-factor auth (IP+key), but it's really
1-factor (key).

Now, the one case where this might provide some security is where the
Swift cluster is behind an external load balancer that strips off the
X-Cluster-Client-Ip and X-Forwarded-For headers and substitutes its
own. I don't think it's worth the tradeoff, hence this commit.

Fixes bug 1068420 for very small values of "fixes".

DocImpact

Change-Id: I2bef64c2e1e4df8a612a5531a35721202deb6964
2012-11-16 18:47:06 -08:00
..
account statsd timing refactor 2012-11-06 15:39:25 -08:00
common Remove IP-based container-sync ACLs from auth middlewares. 2012-11-16 18:47:06 -08:00
container statsd timing refactor 2012-11-06 15:39:25 -08:00
obj Refactor DiskFile to hide temp file names and exts 2012-11-15 08:58:26 -05:00
proxy fix bug in deleting account memcache. 2012-11-14 14:10:00 +08:00
__init__.py 1.7.6 version bump 2012-11-06 19:38:26 -08:00