stackforge/swiftpolicy
Code Issues Proposed changes
swiftpolicy/README.md
Nassim Babaci 7183c086d8 update readme
2014-07-21 13:29:29 +02:00

2.6 KiB
Raw Blame History

SwiftPolicy Middleware.

SwiftPolicy Middleware for OpenStack Swift, allows to use json policy file format to handle swift authorizations.

SwiftPolicy is an adaptation of the keystoneauth middleware here: https://github.com/openstack/swift/blob/master/swift/common/middleware/keystoneauth.py

For compatibity reasons, with the shipped default.json file SwiftPolicy will behave exactly like keystoneauth. (except we removed the deprecated is_admin feature).

Install

  1. Install SwiftPolicy with sudo python setup.py install or sudo python setup.py develop.

  2. Alter your proxy-server.conf pipeline to have SwiftPolicy:

For example, you can use SwiftPolicy in place of keystoneauth middleware:

Change::

    [pipeline:main]
    pipeline = catch_errors cache tempauth proxy-server

To::

    [pipeline:main]
    pipeline = catch_errors cache swiftpolicy tempauth proxy-server
  1. Add to your proxy-server.conf the section for the SwiftPolicy WSGI filter::

Policy file is given using policy option

[filter:swift3]
use = egg:swiftpolicy#swiftpolicy
policy = %(here)s/default.json

We install along with this middleare a default policy file in /etc/swift/default.json, which make our middleware behaves the same way as keystoneauth (for compatibility reasons).

Policy file

The policy file will list all possible actions on swift proxy. Action's format is: "_" (example: "get_container", "put_object", etc).

...
"get_container": "rule:allowed_for_user",
"put_container": "rule:allowed_for_user",
"delete_container": "rule:allowed_for_user",
...

Policy file contains also two specific rules: "swift_owner" "reseller_request", they define when swift_owner and reseller_request headers are set to true, as those two value are part of the contract between the auth system and swift.

...
"swift_owner": "rule:swift_reseller or rule:swift_operator",
"reseller_request": "rule:swift_reseller",
...

 

Example

  • To deny creation of new containers: set put_container to '!':

      ...
  "get_container": "rule:allowed_for_user",
  "put_container": "!",
  ...

  • To restrict creation of new container to users with role "admin":

      ...
  "get_container": "rule:allowed_for_user",
  "put_container": "role:admin",
  ...

Limitations

  • swiftpolicy does not support dynamic laoding of the policy file, and thus, swift proxy have to be restarted when policy file is updated.