x/swiftonhpss
Code Issues Proposed changes
3796a1c757
swiftonhpss/doc/markdown/auth_guide.md
Thiago da Silva 1613077331 Update auth_guide.md 
adding first draft of gswauth section to authentication guide

Change-Id: I801c9f4add18a5e5f5c735e61cf99fc3a5b935c2
Signed-off-by: Thiago da Silva <thiago@redhat.com>
Reviewed-on: http://review.gluster.org/6222
Reviewed-by: Luis Pabon <lpabon@redhat.com>
Tested-by: Luis Pabon <lpabon@redhat.com>
2013-11-10 17:14:18 -08:00

2.7 KiB
Raw Blame History

Authentication Services Start Guide

Contents

## Keystone The Standard Openstack authentication service

TBD

 ## Swiftkerbauth Kerberos authentication filter for Swift

TBD

 ## GSwauth ### Overview An easily deployable GlusterFS aware authentication service based on [Swauth](http://gholt.github.com/swauth/). GSwauth is a WSGI Middleware that uses Swift itself as a backing store to maintain its metadata.

This model has the benefit of having the metadata available to all proxy servers and saving the data to a GlusterFS volume. To protect the metadata, the GlusterFS volume should only be able to be mounted by the systems running the proxy servers.

Currently, gluster-swift has a strict mapping of one account to a GlusterFS volume. Future releases, this will be enhanced to support multiple accounts per GlusterFS volume.

See http://gholt.github.com/swauth/ for more information on Swauth.

###Quick Install

  1. GSwauth is installed by default with Gluster for Swift.

  2. Create and start the gsmetadata gluster volume

    gluster volume create gsmetadata `hostname`:`brick`
gluster volume start gsmetadata

  3. run gluster-swift-gen-builders with all volumes that should be accessible by gluster-swift, including gsmetadata

    gluster-swift-gen-builders gsmetadata `other volumes`

  4. Change your proxy-server.conf pipeline to have gswauth instead of tempauth:

    Was:

    [pipeline:main]
pipeline = catch_errors cache tempauth proxy-server

    Change To:

    [pipeline:main]
pipeline = catch_errors cache gswauth proxy-server

  5. Add to your proxy-server.conf the section for the Swauth WSGI filter:

    [filter:gswauth]

    use = egg:gluster_swift#gswauth
    set log_name = gswauth
    super_admin_key = swauthkey
    metadata_volume = gsmetadata
    auth_type = sha1
    auth_type_salt = swauthsalt
  1. Restart your proxy server swift-init proxy reload
 ###How to use it 1. Initialize the GSwauth backing store in Gluster-Swift ``swauth-prep -K swauthkey``

  1. Add an account/user. The account name must match the Glusterfs volume name the user will be given access to. In this example we use the volume test swauth-add-user -A http://127.0.0.1:8080/auth/ -K swauthkey -a test user1 password1

  2. Ensure it works swift -A http://127.0.0.1:8080/auth/v1.0 -U test:user1 -K password stat