Rebase swiftkerbauth imported code with upstream

Few changes have been merged to upstream swiftkerbauth repo.
This commit brings it down to gluster-swift repo.
Bringing below changes to gluster-swift repo in one go.

http://review.gluster.org/#/c/6296/
http://review.gluster.org/#/c/6370/
http://review.gluster.org/#/c/6595/
http://review.gluster.org/#/c/6713/
http://review.gluster.org/#/c/6732/

Change-Id: I10dc12d75ec63fca313339fbc71e4f18071af552
Signed-off-by: Chetan Risbud <crisbud@redhat.com>
Reviewed-on: http://review.gluster.org/6764
Reviewed-by: Prashanth Pai <ppai@redhat.com>

3 files changed, 81 insertions, 1 deletions

diff --git a/doc/markdown/swiftkerbauth/AD_server.md b/doc/markdown/swiftkerbauth/AD_server.md
index c34f0f1..66d90f2 100644
--- a/doc/markdown/swiftkerbauth/AD_server.md
+++ b/doc/markdown/swiftkerbauth/AD_server.md
@@ -98,6 +98,18 @@ On client:
 <a name="users-groups" />
 ###Adding users and groups
 
+The following convention is to be followed in creating group names:
+
+    <reseller-prefix>\_<volume-name>
+
+    <reseller-prefix>\_<account-name>
+
+As of now, account=volume=group
+
+For example:
+
+    AUTH\_test
+
 Adding groups and users to the Windows domain is easy task.
 
     - Start -> Administrative Tools -> Active Directory Users & Computers
diff --git a/doc/markdown/swiftkerbauth/ipa_server.md b/doc/markdown/swiftkerbauth/ipa_server.md
index ef12b53..55e654e 100644
--- a/doc/markdown/swiftkerbauth/ipa_server.md
+++ b/doc/markdown/swiftkerbauth/ipa_server.md
@@ -107,6 +107,18 @@ Check if reverse resolution works :
 <a name="users-groups" />
 ## Adding users and groups
 
+The following convention is to be followed in creating group names:
+
+    <reseller-prefix>\_<volume-name>
+
+    <reseller-prefix>\_<account-name>
+
+As of now, account=volume=group
+
+For example:
+
+    AUTH\_test
+
 Create *auth_reseller_admin* user group
 > ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts"
 
diff --git a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
index ef76ad0..12845a6 100644
--- a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
+++ b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
@@ -4,6 +4,7 @@
 * [Creating HTTP Service Principal on IPA server] (#http-principal)
 * [Installing and configuring swiftkerbauth on IPA client] (#install-swiftkerbauth)
 * [Using swiftkerbauth] (#use-swiftkerbauth)
+* [Configurable Parameters] (#config-swiftkerbauth)
 
 <a name="httpd-kerb-install" />
 ## Installing Kerberos module for Apache on IPA client
@@ -47,7 +48,8 @@ Copy keytab file to client:
 
 Add a HTTP Kerberos service principal:
 > c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser
-> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab
+> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC
+> -kvno 0
 
 Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
 
@@ -101,6 +103,7 @@ Edit */etc/swift/proxy-server.conf* and add a new filter section as follows:
     [filter:kerbauth]
     use = egg:swiftkerbauth#kerbauth
     ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+    auth_mode=passive
 
 Add kerbauth to pipeline
 
@@ -433,3 +436,56 @@ The --negotiate option is for curl to perform Kerberos authentication and
 --location-trusted is for curl to follow the redirect.
 
 [auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html
+
+
+#### Get an authentication token when auth_mode=passive:
+> curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0
+
+**NOTE**: X-Storage-Url response header can be returned only in passive mode.
+
+<a name="config-swiftkerbauth" />
+##Configurable Parameters
+
+The kerbauth filter section in **/etc/swift/proxy-server.conf** looks something
+like this:
+
+    [filter:kerbauth]
+    use = egg:swiftkerbauth#kerbauth
+    ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+    auth_method = active
+    token_life = 86400
+    debug_headers = yes
+    realm_name = RHELBOX.COM
+
+Of all the options listed above, specifying **ext\_authentication\_url** is
+mandatory. The rest of the options are optional and have default values.
+
+#### ext\_authentication\_url
+A URL specifying location of the swift-auth CGI script. Avoid using IP address.  
+Default value: None
+
+#### token_life
+After how many seconds the cached information about an authentication token is
+discarded.  
+Default value: 86400
+
+#### debug_headers
+When turned on, the response headers sent to the user will contain additional
+debug information apart from the auth token.  
+Default value: yes
+
+#### auth_method
+Set this to **"active"** when you want to allow access **only to clients
+residing inside the domain**. In this mode, authentication is performed by
+mod\_auth\_kerb using the Kerberos ticket bundled with the client request.
+No username and password have to be specified to get a token.  
+Set this to **"passive"** when you want to allow access to clients residing
+outside the domain. In this mode, authentication is performed by gleaning
+username and password from request headers (X-Auth-User and X-Auth-Key) and
+running kinit command against it.   
+Default value: passive
+
+#### realm_name
+This is applicable only when the auth_method=passive. This option specifies
+realm name if RHS server belongs to more than one realm and realm name is not
+part of the username specified in X-Auth-User header.