author: Thiago da Silva <thiago@redhat.com> 2014-04-22 14:15:02 -0400
committer: Prashanth Pai <ppai@redhat.com> 2016-01-06 07:53:12 -0800
commit: 2a8f9f0f530327039c32e444b6a27130b12666bd
tree: e24e38b5b3c0245a0acafc63fc50bacbf7de718a /doc
parent: 4c6ca1db931377b75583f61a7bca262cfc27b0fa
Update repo
This is a squashed commit imported from this repo:
https://github.com/openstack/swiftonfile/tree/icehouse

Contains the following commits from above mentioned repo:

eb50236 Merge "Backport: Fix metadata overall limits bug" into icehouse
79ea52a Backport: Fix metadata overall limits bug
bc43f0b Fix inconsistent data being returned on GET
ad0bb79 Import HTTPBadRequest from swift's module
74d02e6 Exclude .trashcan dir from container listing
b2dbc15 Catch ESTALE in addition to ENOENT
8d60b48 Properly handle read_metadata() exceptions
6762fc6 Fix object server leaking file descriptors
2842e82 Fix API incompatibility in update_metadata()
2beeef6 Merge "Remove swiftkerbauth code" into icehouse
93dbcb5 Update object-expirer.conf with explanations
c9d2f09 Merge "Check if /etc/swift exists in ring builder" into icehouse
d66c14c Remove swiftkerbauth code
3142ed2 Add object expiration functests
97153d1 Merge "Cleanup functest and undo old patch" into icehouse
bc234d0 Remove old travis config file and fix typo
260c8ef Check if /etc/swift exists in ring builder
637dac9 Cleanup functest and undo old patch
051e068 Merge pull request #35 from prashanthpai/backport-1
be104a3 Merge pull request #36 from prashanthpai/backport-2
ff76f42 fix issue with GET on large object (icehouse-backport)
04d0a99 Fix unlink call after successful rename
4c6ca1d updating README file with project name change
10b2680 Merge pull request #18 from thiagol11/icehouse
5bcab8f Updating version on __init__ file
5c2cba2 Merge pull request #15 from thiagol11/update_spec
52b00a8 updating spec file to add dependency on swift icehouse
ae7c93b Merge pull request #6 from prashanthpai/rebase
191e55b Revert: allow non-root user to run functests
cb7e968 Modify unit tests and func tests
d23fd1b Sync with OpenStack Swift v1.13.1
b6d1671 Merge pull request #12 from pushpesh/functionalnosetestremove
962622b Merge pull request #8 from thiagol11/update_readme
4560857 Merge pull request #9 from prashanthpai/spec-expirer
be0ae7e Minor update
65000f1 Removing functionalnosetests
8ab1069 Fix object-expirer.conf-gluster RPM build error
afee30f added new support filesystem section
527b01f updated README.md to Swift-On-File
9a240c7 Merge pull request #3 from thiagol11/add_jenkins_to_travis
34b5a8b removing blank lines
3568b64 fixing missing fi
d8f5b0f adding support to run jenkins triggered by travis
6f4a88c Removing functionalnosetests
8041944 Update README.md
c015148 Merge pull request #2 from thiagol11/master
3ddd952 fixing travis file to run correct unit test
c582669 adding travis status badge to README
8093096 adding py26 unit testing to travis
37835fd trigger travis build
cb6332a adding travis ci testing

All tests have been run successfully against this.
tox -e p2p8,py27,functest

Change-Id: I096b611da852d3eb3913844034b443b8272c2ac4
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/13188
Diffstat (limited to 'doc')

-rw-r--r--  doc/markdown/auth_guide.md                            16
-rw-r--r--  doc/markdown/swiftkerbauth/AD_client.md              206
-rw-r--r--  doc/markdown/swiftkerbauth/AD_server.md              119
-rw-r--r--  doc/markdown/swiftkerbauth/architecture.md           105
-rw-r--r--  doc/markdown/swiftkerbauth/ipa_client.md              80
-rw-r--r--  doc/markdown/swiftkerbauth/ipa_server.md             146
-rw-r--r--  doc/markdown/swiftkerbauth/swiftkerbauth_guide.md    517

7 files changed, 0 insertions, 1189 deletions
diff --git a/doc/markdown/auth_guide.md b/doc/markdown/auth_guide.md
index 274dd32..86c3650 100644
--- a/doc/markdown/auth_guide.md
+++ b/doc/markdown/auth_guide.md
@@ -12,13 +12,6 @@
* [User roles](#gswauth_user_roles)
* [GSwauth Tools](#gswauth_tools)
* [Authenticating a user](#gswauth_authenticate)
-* [Swiftkerbauth](#swiftkerbauth)
- * [Architecture](swiftkerbauth/architecture.md)
- * [RHEL IPA Server Guide](swiftkerbauth/ipa_server.md)
- * [RHEL IPA Client Guide](swiftkerbauth/ipa_client.md)
- * [Windows AD Server Guide](swiftkerbauth/AD_server.md)
- * [Windows AD Client Guide](swiftkerbauth/AD_client.md)
- * [Swiftkerbauth Guide](swiftkerbauth/swiftkerbauth_guide.md)
## <a name="keystone" />Keystone ##
The Standard Openstack authentication service
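Review bot: Dropping the six Swiftkerbauth entries from the contents list is the right companion to deleting the section further down, but check that nothing else in the tree still links to `auth_guide.md#swiftkerbauth` or to `swiftkerbauth/*.md` (the README and the spec file, both touched in the squashed commits, are the places to look), since after this patch those targets no longer exist.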
@@ -468,12 +461,3 @@ bash-4.2$ swift --os-auth-token=AUTH_tk7e68ef4698f14c7f95af07ab7b298610 --os-sto
README.md
~~~
**Note:** Reseller admins must always use the second method to acquire a token, in order to be given access to other accounts different than his own. The first method of using the username and password will give them access only to their own accounts.
-
-## <a name="swiftkerbauth" />Swiftkerbauth ##
-Kerberos authentication filter
-
-Carsten Clasohm implemented a new authentication filter for swift
-that uses Kerberos tickets for single sign on authentication, and
-grants administrator permissions based on the users group membership
-in a directory service like Red Hat Enterprise Linux Identity Management
-or Microsoft Active Directory.
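Review bot: With this section gone, auth_guide.md no longer mentions that a Kerberos filter ever existed; since the squash list includes "Remove swiftkerbauth code" (d66c14c), a one-line pointer in the commit message or README to where swiftkerbauth now lives would help anyone on the icehouse branch who still has `egg:swiftkerbauth#kerbauth` in their proxy pipeline understand why it disappeared. Dropping the trailing blank line after the **Note:** paragraph is fine.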
diff --git a/doc/markdown/swiftkerbauth/AD_client.md b/doc/markdown/swiftkerbauth/AD_client.md
deleted file mode 100644
index 0947a1e..0000000
--- a/doc/markdown/swiftkerbauth/AD_client.md
+++ /dev/null
@@ -1,206 +0,0 @@
-#AD client setup guide
-
-###Contents
-* [Setup Overview] (#setup)
-* [Configure Network] (#network)
-* [Installing AD Client] (#AD-client)
-
-<a name="setup" />
-###Setup Overview
-
-This guide talks about adding fedora linux client to windows domain.
-The test setup included a client machine with Fedora 19 installed
-on it with all the latest packages updated. The crux is to add this linux
-machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth,
-apachekerbauth code would run.
-
-Set hostname (FQDN) to fcclient.winad.com
-
- # hostnamectl set-hostname "fcclient.winad.com"
-
- # hostname "fcclient.winad.com"
-
-
-<a name="network" />
-### Configure client
-
-* Deploy Fedora linux 19.
-
-* Update the system with latest packages.
-
-* Configure SELinux security parameters.
-
-* Install & configure samba
-
-* Configure DNS
-
-* Synchronize the time services
-
-* Join Domain
-
-* Install / Configure Kerberos Client
-
-
-The document assumes the installing Fedora Linux and configuring SELinux
-parameters to 'permissive' is known already.
-
-###Install & Configure Samba:
- # yum -y install samba samba-client samba-common samba-winbind
- samba-winbind-clients
-
- # service start smb
-
- # ps -aef | grep smb
- # chkconfig smb on
-
-###Synchronize time services
-The kerberos authentication and most of the DNS functionality could fail with
-clock skew if times are not synchronized.
-
- # cat /etc/ntp.conf
- server ns1.bos.redhat.com
- server 10.5.26.10
-
- # service ntpd stop
-
- # ntpdate 10.16.255.2
-
- # service ntpd start
-
- #chkconfig ntpd on
-
-Check if Windows server in the whole environment is also time synchronized with
-same source.
-
- # C:\Users\Administrator>w32tm /query /status | find "Source"
-
- Source: ns1.xxx.xxx.com
-
-###Configure DNS on client
-Improperly resolved hostname is the leading cause in authentication failures.
-Best practice is to configure fedora client to use Windows DNS.
-'nameserver' below is the IP address of the windows server.
- # cat /etc/resolve.conf
- domain server.winad.com
- search server.winad.com
- nameserver 10.nn.nnn.3
-
-###Set the hostname of the client properly (FQDN)
- # cat /etc/sysconfig/network
- HOSTNAME=fcclient.winad.com
-
-
-###Install & Configure kerberos client
-
- # yum -y install krb5-workstation
-
-Edit the /etc/krb5.conf as follows:
-
- # cat /etc/krb5.conf
- [logging]
- default = FILE:/var/log/krb5libs.log
- kdc = FILE:/var/log/krb5kdc.log
- admin_server = FILE:/var/log/kadmind.log
-
- [libdefaults]
- default_realm = WINAD.COM
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- renew_lifetime = 7d
- forwardable = true
-
- [realms]
- WINAD.COM = {
- kdc = server.winad.com
- admin_server = server.winad.com
- }
- [domain_realm]
- .demo = server.winad.com
- demo = server.winad.com
-
-###Join Domain
-Fire command 'system-config-authentication' on client. This should display a
-graphical wizard. Below inputs would help configure this wizard.
-
- - User account data base = winbind
- - winbind domain = winad
- - security model = ads
- - winbind ads realm = winad.com
- - winbind controller = server.winad.com
- - template shell = /bin/bash
- - let the other options be as is to default.
- - Perform Join domain and appy settings and quit. Please note this join should
- not see any errors. This makes the client fedora box to join the windows
- domain.
-
-###Configure the kerberos client
-This would bring the users/groups from Windows Active directory to this
-fedora client.
-
-Edit /etc/samba/smb.conf file to have below parameters in the global section.
-
- # cat /etc/samba/smb.conf
- [global]
- workgroup = winad
- realm = winad.com
- server string = Samba Server Version %v
- security = ADS
- allow trusted domains = No
- password server = server.winad.com
- log file = /var/log/samba/log.%m
- max log size = 50
- idmap uid = 10000­19999
- idmap gid = 10000­19999
- template shell = /bin/bash
- winbind separator = +
- winbind use default domain = Yes
- idmap config REFARCH­AD:range = 10000000­19999999
- idmap config REFARCH­AD:backend = rid
- cups options = raw
-
-
- # service smb stop
-
- # service winbind stop
-
- # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
-
- # ls -la /var/tmp/samba-cache-backup.tar
-
- # rm ­-f /var/lib/samba/*
-
-
-Verify that no kerberos ticket available and cached.
-
- # kdestroy
-
- # klist
-
-Rejoin the domain.
-
- # net join -S server -U Administrstor
-
-Test that client rejoined the domain.
-
- # net ads info
-
-Restart smb and winbind service.
-
- # wbinfo --domain-users
-
-Perform kinit for the domain users prepared on active directory. This is obtain
-the kerberos ticket for user 'auth_admin'
-
- # kinit auth_admin
-
- # id -Gn auth_admin
-
-###Notes
-Obtaining the HTTP service principal & keytab file and installing it with
-swiftkerbauth is added to swiftkerbauth_guide
-
-###References
-Reference Document for adding Linux box to windows domain :
-Integrating Red Hat Enterprise Linux 6
-with Active Directory
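Review bot: No objection to deleting this file whole, and it should not be moved elsewhere as-is: the `idmap uid` / `idmap gid` ranges and the `rm -f /var/lib/samba/*` line carry a non-ASCII soft hyphen where a plain `-` belongs (copy-paste of that smb.conf would silently break), the NTP example points at an internal host (`server ns1.bos.redhat.com`), `/etc/resolv.conf` is misspelled as `/etc/resolve.conf`, and the `net join -S server -U Administrstor` line has a typo in the account name. The guide also sets SELinux to permissive as a prerequisite, which is lab advice, not deployment advice.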
diff --git a/doc/markdown/swiftkerbauth/AD_server.md b/doc/markdown/swiftkerbauth/AD_server.md
deleted file mode 100644
index 66d90f2..0000000
--- a/doc/markdown/swiftkerbauth/AD_server.md
+++ /dev/null
@@ -1,119 +0,0 @@
-#Windows Active Directory & Domain Controller Server Guide
-
-###Contents
-* [Setup Overview] (#Setup)
-* [Installing Active Directory Services] (#AD-server)
-* [Configuring DNS] (#DNS)
-* [Adding Users and Groups] (#users-groups)
-
-
-<a name="Setup" />
-###Setup Overview
-
-The setup includes a server machine installed with Windows 2008 R2 Server, with
-Domain Controller, Active Directory services & DNS server installed alongwith.
-The steps to install windows operating system and above servers can be found
-on MicroSoft Documentation. This windows Active Directory server would act as an
-authentication server in the whole setup. This would provide the access control
-and permissions for users on certain data objects.
-
-
-Windows 2008 R2 deployment:
-
-http://technet.microsoft.com/en-us/library/dd283085.aspx
-
-
-Configuring Active Directory, Domain Services, DNS server:
-
-http://technet.microsoft.com/en-us/library/cc770946.aspx
-
-
-<a name="AD-server" />
-###Installing AD Server
-
-Administrators need to follow simple instructions in Server Manager on Windows
-2008, and should add Active Directory Domain Services & DNS server. It is
-recommended to use static IP for DNS server. Preferred Hostname(FQDN) for
-Windows server could be of format hostname 'server.winad.com' where
-'winad.com' is a domain name.
-
-Following tips would help prepare a test setup neatly.
-
- - Select Active Directory Domain services wizard in Server Manager
- - Move on to install it with all the pre-requisits, e.g. .NET framework etc.
- - Configure Active directory after installtion via exapanding the 'Roles'
- section in the server manager.
- - Create a new Domain in the New Forest.
- - Type the FQDN, winad.com
- - Set Forest functional level Windows 2008 R2.
- - Selct additional options for this domain controller as DNS server.
- - Leave the log locations to default provided by wizard.
- - Set the Administrator Password carefully.
- - Thats it. You are done configuring active directory.
-
-
-<a name="dns" />
-###Configuring DNS
-
-This section explains configuring the DNS server installed on Windows 2008 R2
-server. You must know know about
-
- - Forward lookup zone
-
- - Reverse lookup zone
-
- - Zone type
-
-A forward lookup zone is simply a way to resolve hostnames to IP address.
-A reverse lookup zone is to lookup DNS hostname of the host IP.
-
-Following tips would help configure the Zones on DNS server.
-
- - Create a Forward lookup zone.
- - Create it a primary zone.
- - Add the Clients using their ip addresses and FQDN to this forward lookup
- zones.
- - This would add type 'A' record for that host on DNS server.
- - Similarly create a Reverser lookup zone.
- - Add clients 'PTR' record to this zone via browsing through the forward
- zones clients.
-
-The above setup can be tested on client once it joins the domain using 'dig'
-command as mentioned below.
-
-
-On client:
-
- # dig fcclient.winad.com
- This should yield you a Answer section mentioning its IP address.
-
- Reverse lookup can be tested using
-
- # 'dig -t ptr 101.56.168.192.in-addr.arpa.'
- The answer section should state the FQDN of the client.
-
- Repeat the above steps on client for Windows AD server as well.
-
-
-<a name="users-groups" />
-###Adding users and groups
-
-The following convention is to be followed in creating group names:
-
- <reseller-prefix>\_<volume-name>
-
- <reseller-prefix>\_<account-name>
-
-As of now, account=volume=group
-
-For example:
-
- AUTH\_test
-
-Adding groups and users to the Windows domain is easy task.
-
- - Start -> Administrative Tools -> Active Directory Users & Computers
- - Expand the domain name which was prepared earlier. e.g winad.com
- - Add groups with appropreate access rights.
- - Add users to the group with appropreate permissions.
- - Make sure you set password for users prepared on AD server.
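Review bot: Fine to delete. If any of this is ever salvaged, note that the contents links target `#Setup` and `#DNS` while the anchors are defined as `name="Setup"` and `name="dns"` (the DNS one does not match on case), and that the example `dig -t ptr 101.56.168.192.in-addr.arpa.` is copied from the IPA guides' lab addresses rather than this Windows setup.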
diff --git a/doc/markdown/swiftkerbauth/architecture.md b/doc/markdown/swiftkerbauth/architecture.md
deleted file mode 100644
index fc6d764..0000000
--- a/doc/markdown/swiftkerbauth/architecture.md
+++ /dev/null
@@ -1,105 +0,0 @@
-# Architecture
-
-The Swift API is HTTP-based. As described in the Swift documentation
-[1], clients first make a request to an authentication URL, providing
-a username and password. The reply contains a token which is used in
-all subsequent requests.
-
-Swift has a chain of filters through which all client requests go. The
-filters to use are configured with the pipeline parameter in
-/etc/swift/proxy-server.conf:
-
- [pipeline:main]
- pipeline = healthcheck cache tempauth proxy-server
-
-For the single sign authentication, we added a new filter called
-"kerbauth" and put it into the filter pipeline in place of tempauth.
-
-The filter checks the URL for each client request. If it matches the
-authentication URL, the client is redirected to a URL on a different
-server (on the same machine). The URL is handled by a CGI script, which
-is set up to authenticate the client with Kerberos negotiation, retrieve
-the user's system groups [2], store them in a memcache ring shared with
-the Swift server, and return the authentication token to the client.
-
-When the client provides the token as part of a resource request, the
-kerbauth filter checks it against its memcache, grants administrator
-rights based on the group membership retrieved from memcache, and
-either grants or denies the resource access.
-
-[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html
-
-[2] The user data and system groups are usually provided by Red Hat
- Enterprise Linux identity Management or Microsoft Active
- Directory. The script relies on the system configuration to be set
- accordingly (/etc/nsswitch.conf).
-
-*****
-
-## kerbauth.py
-
-The script kerbauth.py began as a copy of the tempauth.py script from
-from tempauth middleware. It contains the following modifications, among
-others:
-
-In the __init__ method, we read the ext_authentication_url parameter
-from /etc/swift/proxy-server.conf. This is the URL that clients are
-redirected to when they access either the Swift authentication URL, or
-when they request a resource without a valid authentication token.
-
-The configuration in proxy-server.conf looks like this:
-
- [filter:kerbauth]
- use = egg:swiftkerbauth#kerbauth
- ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
-
-The authorize method was changed so that global administrator rights
-are granted if the user is a member of the auth_reseller_admin
-group. Administrator rights for a specific account like vol1 are
-granted if the user is a member of the auth_vol1 group. [3]
-
-The denied_response method was changed to return a HTTP redirect to
-the external authentication URL if no valid token was provided by the
-client.
-
-Most of the handle_get_token method was moved to the external
-authentication script. This method now returns a HTTP redirect.
-
-In the __call__ and get_groups method, we removed support for the
-HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is
-used.
-
-Like tempauth.py, kerbauth.py uses a Swift wrapper to access
-memcache. This wrapper converts the key to an MD5 hash and uses the
-hash value to determine on which of a pre-defined list of servers to
-store the data.
-
-[3] "auth" is the default reseller prefix, and would be different if
- the reseller_prefix parameter in proxy-server.conf was set.
-
-## swift-auth CGI script
-
-swift-auth resides on an Apache server and assumes that Apache is
-configured to authenticate the user before this script is
-executed. The script retrieves the username from the REMOTE_USER
-environment variable, and checks if there already is a token for this
-user in the memcache ring. If not, it generates a new one, retrieves
-the user's system groups with "id -Gn USERNAME", stores this
-information in the memcache ring, and returns the token to the client.
-
-To allow the CGI script to connect to memcache, the SELinux booleans
-httpd_can_network_connect and httpd_can_network_memcache had to be
-set.
-
-The tempauth filter uses the uuid module to generate token
-strings. This module creates and runs temporary files, which leads to
-AVC denial messages in /var/log/audit/audit.log when used from an
-Apache CGI script. While the module still works, the audit log would
-grow quickly. Instead of writing an SELinux policy module to allow or
-to silently ignore these accesses, the swift-auth script uses the
-"random" module for generating token strings.
-
-Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides
-method to list the locally defined user groups. To include groups from
-Red Hat Enterprise Linux Identity Management and in the future from
-Active Directory, the "id" command is run in a subprocess.
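Review bot: This is the only design write-up of the kerbauth flow in the tree (auth-URL redirect to an Apache CGI, token and groups cached in a memcache ring shared with the proxy, admin rights derived from `auth_reseller_admin` / `auth_<account>` group membership), so deleting it only makes sense because the filter itself goes in d66c14c; if the design is ever revived, two details recorded here should be revisited rather than copied: token strings were generated with the `random` module, a choice the text justifies purely by SELinux audit-log noise from `uuid`, and token validity rests entirely on entries in that shared memcache ring, which therefore sits inside the trust boundary of the auth system.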
diff --git a/doc/markdown/swiftkerbauth/ipa_client.md b/doc/markdown/swiftkerbauth/ipa_client.md
deleted file mode 100644
index f6afc42..0000000
--- a/doc/markdown/swiftkerbauth/ipa_client.md
+++ /dev/null
@@ -1,80 +0,0 @@
-#IPA Client Guide
-
-##Contents
-* [Setup Overview] (#setup)
-* [Configure Network] (#network)
-* [Installing IPA Client] (#ipa-client)
-
-<a name="setup" />
-##Setup Overview
-We have used a F18 box as IPA client machine and used FreeIPA client.
-This document borrows instructions from the following more detailed guide.
-[RHEL 6 Identity Management Guide][]
-
-
-<a name="network" />
-## Configure network
-
-Set hostname (FQDN) to client.rhelbox.com
-> hostnamectl set-hostname "client.rhelbox.com"
->
-> hostname "client.rhelbox.com"
-
-Add following to /etc/sysconfig/network:
-
- HOSTNAME=client.rhelbox.com
-
-Add the following to /etc/hostname
-
- client.rhelbox.com
-
-Add the following to /etc/hosts
-
- 192.168.56.110 server.rhelbox.com server
- 192.168.56.101 client.rhelbox.com client
-
-Logout and login again and verify hostname :
-> hostname --fqdn
-
-Edit */etc/resolv.conf* to add this at beginning of file
-
- nameserver 192.168.56.110
-
-Warning: NetworkManager changes resolv.conf on restart
-
-Turn off firewall
-> service iptables stop
->
-> chkconfig iptables off
-
-<a name="ipa-client" />
-## Installing IPA Client
-
-Install IPA client packages:
-
-For RHEL:
-> yum install ipa-client ipa-admintools
-
-For Fedora:
-> yum install freeipa-client freeipa-admintools
-
-Install IPA client and add to domain:
->ipa-client-install --enable-dns-updates
-
- Discovery was successful!
- Hostname: client.rhelbox.com
- Realm: RHELBOX.COM
- DNS Domain: rhelbox.com
- IPA Server: server.rhelbox.com
- BaseDN: dc=rhelbox,dc=com
-
- Continue to configure the system with these values? [no]: yes
- User authorized to enroll computers: admin
-
-Check if client is configured correctly:
-> kinit admin
->
-> getent passwd admin
-
-
-[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
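Review bot: Nothing to object to; the `[RHEL 6 Identity Management Guide]` reference-style link at the bottom is also defined in ipa_server.md, which this patch deletes too, so no dangling reference survives. For the record, the removed steps disable the firewall outright (`service iptables stop`, `chkconfig iptables off`) instead of opening the required ports, one more reason not to carry the guide forward verbatim.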
diff --git a/doc/markdown/swiftkerbauth/ipa_server.md b/doc/markdown/swiftkerbauth/ipa_server.md
deleted file mode 100644
index 55e654e..0000000
--- a/doc/markdown/swiftkerbauth/ipa_server.md
+++ /dev/null
@@ -1,146 +0,0 @@
-#IPA Server Guide
-
-##Contents
-* [Setup Overview] (#setup)
-* [Configure Network] (#network)
-* [Installing IPA Server] (#ipa-server)
-* [Configuring DNS] (#dns)
-* [Adding Users and Groups] (#users-groups)
-
-
-<a name="setup" />
-##Setup Overview
-We have used a RHEL 6.4 box as IPA and DNS server. This document borrows
-instructions from the following more detailed guide.
-[RHEL 6 Identity Management Guide][]
-
-
-<a name="network" />
-## Configure network
-
-Change hostname (FQDN) to server.rhelbox.com
-> hostname "server.rhelbox.com"
-
-Add following to */etc/sysconfig/network* file
-
- HOSTNAME=server.rhelbox.com
-
-Add the following to */etc/hosts* file
-
- 192.168.56.110 server.rhelbox.com server
- 192.168.56.101 client.rhelbox.com client
-
-Logout and login again and verify new hostname
-> hostname --fqdn
-
-Turn off firewall
-> service iptables stop
->
-> chkconfig iptables off
-
-
-<a name="ipa-server" />
-## Installing IPA Server
-
-Install IPA server packages and DNS dependencies
-> yum install ipa-server bind bind-dyndb-ldap
-
-Run the following interactive setup to install IPA server with DNS
-> ipa-server-install --setup-dns
-
- The IPA Master Server will be configured with:
- Hostname: server.rhelbox.com
- IP address: 192.168.56.110
- Domain name: rhelbox.com
- Realm name: RHELBOX.COM
-
- BIND DNS server will be configured to serve IPA domain with:
- Forwarders: No forwarders
- Reverse zone: 56.168.192.in-addr.arpa.
-
-The installation may take some time.
-
-Check if IPA is installed correctly :
-> kinit admin
->
-> ipa user-find admin
-
-
-<a name="dns" />
-## Configuring DNS
-
-Edit */etc/resolv.conf* to add this at beginning of file :
-
- nameserver 192.168.56.110
-
-Warning: NetworkManager changes resolv.conf on restart
-
-Add a DNS A record and PTR record for the client under rhelbox.com zone
-> ipa dnsrecord-add rhelbox.com client --a-rec=192.168.56.101 --a-create-reverse
-
-Check if DNS resolution is working by running :
-
-> dig server.rhelbox.com
-
- ;; ANSWER SECTION:
- server.rhelbox.com. 1200 IN A 192.168.56.110
-
-> dig client.rhelbox.com
-
- ;; ANSWER SECTION:
- client.rhelbox.com. 86400 IN A 192.168.56.101
-
-Check if reverse resolution works :
-
-> dig -t ptr 101.56.168.192.in-addr.arpa.
-
- ;; ANSWER SECTION:
- 101.56.168.192.in-addr.arpa. 86400 IN PTR client.rhelbox.com.
-
-
-> dig -t ptr 110.56.168.192.in-addr.arpa.
-
- ;; ANSWER SECTION:
- 110.56.168.192.in-addr.arpa. 86400 IN PTR server.rhelbox.com.
-
-
-<a name="users-groups" />
-## Adding users and groups
-
-The following convention is to be followed in creating group names:
-
- <reseller-prefix>\_<volume-name>
-
- <reseller-prefix>\_<account-name>
-
-As of now, account=volume=group
-
-For example:
-
- AUTH\_test
-
-Create *auth_reseller_admin* user group
-> ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts"
-
-Create *auth_rhs_test* user group
-> ipa group-add auth_rhs_test --desc="Full access to rhs_test account"
-
-Create user *auth_admin* user as member of *auth_reseller_admin* user group
-> ipa user-add auth_admin --first=Auth --last=Admin --password
->
-> ipa group-add-member auth_reseller_admin --users=auth_admin
-
-Create user *rhs_test_admin* as member of *auth_rhs_test* user group
-> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
->
-> ipa group-add-member auth_rhs_test --users=rhs_test_admin
-
-Create user *jsmith* with no relevant group membership
-> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
-
-You can verify users have been added by running
->ipa user-find admin
-
-NOTE: Every user has to change password on first login.
-
-[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
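Review bot: Deleting this also removes a copy-paste error that would have misled anyone following it: the step headed "Create user *jsmith* with no relevant group membership" runs `ipa user-add rhs_test_admin --first=RHS --last=Admin --password` a second time, so jsmith was never created. As in ipa_client.md, the network section turns iptables off rather than opening ports.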
diff --git a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
deleted file mode 100644
index 5da1827..0000000
--- a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
+++ /dev/null
@@ -1,517 +0,0 @@
-#swiftkerbauth
-
-* [Installing Kerberos module for Apache] (#httpd-kerb-install)
-* [Creating HTTP Service Principal] (#http-principal)
-* [Installing and configuring swiftkerbauth] (#install-swiftkerbauth)
-* [Using swiftkerbauth] (#use-swiftkerbauth)
-* [Configurable Parameters] (#config-swiftkerbauth)
-* [Functional tests] (#swfunctest)
-
-<a name="httpd-kerb-install" />
-## Installing Kerberos module for Apache on IPA client
-
-Install httpd server with kerberos module:
-> yum install httpd mod_auth_kerb
->
-> service httpd restart
-
-Check if auth_kerb_module is loaded :
-> httpd -M | grep kerb
-
-Change httpd log level to debug by adding/changing the following in
-*/etc/httpd/conf/httpd.conf* file
-
- LogLevel debug
-
-httpd logs are at */var/log/httpd/error_log* for troubleshooting
-
-If SELinux is enabled, allow Apache to connect to memcache and
-activate the changes by running
->setsebool -P httpd_can_network_connect 1
->
->setsebool -P httpd_can_network_memcache 1
-
-*****
-
-<a name="http-principal" />
-## Creating HTTP Service Principal on IPA server
-
-Add a HTTP Kerberos service principal :
-> ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM
-
-Retrieve the HTTP service principal to a keytab file:
-> ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab
-
-Copy keytab file to client:
-> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab
-
-## Creating HTTP Service Principal on Windows AD server
-
-Add a HTTP Kerberos service principal:
-> c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser
-> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC
-> -kvno 0
-
-Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
-
-*****
-
-<a name="install-swiftkerbauth" />
-##Installing and configuring swiftkerbauth on IPA client
-
-Prerequisites for installing swiftkerbauth
-* swift (havana)
-* gluster-swift (optional)
-
-You can install swiftkerbauth using one of these three ways:
-
-Installing swiftkerbauth from source:
-> python setup.py install
-
-Installing swiftkerbauth using pip:
-> pip install swiftkerbauth
-
-Installing swiftkerbauth from RPMs:
-> ./makerpm.sh
->
-> rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm
-
-Edit */etc/httpd/conf.d/swift-auth.conf* and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly.
-More detail on configuring kerberos for apache can be found at:
-[auth_kerb_module Configuration][]
-
-Make /etc/httpd/conf/http.keytab readable by any user :
-> chmod 644 /etc/httpd/conf/http.keytab
-
-And preferably change owner of keytab file to apache :
-> chown apache:apache /etc/httpd/conf/http.keytab
-
-Reload httpd
-> service httpd reload
-
-Make authentication script executable:
-> chmod +x /var/www/cgi-bin/swift-auth
-
-*****
-
-<a name="#use-swiftkerbauth" />
-##Using swiftkerbauth
-
-### Adding kerbauth filter in swift pipeline
-
-Edit */etc/swift/proxy-server.conf* and add a new filter section as follows:
-
- [filter:kerbauth]
- use = egg:swiftkerbauth#kerbauth
- ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
- auth_mode=passive
-
-Add kerbauth to pipeline
-
- [pipeline:main]
- pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server
-
-If the Swift server is not one of your Gluster nodes, edit
-*/etc/swift/fs.conf* and change the following lines in the DEFAULT
-section:
-
- mount_ip = RHS_NODE_HOSTNAME
- remote_cluster = yes
-
-Restart swift to activate kerbauth filer
-> swift-init main restart
-
-
-###Examples
-
-####Authenticate user and get Kerberos ticket
-
-> kinit auth_admin
-
-NOTE: curl ignores user specified in -u option. All further curl commands
-will use the currently authenticated auth_admin user.
-
-####Get an authentication token:
-> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > GET /auth/v1.0 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- >
- < HTTP/1.1 303 See Other
- < Content-Type: text/html; charset=UTF-8
- < Location: http://client.rhelbox.com/cgi-bin/swift-auth
- < Content-Length: 0
- < X-Trans-Id: txecd415aae89b4320b6145-0052417ea5
- < Date: Tue, 24 Sep 2013 11:59:33 GMT
- <
- * Connection #0 to host client.rhelbox.com left intact
- * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
- * About to connect() to client.rhelbox.com port 80 (#1)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
- > GET /cgi-bin/swift-auth HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com
- > Accept: */*
- >
- < HTTP/1.1 401 Unauthorized
- < Date: Tue, 24 Sep 2013 11:59:33 GMT
- < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
- < WWW-Authenticate: Negotiate
- < WWW-Authenticate: Basic realm="Swift Authentication"
- < Content-Length: 381
- < Content-Type: text/html; charset=iso-8859-1
- <
- * Ignoring the response-body
- * Connection #1 to host client.rhelbox.com left intact
- * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
- * Re-using existing connection! (#1) with host (nil)
- * Connected to (nil) (192.168.56.101) port 80 (#1)
- * Server auth using GSS-Negotiate with user ''
- > GET /cgi-bin/swift-auth HTTP/1.1
- > Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4=
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com
- > Accept: */*
- >
- < HTTP/1.1 200 OK
- < Date: Tue, 24 Sep 2013 11:59:33 GMT
- < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
- < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y
- < X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
- < X-Debug-Remote-User: auth_admin
- < X-Debug-Groups: auth_admin,auth_reseller_admin
- < X-Debug-Token-Life: 86400s
- < X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013
- < Content-Length: 0
- < Content-Type: text/html; charset=UTF-8
- <
- * Connection #1 to host (nil) left intact
- * Closing connection #0
- * Closing connection #1
-
-The header *X-Auth-Token* in response contains the token *AUTH_tk083b8abc92f4a514f34224a181ed568a*.
-
-####PUT a container
->curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > PUT /v1/AUTH_myvolume/c1 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
- >
- < HTTP/1.1 201 Created
- < Content-Length: 0
- < Content-Type: text/html; charset=UTF-8
- < X-Trans-Id: txc420b0ebf9714445900e8-0052418863
- < Date: Tue, 24 Sep 2013 12:41:07 GMT
- <
- * Connection #0 to host client.rhelbox.com left intact
- * Closing connection #0
-
-####GET a container listing
-> curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > GET /v1/AUTH_myvolume HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
- >
- < HTTP/1.1 200 OK
- < Content-Length: 3
- < X-Account-Container-Count: 0
- < Accept-Ranges: bytes
- < X-Account-Object-Count: 0
- < X-Bytes-Used: 0
- < X-Timestamp: 1379997117.09468
- < X-Object-Count: 0
- < X-Account-Bytes-Used: 0
- < X-Type: Account
- < Content-Type: text/plain; charset=utf-8
- < X-Container-Count: 0
- < X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc
- < Date: Tue, 24 Sep 2013 12:43:08 GMT
- <
- c1
- * Connection #0 to host client.rhelbox.com left intact
- * Closing connection #0
-
-####PUT an object in container
-> curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world'
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
- > Content-Length: 11
- > Content-Type: application/x-www-form-urlencoded
- >
- * upload completely sent off: 11 out of 11 bytes
- < HTTP/1.1 201 Created
- < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
- < Content-Length: 0
- < Etag: 3e25960a79dbc69b674cd4ec67a72c62
- < Content-Type: text/html; charset=UTF-8
- < X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0
- < Date: Wed, 25 Sep 2013 06:08:01 GMT
- <
- * Connection #0 to host client.rhelbox.com left intact
- * Closing connection #0
-
-####Give permission to jsmith to list and download objects from c1 container
-> curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > POST /v1/AUTH_myvolume/c1 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
- > X-Container-Read: jsmith
- >
- < HTTP/1.1 204 No Content
- < Content-Length: 0
- < Content-Type: text/html; charset=UTF-8
- < X-Trans-Id: txcedea3e2557d463eb591d-0052427f60
- < Date: Wed, 25 Sep 2013 06:14:56 GMT
- <
- * Connection #0 to host client.rhelbox.com left intact
- * Closing connection #0
-
-####Access container as jsmith
-
-> kinit jsmith
-
-Get token for jsmith
-> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > GET /auth/v1.0 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- >
- < HTTP/1.1 303 See Other
- < Content-Type: text/html; charset=UTF-8
- < Location: http://client.rhelbox.com/cgi-bin/swift-auth
- < Content-Length: 0
- < X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b
- < Date: Wed, 25 Sep 2013 06:17:47 GMT
- <
- * Connection #0 to host client.rhelbox.com left intact
- * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
- * About to connect() to client.rhelbox.com port 80 (#1)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
- > GET /cgi-bin/swift-auth HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com
- > Accept: */*
- >
- < HTTP/1.1 401 Unauthorized
- < Date: Wed, 25 Sep 2013 06:17:47 GMT
- < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
- < WWW-Authenticate: Negotiate
- < WWW-Authenticate: Basic realm="Swift Authentication"
- < Content-Length: 381
- < Content-Type: text/html; charset=iso-8859-1
- <
- * Ignoring the response-body
- * Connection #1 to host client.rhelbox.com left intact
- * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
- * Re-using existing connection! (#1) with host (nil)
- * Connected to (nil) (192.168.56.101) port 80 (#1)
- * Server auth using GSS-Negotiate with user ''
- > GET /cgi-bin/swift-auth HTTP/1.1
- > Authorization: Negotiate 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
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com
- > Accept: */*
- >
- < HTTP/1.1 200 OK
- < Date: Wed, 25 Sep 2013 06:17:47 GMT
- < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
- < WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8=
- < X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
- < X-Debug-Remote-User: jsmith
- < X-Debug-Groups: jsmith
- < X-Debug-Token-Life: 86400s
- < X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013
- < Content-Length: 0
- < Content-Type: text/html; charset=UTF-8
- <
- * Connection #1 to host (nil) left intact
- * Closing connection #0
- * Closing connection #1
-
-List the container using authentication token for jsmith:
-> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > GET /v1/AUTH_myvolume/c1 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
- >
- < HTTP/1.1 200 OK
- < Content-Length: 8
- < X-Container-Object-Count: 0
- < Accept-Ranges: bytes
- < X-Timestamp: 1
- < X-Container-Bytes-Used: 0
- < Content-Type: text/plain; charset=utf-8
- < X-Trans-Id: tx575215929c654d9f9f284-00524280a4
- < Date: Wed, 25 Sep 2013 06:20:20 GMT
- <
- object1
- * Connection #0 to host client.rhelbox.com left intact
- * Closing connection #0
-
-Downloading the object as jsmith:
-> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1
-
- * About to connect() to client.rhelbox.com port 8080 (#0)
- * Trying 192.168.56.101...
- * connected
- * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
- > GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1
- > User-Agent: curl/7.27.0
- > Host: client.rhelbox.com:8080
- > Accept: */*
- > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
- >
- < HTTP/1.1 200 OK
- < Content-Length: 11
- < Accept-Ranges: bytes
- < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
- < Etag: 3e25960a79dbc69b674cd4ec67a72c62
- < X-Timestamp: 1380089280.98829
- < Content-Type: application/x-www-form-urlencoded
- < X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa
- < Date: Wed, 25 Sep 2013 06:24:42 GMT
- <
- * Connection #0 to host client.rhelbox.com left intact
- Hello world* Closing connection #0
-
-For curl to follow the redirect, you need to specify additional
-options. With these, and with a current Kerberos ticket, you should
-get the Kerberos user's cached authentication token, or a new one if
-the previous token has expired.
-
-> curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1
-
-The --negotiate option is for curl to perform Kerberos authentication and
---location-trusted is for curl to follow the redirect.
-
-[auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html
-
-
-#### Get an authentication token when auth_mode=passive:
-> curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0
-
-**NOTE**: X-Storage-Url response header can be returned only in passive mode.
-
-<a name="config-swiftkerbauth" />
-##Configurable Parameters
-
-The kerbauth filter section in **/etc/swift/proxy-server.conf** looks something
-like this:
-
- [filter:kerbauth]
- use = egg:swiftkerbauth#kerbauth
- ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
- auth_method = active
- token_life = 86400
- debug_headers = yes
- realm_name = RHELBOX.COM
-
-Of all the options listed above, specifying **ext\_authentication\_url** is
-mandatory. The rest of the options are optional and have default values.
-
-#### ext\_authentication\_url
-A URL specifying location of the swift-auth CGI script. Avoid using IP address.
-Default value: None
-
-#### token_life
-After how many seconds the cached information about an authentication token is
-discarded.
-Default value: 86400
-
-#### debug_headers
-When turned on, the response headers sent to the user will contain additional
-debug information apart from the auth token.
-Default value: yes
-
-#### auth_method
-Set this to **"active"** when you want to allow access **only to clients
-residing inside the domain**. In this mode, authentication is performed by
-mod\_auth\_kerb using the Kerberos ticket bundled with the client request.
-No username and password have to be specified to get a token.
-Set this to **"passive"** when you want to allow access to clients residing
-outside the domain. In this mode, authentication is performed by gleaning
-username and password from request headers (X-Auth-User and X-Auth-Key) and
-running kinit command against it.
-Default value: passive
-
-#### realm_name
-This is applicable only when the auth_method=passive. This option specifies
-realm name if storage server belongs to more than one realm and realm name is not
-part of the username specified in X-Auth-User header.
-
-<a name="swfunctest" />
-##Functional tests for SwiftkerbAuth
-
-Functional tests to be run on the storage node after SwiftKerbAuth is setup using
-either IPA server or Windows AD. The gluster-swift/doc/markdown/swiftkerbauth
-directory contains the SwiftkerbAuth setup documents. There are two modes of
-working with SwiftKerbAuth. 'PASSIVE' mode indicates the client is outside the
-domain configured using SwiftKerbAuth. Client provides the 'Username' and
-'Password' while invoking a command. SwiftKerbAuth auth filter code then
-would get the ticket granting ticket from AD server or IPA server.
-In 'ACTIVE' mode of SwiftKerbAuth, User is already logged into storage node using
-its kerberos credentials. That user is authenticated across AD/IPA server.
-
-In PASSIVE mode all the generic functional tests are run. ACTIVE mode has a
-different way of acquiring Ticket Granting Ticket. And hence the different
-framework of functional tests there.
-
-The accounts, users, passwords must be prepared on AD/IPA server as per
-mentioned in test/functional_auth/swiftkerbauth/conf/test.conf
-
-Command to invoke SwiftKerbAuth functional tests is
-> $tox -e swfunctest
-
-This would run both ACTIVE and PASSIVE mode functional test cases.
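Review bot: Check that the `swfunctest` tox environment, the `test/functional_auth/swiftkerbauth/conf/test.conf` file and the `gluster-swift/doc/markdown/swiftkerbauth` directory named in the last paragraphs of the removed text are deleted in this same commit, otherwise `tox -e swfunctest` and those paths become dangling references once the doc section is gone. The removed block also defines the in-page anchors `config-swiftkerbauth` and `swfunctest`; any remaining README or doc links pointing at `#config-swiftkerbauth` or `#swfunctest` should be dropped as well. Removing this section is also a good outcome in itself, since the passive-mode example carried a literal credential (`X-Auth-Key: Redhat*123`) and realistic-looking `X-Auth-Token` values that should not have been sitting in committed documentation.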