diff options
Diffstat (limited to 'doc/markdown/swiftkerbauth')
-rw-r--r-- | doc/markdown/swiftkerbauth/AD_client.md | 206 | ||||
-rw-r--r-- | doc/markdown/swiftkerbauth/AD_server.md | 119 | ||||
-rw-r--r-- | doc/markdown/swiftkerbauth/architecture.md | 105 | ||||
-rw-r--r-- | doc/markdown/swiftkerbauth/ipa_client.md | 80 | ||||
-rw-r--r-- | doc/markdown/swiftkerbauth/ipa_server.md | 146 | ||||
-rw-r--r-- | doc/markdown/swiftkerbauth/swiftkerbauth_guide.md | 517 |
6 files changed, 0 insertions, 1173 deletions
diff --git a/doc/markdown/swiftkerbauth/AD_client.md b/doc/markdown/swiftkerbauth/AD_client.md deleted file mode 100644 index 0947a1e..0000000 --- a/doc/markdown/swiftkerbauth/AD_client.md +++ /dev/null @@ -1,206 +0,0 @@ -#AD client setup guide - -###Contents -* [Setup Overview] (#setup) -* [Configure Network] (#network) -* [Installing AD Client] (#AD-client) - -<a name="setup" /> -###Setup Overview - -This guide talks about adding fedora linux client to windows domain. -The test setup included a client machine with Fedora 19 installed -on it with all the latest packages updated. The crux is to add this linux -machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth, -apachekerbauth code would run. - -Set hostname (FQDN) to fcclient.winad.com - - # hostnamectl set-hostname "fcclient.winad.com" - - # hostname "fcclient.winad.com" - - -<a name="network" /> -### Configure client - -* Deploy Fedora linux 19. - -* Update the system with latest packages. - -* Configure SELinux security parameters. - -* Install & configure samba - -* Configure DNS - -* Synchronize the time services - -* Join Domain - -* Install / Configure Kerberos Client - - -The document assumes the installing Fedora Linux and configuring SELinux -parameters to 'permissive' is known already. - -###Install & Configure Samba: - # yum -y install samba samba-client samba-common samba-winbind - samba-winbind-clients - - # service start smb - - # ps -aef | grep smb - # chkconfig smb on - -###Synchronize time services -The kerberos authentication and most of the DNS functionality could fail with -clock skew if times are not synchronized. - - # cat /etc/ntp.conf - server ns1.bos.redhat.com - server 10.5.26.10 - - # service ntpd stop - - # ntpdate 10.16.255.2 - - # service ntpd start - - #chkconfig ntpd on - -Check if Windows server in the whole environment is also time synchronized with -same source. - - # C:\Users\Administrator>w32tm /query /status | find "Source" - - Source: ns1.xxx.xxx.com - -###Configure DNS on client -Improperly resolved hostname is the leading cause in authentication failures. -Best practice is to configure fedora client to use Windows DNS. -'nameserver' below is the IP address of the windows server. - # cat /etc/resolve.conf - domain server.winad.com - search server.winad.com - nameserver 10.nn.nnn.3 - -###Set the hostname of the client properly (FQDN) - # cat /etc/sysconfig/network - HOSTNAME=fcclient.winad.com - - -###Install & Configure kerberos client - - # yum -y install krb5-workstation - -Edit the /etc/krb5.conf as follows: - - # cat /etc/krb5.conf - [logging] - default = FILE:/var/log/krb5libs.log - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmind.log - - [libdefaults] - default_realm = WINAD.COM - dns_lookup_realm = false - dns_lookup_kdc = false - ticket_lifetime = 24h - renew_lifetime = 7d - forwardable = true - - [realms] - WINAD.COM = { - kdc = server.winad.com - admin_server = server.winad.com - } - [domain_realm] - .demo = server.winad.com - demo = server.winad.com - -###Join Domain -Fire command 'system-config-authentication' on client. This should display a -graphical wizard. Below inputs would help configure this wizard. - - - User account data base = winbind - - winbind domain = winad - - security model = ads - - winbind ads realm = winad.com - - winbind controller = server.winad.com - - template shell = /bin/bash - - let the other options be as is to default. - - Perform Join domain and appy settings and quit. Please note this join should - not see any errors. This makes the client fedora box to join the windows - domain. - -###Configure the kerberos client -This would bring the users/groups from Windows Active directory to this -fedora client. - -Edit /etc/samba/smb.conf file to have below parameters in the global section. - - # cat /etc/samba/smb.conf - [global] - workgroup = winad - realm = winad.com - server string = Samba Server Version %v - security = ADS - allow trusted domains = No - password server = server.winad.com - log file = /var/log/samba/log.%m - max log size = 50 - idmap uid = 1000019999 - idmap gid = 1000019999 - template shell = /bin/bash - winbind separator = + - winbind use default domain = Yes - idmap config REFARCHAD:range = 1000000019999999 - idmap config REFARCHAD:backend = rid - cups options = raw - - - # service smb stop - - # service winbind stop - - # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba - - # ls -la /var/tmp/samba-cache-backup.tar - - # rm -f /var/lib/samba/* - - -Verify that no kerberos ticket available and cached. - - # kdestroy - - # klist - -Rejoin the domain. - - # net join -S server -U Administrstor - -Test that client rejoined the domain. - - # net ads info - -Restart smb and winbind service. - - # wbinfo --domain-users - -Perform kinit for the domain users prepared on active directory. This is obtain -the kerberos ticket for user 'auth_admin' - - # kinit auth_admin - - # id -Gn auth_admin - -###Notes -Obtaining the HTTP service principal & keytab file and installing it with -swiftkerbauth is added to swiftkerbauth_guide - -###References -Reference Document for adding Linux box to windows domain : -Integrating Red Hat Enterprise Linux 6 -with Active Directory diff --git a/doc/markdown/swiftkerbauth/AD_server.md b/doc/markdown/swiftkerbauth/AD_server.md deleted file mode 100644 index 66d90f2..0000000 --- a/doc/markdown/swiftkerbauth/AD_server.md +++ /dev/null @@ -1,119 +0,0 @@ -#Windows Active Directory & Domain Controller Server Guide - -###Contents -* [Setup Overview] (#Setup) -* [Installing Active Directory Services] (#AD-server) -* [Configuring DNS] (#DNS) -* [Adding Users and Groups] (#users-groups) - - -<a name="Setup" /> -###Setup Overview - -The setup includes a server machine installed with Windows 2008 R2 Server, with -Domain Controller, Active Directory services & DNS server installed alongwith. -The steps to install windows operating system and above servers can be found -on MicroSoft Documentation. This windows Active Directory server would act as an -authentication server in the whole setup. This would provide the access control -and permissions for users on certain data objects. - - -Windows 2008 R2 deployment: - -http://technet.microsoft.com/en-us/library/dd283085.aspx - - -Configuring Active Directory, Domain Services, DNS server: - -http://technet.microsoft.com/en-us/library/cc770946.aspx - - -<a name="AD-server" /> -###Installing AD Server - -Administrators need to follow simple instructions in Server Manager on Windows -2008, and should add Active Directory Domain Services & DNS server. It is -recommended to use static IP for DNS server. Preferred Hostname(FQDN) for -Windows server could be of format hostname 'server.winad.com' where -'winad.com' is a domain name. - -Following tips would help prepare a test setup neatly. - - - Select Active Directory Domain services wizard in Server Manager - - Move on to install it with all the pre-requisits, e.g. .NET framework etc. - - Configure Active directory after installtion via exapanding the 'Roles' - section in the server manager. - - Create a new Domain in the New Forest. - - Type the FQDN, winad.com - - Set Forest functional level Windows 2008 R2. - - Selct additional options for this domain controller as DNS server. - - Leave the log locations to default provided by wizard. - - Set the Administrator Password carefully. - - Thats it. You are done configuring active directory. - - -<a name="dns" /> -###Configuring DNS - -This section explains configuring the DNS server installed on Windows 2008 R2 -server. You must know know about - - - Forward lookup zone - - - Reverse lookup zone - - - Zone type - -A forward lookup zone is simply a way to resolve hostnames to IP address. -A reverse lookup zone is to lookup DNS hostname of the host IP. - -Following tips would help configure the Zones on DNS server. - - - Create a Forward lookup zone. - - Create it a primary zone. - - Add the Clients using their ip addresses and FQDN to this forward lookup - zones. - - This would add type 'A' record for that host on DNS server. - - Similarly create a Reverser lookup zone. - - Add clients 'PTR' record to this zone via browsing through the forward - zones clients. - -The above setup can be tested on client once it joins the domain using 'dig' -command as mentioned below. - - -On client: - - # dig fcclient.winad.com - This should yield you a Answer section mentioning its IP address. - - Reverse lookup can be tested using - - # 'dig -t ptr 101.56.168.192.in-addr.arpa.' - The answer section should state the FQDN of the client. - - Repeat the above steps on client for Windows AD server as well. - - -<a name="users-groups" /> -###Adding users and groups - -The following convention is to be followed in creating group names: - - <reseller-prefix>\_<volume-name> - - <reseller-prefix>\_<account-name> - -As of now, account=volume=group - -For example: - - AUTH\_test - -Adding groups and users to the Windows domain is easy task. - - - Start -> Administrative Tools -> Active Directory Users & Computers - - Expand the domain name which was prepared earlier. e.g winad.com - - Add groups with appropreate access rights. - - Add users to the group with appropreate permissions. - - Make sure you set password for users prepared on AD server. diff --git a/doc/markdown/swiftkerbauth/architecture.md b/doc/markdown/swiftkerbauth/architecture.md deleted file mode 100644 index fc6d764..0000000 --- a/doc/markdown/swiftkerbauth/architecture.md +++ /dev/null @@ -1,105 +0,0 @@ -# Architecture - -The Swift API is HTTP-based. As described in the Swift documentation -[1], clients first make a request to an authentication URL, providing -a username and password. The reply contains a token which is used in -all subsequent requests. - -Swift has a chain of filters through which all client requests go. The -filters to use are configured with the pipeline parameter in -/etc/swift/proxy-server.conf: - - [pipeline:main] - pipeline = healthcheck cache tempauth proxy-server - -For the single sign authentication, we added a new filter called -"kerbauth" and put it into the filter pipeline in place of tempauth. - -The filter checks the URL for each client request. If it matches the -authentication URL, the client is redirected to a URL on a different -server (on the same machine). The URL is handled by a CGI script, which -is set up to authenticate the client with Kerberos negotiation, retrieve -the user's system groups [2], store them in a memcache ring shared with -the Swift server, and return the authentication token to the client. - -When the client provides the token as part of a resource request, the -kerbauth filter checks it against its memcache, grants administrator -rights based on the group membership retrieved from memcache, and -either grants or denies the resource access. - -[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html - -[2] The user data and system groups are usually provided by Red Hat - Enterprise Linux identity Management or Microsoft Active - Directory. The script relies on the system configuration to be set - accordingly (/etc/nsswitch.conf). - -***** - -## kerbauth.py - -The script kerbauth.py began as a copy of the tempauth.py script from -from tempauth middleware. It contains the following modifications, among -others: - -In the __init__ method, we read the ext_authentication_url parameter -from /etc/swift/proxy-server.conf. This is the URL that clients are -redirected to when they access either the Swift authentication URL, or -when they request a resource without a valid authentication token. - -The configuration in proxy-server.conf looks like this: - - [filter:kerbauth] - use = egg:swiftkerbauth#kerbauth - ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth - -The authorize method was changed so that global administrator rights -are granted if the user is a member of the auth_reseller_admin -group. Administrator rights for a specific account like vol1 are -granted if the user is a member of the auth_vol1 group. [3] - -The denied_response method was changed to return a HTTP redirect to -the external authentication URL if no valid token was provided by the -client. - -Most of the handle_get_token method was moved to the external -authentication script. This method now returns a HTTP redirect. - -In the __call__ and get_groups method, we removed support for the -HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is -used. - -Like tempauth.py, kerbauth.py uses a Swift wrapper to access -memcache. This wrapper converts the key to an MD5 hash and uses the -hash value to determine on which of a pre-defined list of servers to -store the data. - -[3] "auth" is the default reseller prefix, and would be different if - the reseller_prefix parameter in proxy-server.conf was set. - -## swift-auth CGI script - -swift-auth resides on an Apache server and assumes that Apache is -configured to authenticate the user before this script is -executed. The script retrieves the username from the REMOTE_USER -environment variable, and checks if there already is a token for this -user in the memcache ring. If not, it generates a new one, retrieves -the user's system groups with "id -Gn USERNAME", stores this -information in the memcache ring, and returns the token to the client. - -To allow the CGI script to connect to memcache, the SELinux booleans -httpd_can_network_connect and httpd_can_network_memcache had to be -set. - -The tempauth filter uses the uuid module to generate token -strings. This module creates and runs temporary files, which leads to -AVC denial messages in /var/log/audit/audit.log when used from an -Apache CGI script. While the module still works, the audit log would -grow quickly. Instead of writing an SELinux policy module to allow or -to silently ignore these accesses, the swift-auth script uses the -"random" module for generating token strings. - -Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides -method to list the locally defined user groups. To include groups from -Red Hat Enterprise Linux Identity Management and in the future from -Active Directory, the "id" command is run in a subprocess. diff --git a/doc/markdown/swiftkerbauth/ipa_client.md b/doc/markdown/swiftkerbauth/ipa_client.md deleted file mode 100644 index f6afc42..0000000 --- a/doc/markdown/swiftkerbauth/ipa_client.md +++ /dev/null @@ -1,80 +0,0 @@ -#IPA Client Guide - -##Contents -* [Setup Overview] (#setup) -* [Configure Network] (#network) -* [Installing IPA Client] (#ipa-client) - -<a name="setup" /> -##Setup Overview -We have used a F18 box as IPA client machine and used FreeIPA client. -This document borrows instructions from the following more detailed guide. -[RHEL 6 Identity Management Guide][] - - -<a name="network" /> -## Configure network - -Set hostname (FQDN) to client.rhelbox.com -> hostnamectl set-hostname "client.rhelbox.com" -> -> hostname "client.rhelbox.com" - -Add following to /etc/sysconfig/network: - - HOSTNAME=client.rhelbox.com - -Add the following to /etc/hostname - - client.rhelbox.com - -Add the following to /etc/hosts - - 192.168.56.110 server.rhelbox.com server - 192.168.56.101 client.rhelbox.com client - -Logout and login again and verify hostname : -> hostname --fqdn - -Edit */etc/resolv.conf* to add this at beginning of file - - nameserver 192.168.56.110 - -Warning: NetworkManager changes resolv.conf on restart - -Turn off firewall -> service iptables stop -> -> chkconfig iptables off - -<a name="ipa-client" /> -## Installing IPA Client - -Install IPA client packages: - -For RHEL: -> yum install ipa-client ipa-admintools - -For Fedora: -> yum install freeipa-client freeipa-admintools - -Install IPA client and add to domain: ->ipa-client-install --enable-dns-updates - - Discovery was successful! - Hostname: client.rhelbox.com - Realm: RHELBOX.COM - DNS Domain: rhelbox.com - IPA Server: server.rhelbox.com - BaseDN: dc=rhelbox,dc=com - - Continue to configure the system with these values? [no]: yes - User authorized to enroll computers: admin - -Check if client is configured correctly: -> kinit admin -> -> getent passwd admin - - -[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ diff --git a/doc/markdown/swiftkerbauth/ipa_server.md b/doc/markdown/swiftkerbauth/ipa_server.md deleted file mode 100644 index 55e654e..0000000 --- a/doc/markdown/swiftkerbauth/ipa_server.md +++ /dev/null @@ -1,146 +0,0 @@ -#IPA Server Guide - -##Contents -* [Setup Overview] (#setup) -* [Configure Network] (#network) -* [Installing IPA Server] (#ipa-server) -* [Configuring DNS] (#dns) -* [Adding Users and Groups] (#users-groups) - - -<a name="setup" /> -##Setup Overview -We have used a RHEL 6.4 box as IPA and DNS server. This document borrows -instructions from the following more detailed guide. -[RHEL 6 Identity Management Guide][] - - -<a name="network" /> -## Configure network - -Change hostname (FQDN) to server.rhelbox.com -> hostname "server.rhelbox.com" - -Add following to */etc/sysconfig/network* file - - HOSTNAME=server.rhelbox.com - -Add the following to */etc/hosts* file - - 192.168.56.110 server.rhelbox.com server - 192.168.56.101 client.rhelbox.com client - -Logout and login again and verify new hostname -> hostname --fqdn - -Turn off firewall -> service iptables stop -> -> chkconfig iptables off - - -<a name="ipa-server" /> -## Installing IPA Server - -Install IPA server packages and DNS dependencies -> yum install ipa-server bind bind-dyndb-ldap - -Run the following interactive setup to install IPA server with DNS -> ipa-server-install --setup-dns - - The IPA Master Server will be configured with: - Hostname: server.rhelbox.com - IP address: 192.168.56.110 - Domain name: rhelbox.com - Realm name: RHELBOX.COM - - BIND DNS server will be configured to serve IPA domain with: - Forwarders: No forwarders - Reverse zone: 56.168.192.in-addr.arpa. - -The installation may take some time. - -Check if IPA is installed correctly : -> kinit admin -> -> ipa user-find admin - - -<a name="dns" /> -## Configuring DNS - -Edit */etc/resolv.conf* to add this at beginning of file : - - nameserver 192.168.56.110 - -Warning: NetworkManager changes resolv.conf on restart - -Add a DNS A record and PTR record for the client under rhelbox.com zone -> ipa dnsrecord-add rhelbox.com client --a-rec=192.168.56.101 --a-create-reverse - -Check if DNS resolution is working by running : - -> dig server.rhelbox.com - - ;; ANSWER SECTION: - server.rhelbox.com. 1200 IN A 192.168.56.110 - -> dig client.rhelbox.com - - ;; ANSWER SECTION: - client.rhelbox.com. 86400 IN A 192.168.56.101 - -Check if reverse resolution works : - -> dig -t ptr 101.56.168.192.in-addr.arpa. - - ;; ANSWER SECTION: - 101.56.168.192.in-addr.arpa. 86400 IN PTR client.rhelbox.com. - - -> dig -t ptr 110.56.168.192.in-addr.arpa. - - ;; ANSWER SECTION: - 110.56.168.192.in-addr.arpa. 86400 IN PTR server.rhelbox.com. - - -<a name="users-groups" /> -## Adding users and groups - -The following convention is to be followed in creating group names: - - <reseller-prefix>\_<volume-name> - - <reseller-prefix>\_<account-name> - -As of now, account=volume=group - -For example: - - AUTH\_test - -Create *auth_reseller_admin* user group -> ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts" - -Create *auth_rhs_test* user group -> ipa group-add auth_rhs_test --desc="Full access to rhs_test account" - -Create user *auth_admin* user as member of *auth_reseller_admin* user group -> ipa user-add auth_admin --first=Auth --last=Admin --password -> -> ipa group-add-member auth_reseller_admin --users=auth_admin - -Create user *rhs_test_admin* as member of *auth_rhs_test* user group -> ipa user-add rhs_test_admin --first=RHS --last=Admin --password -> -> ipa group-add-member auth_rhs_test --users=rhs_test_admin - -Create user *jsmith* with no relevant group membership -> ipa user-add rhs_test_admin --first=RHS --last=Admin --password - -You can verify users have been added by running ->ipa user-find admin - -NOTE: Every user has to change password on first login. - -[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ diff --git a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md deleted file mode 100644 index 5da1827..0000000 --- a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md +++ /dev/null @@ -1,517 +0,0 @@ -#swiftkerbauth - -* [Installing Kerberos module for Apache] (#httpd-kerb-install) -* [Creating HTTP Service Principal] (#http-principal) -* [Installing and configuring swiftkerbauth] (#install-swiftkerbauth) -* [Using swiftkerbauth] (#use-swiftkerbauth) -* [Configurable Parameters] (#config-swiftkerbauth) -* [Functional tests] (#swfunctest) - -<a name="httpd-kerb-install" /> -## Installing Kerberos module for Apache on IPA client - -Install httpd server with kerberos module: -> yum install httpd mod_auth_kerb -> -> service httpd restart - -Check if auth_kerb_module is loaded : -> httpd -M | grep kerb - -Change httpd log level to debug by adding/changing the following in -*/etc/httpd/conf/httpd.conf* file - - LogLevel debug - -httpd logs are at */var/log/httpd/error_log* for troubleshooting - -If SELinux is enabled, allow Apache to connect to memcache and -activate the changes by running ->setsebool -P httpd_can_network_connect 1 -> ->setsebool -P httpd_can_network_memcache 1 - -***** - -<a name="http-principal" /> -## Creating HTTP Service Principal on IPA server - -Add a HTTP Kerberos service principal : -> ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM - -Retrieve the HTTP service principal to a keytab file: -> ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab - -Copy keytab file to client: -> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab - -## Creating HTTP Service Principal on Windows AD server - -Add a HTTP Kerberos service principal: -> c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser -> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC -> -kvno 0 - -Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab - -***** - -<a name="install-swiftkerbauth" /> -##Installing and configuring swiftkerbauth on IPA client - -Prerequisites for installing swiftkerbauth -* swift (havana) -* gluster-swift (optional) - -You can install swiftkerbauth using one of these three ways: - -Installing swiftkerbauth from source: -> python setup.py install - -Installing swiftkerbauth using pip: -> pip install swiftkerbauth - -Installing swiftkerbauth from RPMs: -> ./makerpm.sh -> -> rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm - -Edit */etc/httpd/conf.d/swift-auth.conf* and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly. -More detail on configuring kerberos for apache can be found at: -[auth_kerb_module Configuration][] - -Make /etc/httpd/conf/http.keytab readable by any user : -> chmod 644 /etc/httpd/conf/http.keytab - -And preferably change owner of keytab file to apache : -> chown apache:apache /etc/httpd/conf/http.keytab - -Reload httpd -> service httpd reload - -Make authentication script executable: -> chmod +x /var/www/cgi-bin/swift-auth - -***** - -<a name="#use-swiftkerbauth" /> -##Using swiftkerbauth - -### Adding kerbauth filter in swift pipeline - -Edit */etc/swift/proxy-server.conf* and add a new filter section as follows: - - [filter:kerbauth] - use = egg:swiftkerbauth#kerbauth - ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth - auth_mode=passive - -Add kerbauth to pipeline - - [pipeline:main] - pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server - -If the Swift server is not one of your Gluster nodes, edit -*/etc/swift/fs.conf* and change the following lines in the DEFAULT -section: - - mount_ip = RHS_NODE_HOSTNAME - remote_cluster = yes - -Restart swift to activate kerbauth filer -> swift-init main restart - - -###Examples - -####Authenticate user and get Kerberos ticket - -> kinit auth_admin - -NOTE: curl ignores user specified in -u option. All further curl commands -will use the currently authenticated auth_admin user. - -####Get an authentication token: -> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /auth/v1.0 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > - < HTTP/1.1 303 See Other - < Content-Type: text/html; charset=UTF-8 - < Location: http://client.rhelbox.com/cgi-bin/swift-auth - < Content-Length: 0 - < X-Trans-Id: txecd415aae89b4320b6145-0052417ea5 - < Date: Tue, 24 Sep 2013 11:59:33 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * About to connect() to client.rhelbox.com port 80 (#1) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1) - > GET /cgi-bin/swift-auth HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 401 Unauthorized - < Date: Tue, 24 Sep 2013 11:59:33 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate - < WWW-Authenticate: Basic realm="Swift Authentication" - < Content-Length: 381 - < Content-Type: text/html; charset=iso-8859-1 - < - * Ignoring the response-body - * Connection #1 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * Re-using existing connection! (#1) with host (nil) - * Connected to (nil) (192.168.56.101) port 80 (#1) - * Server auth using GSS-Negotiate with user '' - > GET /cgi-bin/swift-auth HTTP/1.1 - > Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4= - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 200 OK - < Date: Tue, 24 Sep 2013 11:59:33 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y - < X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - < X-Debug-Remote-User: auth_admin - < X-Debug-Groups: auth_admin,auth_reseller_admin - < X-Debug-Token-Life: 86400s - < X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013 - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < - * Connection #1 to host (nil) left intact - * Closing connection #0 - * Closing connection #1 - -The header *X-Auth-Token* in response contains the token *AUTH_tk083b8abc92f4a514f34224a181ed568a*. - -####PUT a container ->curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > PUT /v1/AUTH_myvolume/c1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > - < HTTP/1.1 201 Created - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < X-Trans-Id: txc420b0ebf9714445900e8-0052418863 - < Date: Tue, 24 Sep 2013 12:41:07 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####GET a container listing -> curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /v1/AUTH_myvolume HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > - < HTTP/1.1 200 OK - < Content-Length: 3 - < X-Account-Container-Count: 0 - < Accept-Ranges: bytes - < X-Account-Object-Count: 0 - < X-Bytes-Used: 0 - < X-Timestamp: 1379997117.09468 - < X-Object-Count: 0 - < X-Account-Bytes-Used: 0 - < X-Type: Account - < Content-Type: text/plain; charset=utf-8 - < X-Container-Count: 0 - < X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc - < Date: Tue, 24 Sep 2013 12:43:08 GMT - < - c1 - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####PUT an object in container -> curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world' - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > Content-Length: 11 - > Content-Type: application/x-www-form-urlencoded - > - * upload completely sent off: 11 out of 11 bytes - < HTTP/1.1 201 Created - < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT - < Content-Length: 0 - < Etag: 3e25960a79dbc69b674cd4ec67a72c62 - < Content-Type: text/html; charset=UTF-8 - < X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0 - < Date: Wed, 25 Sep 2013 06:08:01 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####Give permission to jsmith to list and download objects from c1 container -> curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > POST /v1/AUTH_myvolume/c1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > X-Container-Read: jsmith - > - < HTTP/1.1 204 No Content - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < X-Trans-Id: txcedea3e2557d463eb591d-0052427f60 - < Date: Wed, 25 Sep 2013 06:14:56 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####Access container as jsmith - -> kinit jsmith - -Get token for jsmith -> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /auth/v1.0 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > - < HTTP/1.1 303 See Other - < Content-Type: text/html; charset=UTF-8 - < Location: http://client.rhelbox.com/cgi-bin/swift-auth - < Content-Length: 0 - < X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b - < Date: Wed, 25 Sep 2013 06:17:47 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * About to connect() to client.rhelbox.com port 80 (#1) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1) - > GET /cgi-bin/swift-auth HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 401 Unauthorized - < Date: Wed, 25 Sep 2013 06:17:47 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate - < WWW-Authenticate: Basic realm="Swift Authentication" - < Content-Length: 381 - < Content-Type: text/html; charset=iso-8859-1 - < - * Ignoring the response-body - * Connection #1 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * Re-using existing connection! (#1) with host (nil) - * Connected to (nil) (192.168.56.101) port 80 (#1) - * Server auth using GSS-Negotiate with user '' - > GET /cgi-bin/swift-auth HTTP/1.1 - > Authorization: Negotiate YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFbYYIBVzCCAVOgAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARQwggEQoAMCARKhAwIBAaKCAQIEgf/+3OaXYCSEjcsjU3t3lOLcYG84GBP9Kj9YTHc7yVMlcam4ivCwMqCkzxgvNo2E3a5KSWyFwngeX4b/QFbCKPXA4sfBibZRkeMk5gr2f0MLI3gWEAIYq7bJLre04bnkD2F0MzijPJrOLIx1KmFe08UGWCEmnG2uj07lvIR1RwV/7dMM4J1B+KKvDVKA0LxahwPIpx8oOON2yMGcstrBAHBBk5pmpt1Gg9Lh7xdNPsjP0IfI5Q0zkGCRBKpvpXymP1lQpQXlHbqkdBYOmG4+p/R+vIosO4ui1G6GWE9t71h3AqW61CcCj3/oOjZsG56k8HMSNk/+3mfUTP86nzLRGkekgc4wgcugAwIBEqKBwwSBwPsG9nGloEnOsA1abP4R1/yUDcikjjwKiacvZ+cu7bWEzu3L376k08U8C2YIClyUJy3Grt68LxhnfZ65VCZ5J5IOLiXOJnHBIoJ1L4GMYp4EgZzHvI7R3U3DApMzNWZwc1MsSF5UGhmLwxSevDLetJHjgKzKNteRyVN/8CFgjSBEjGSN1Qgy1RZHuQR9d3JHPczONZ4+ZgStfy+I1m2IUIgW3+4JGFVafHiBQVwSWRNfdXFgI3wBz7slntd7r3qMWA== - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 200 OK - < Date: Wed, 25 Sep 2013 06:17:47 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8= - < X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 - < X-Debug-Remote-User: jsmith - < X-Debug-Groups: jsmith - < X-Debug-Token-Life: 86400s - < X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013 - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < - * Connection #1 to host (nil) left intact - * Closing connection #0 - * Closing connection #1 - -List the container using authentication token for jsmith: -> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /v1/AUTH_myvolume/c1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 - > - < HTTP/1.1 200 OK - < Content-Length: 8 - < X-Container-Object-Count: 0 - < Accept-Ranges: bytes - < X-Timestamp: 1 - < X-Container-Bytes-Used: 0 - < Content-Type: text/plain; charset=utf-8 - < X-Trans-Id: tx575215929c654d9f9f284-00524280a4 - < Date: Wed, 25 Sep 2013 06:20:20 GMT - < - object1 - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -Downloading the object as jsmith: -> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 - > - < HTTP/1.1 200 OK - < Content-Length: 11 - < Accept-Ranges: bytes - < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT - < Etag: 3e25960a79dbc69b674cd4ec67a72c62 - < X-Timestamp: 1380089280.98829 - < Content-Type: application/x-www-form-urlencoded - < X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa - < Date: Wed, 25 Sep 2013 06:24:42 GMT - < - * Connection #0 to host client.rhelbox.com left intact - Hello world* Closing connection #0 - -For curl to follow the redirect, you need to specify additional -options. With these, and with a current Kerberos ticket, you should -get the Kerberos user's cached authentication token, or a new one if -the previous token has expired. - -> curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 - -The --negotiate option is for curl to perform Kerberos authentication and ---location-trusted is for curl to follow the redirect. - -[auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html - - -#### Get an authentication token when auth_mode=passive: -> curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0 - -**NOTE**: X-Storage-Url response header can be returned only in passive mode. - -<a name="config-swiftkerbauth" /> -##Configurable Parameters - -The kerbauth filter section in **/etc/swift/proxy-server.conf** looks something -like this: - - [filter:kerbauth] - use = egg:swiftkerbauth#kerbauth - ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth - auth_method = active - token_life = 86400 - debug_headers = yes - realm_name = RHELBOX.COM - -Of all the options listed above, specifying **ext\_authentication\_url** is -mandatory. The rest of the options are optional and have default values. - -#### ext\_authentication\_url -A URL specifying location of the swift-auth CGI script. Avoid using IP address. -Default value: None - -#### token_life -After how many seconds the cached information about an authentication token is -discarded. -Default value: 86400 - -#### debug_headers -When turned on, the response headers sent to the user will contain additional -debug information apart from the auth token. -Default value: yes - -#### auth_method -Set this to **"active"** when you want to allow access **only to clients -residing inside the domain**. In this mode, authentication is performed by -mod\_auth\_kerb using the Kerberos ticket bundled with the client request. -No username and password have to be specified to get a token. -Set this to **"passive"** when you want to allow access to clients residing -outside the domain. In this mode, authentication is performed by gleaning -username and password from request headers (X-Auth-User and X-Auth-Key) and -running kinit command against it. -Default value: passive - -#### realm_name -This is applicable only when the auth_method=passive. This option specifies -realm name if storage server belongs to more than one realm and realm name is not -part of the username specified in X-Auth-User header. - -<a name="swfunctest" /> -##Functional tests for SwiftkerbAuth - -Functional tests to be run on the storage node after SwiftKerbAuth is setup using -either IPA server or Windows AD. The gluster-swift/doc/markdown/swiftkerbauth -directory contains the SwiftkerbAuth setup documents. There are two modes of -working with SwiftKerbAuth. 'PASSIVE' mode indicates the client is outside the -domain configured using SwiftKerbAuth. Client provides the 'Username' and -'Password' while invoking a command. SwiftKerbAuth auth filter code then -would get the ticket granting ticket from AD server or IPA server. -In 'ACTIVE' mode of SwiftKerbAuth, User is already logged into storage node using -its kerberos credentials. That user is authenticated across AD/IPA server. - -In PASSIVE mode all the generic functional tests are run. ACTIVE mode has a -different way of acquiring Ticket Granting Ticket. And hence the different -framework of functional tests there. - -The accounts, users, passwords must be prepared on AD/IPA server as per -mentioned in test/functional_auth/swiftkerbauth/conf/test.conf - -Command to invoke SwiftKerbAuth functional tests is -> $tox -e swfunctest - -This would run both ACTIVE and PASSIVE mode functional test cases. |