# Authentication Services Start Guide
## Contents
* [Keystone](#keystone)
* [Swiftkerbauth](#swiftkerbauth)
* [GSwauth](#gswauth)
    * [Overview](#gswauth_overview)
    * [Quick Install](#gswauth_quick_install)
    * [How to use it](#swauth_use)
<a name="keystone" />
## Keystone
The standard OpenStack authentication service
TBD
<a name="swiftkerbauth" />
## Swiftkerbauth
Kerberos authentication filter for Swift
TBD
<a name="gswauth" />
## GSwauth
<a name="gswauth_overview" />
### Overview
An easily deployable, GlusterFS-aware authentication service based on [Swauth](http://gholt.github.com/swauth/).
GSwauth is a WSGI Middleware that uses Swift itself as a backing store to
maintain its metadata.
This model has the benefit of making the metadata available to all proxy servers
and saving the data to a GlusterFS volume. To protect the metadata, the GlusterFS
volume should be mountable only by the systems running the proxy servers.
Currently, gluster-swift has a strict mapping of one account to a GlusterFS volume.
In future releases, this will be enhanced to support multiple accounts per GlusterFS
volume.
See <http://gholt.github.com/swauth/> for more information on Swauth.
<a name="gswauth_quick_install" />
### Quick Install
1. GSwauth is installed by default with Gluster for Swift.
2. Create and start the `gsmetadata` gluster volume
```
gluster volume create gsmetadata `hostname`:`brick`
gluster volume start gsmetadata
```
3. Run `gluster-swift-gen-builders` with all volumes that should be
accessible by gluster-swift, including `gsmetadata`
```
gluster-swift-gen-builders gsmetadata `other volumes`
```
4. Change your proxy-server.conf pipeline to have gswauth instead of tempauth:
Was:
```
[pipeline:main]
pipeline = catch_errors cache tempauth proxy-server
```
Change To:
```
[pipeline:main]
pipeline = catch_errors cache gswauth proxy-server
```
5. Add to your proxy-server.conf the section for the Swauth WSGI filter:
```
[filter:gswauth]
use = egg:gluster_swift#gswauth
set log_name = gswauth
super_admin_key = swauthkey
metadata_volume = gsmetadata
auth_type = sha1
auth_type_salt = swauthsalt
```
6. Restart your proxy server: ``swift-init proxy reload``
<a name="swauth_use" />
### How to use it
1. Initialize the GSwauth backing store in Gluster-Swift
``swauth-prep -K swauthkey``
2. Add an account/user. The account name must match the GlusterFS volume name
the user will be given access to. In this example we use the volume ``test``
``swauth-add-user -A http://127.0.0.1:8080/auth/ -K swauthkey -a test user1 password1``
3. Ensure it works
``swift -A http://127.0.0.1:8080/auth/v1.0 -U test:user1 -K password1 stat``
4. Ensure the following fails when an incorrect password is used
``swift -A http://127.0.0.1:8080/auth/v1.0 -U test:user1 -K wrongpassword stat``