summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPrashanth Pai <ppai@redhat.com>2013-09-24 11:47:50 +0530
committerLuis Pabon <lpabon@redhat.com>2013-10-16 15:49:12 -0700
commit373032fc97d27c79895e6114670760aa717f9f61 (patch)
treeecf027f06b2e00fd6605c148e831df806d10243f
parent9812a4a9e4a30a208d77d3b10828a1c174dccd77 (diff)
Add documentation
The following guides were added: * Setting up a RHEL 6.x IdM server with a Fedora 18 client * Setting up and configuring swiftkerbauth * Architecture of Swiftkerbauth Change-Id: I50665e584ff9513b5a20d1eda546c73c93f14638 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/6040 Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com>
-rw-r--r--MANIFEST.in2
-rw-r--r--README4
-rw-r--r--README.md19
-rw-r--r--doc/DOCUMENTATION299
-rw-r--r--doc/architecture.md106
-rw-r--r--doc/ipa_client.md80
-rw-r--r--doc/ipa_server.md134
-rw-r--r--doc/swiftkerbauth_guide.md427
-rw-r--r--setup.py4
-rw-r--r--swiftkerbauth/kerbauth.py2
10 files changed, 772 insertions, 305 deletions
diff --git a/MANIFEST.in b/MANIFEST.in
index 67cbf75..157606a 100644
--- a/MANIFEST.in
+++ b/MANIFEST.in
@@ -1,4 +1,4 @@
-include LICENSE README
+include LICENSE README.md
recursive-include swiftkerbauth test *.py
graft doc
graft apachekerbauth
diff --git a/README b/README
deleted file mode 100644
index 5200e57..0000000
--- a/README
+++ /dev/null
@@ -1,4 +0,0 @@
-swiftkerbauth
-=============
-
-Kerberos Authentication filter for Openstack Swift
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f3ef73a
--- /dev/null
+++ b/README.md
@@ -0,0 +1,19 @@
+swiftkerbauth
+=============
+
+Kerberos Authentication filter for Openstack Swift
+--------------------------------------------------
+
+Carsten Clasohm implemented a new authentication filter for swift
+that uses Kerberos tickets for single sign on authentication, and
+grants administrator permissions based on the user's group membership
+in a directory service like Red Hat Enterprise Linux Identity Management
+or Microsoft Active Directory.
+
+Table of Contents
+-----------------
+
+1. [Architecture](doc/architecture.md)
+2. [IPA Server Guide](doc/ipa_server.md)
+3. [IPA Client Guide](doc/ipa_client.md)
+4. [Swiftkerbauth Guide](doc/swiftkerbauth_guide.md)
diff --git a/doc/DOCUMENTATION b/doc/DOCUMENTATION
deleted file mode 100644
index 5b36b24..0000000
--- a/doc/DOCUMENTATION
+++ /dev/null
@@ -1,299 +0,0 @@
-Kerberos Authentication Filter for Red Hat Storage and OpenStack Swift
-----------------------------------------------------------------------
-
-Red Hat Storage not only provides file system access to its data, but
-also object-level access. The latter is implemented with OpenStack
-Swift, and allows containers and objects to be stored and retrieved
-with an HTTP-based API.
-
-Red Hat Storage 2.0 comes with a simple authentication filter that
-defines user accounts as a static list in the Swift configuration
-file. For this project, we implemented a new authentication filter
-that uses Kerberos tickets for single sign on authentication, and
-grants administrator permissions based on the user's group membership
-in a directory service like Red Hat Enterprise Linux Identity
-Management or Microsoft Active Directory.
-
-* Building
-
-To build the swiftkerbauth and apachekerbauth RPM packages, change
-into the respective directory and run
-
- ./build.sh
-
-* Installation
-
-** Swift Server
-
-Install the swiftkerbauth RPM on all Red Hat Storage nodes that will
-provide object-level access via Swift.
-
-To active the Kerberos authentication filter, add "kerbauth" in the
-/etc/swift/proxy-server.conf pipeline parameter:
-
- [pipeline:main]
- pipeline = healthcheck cache kerbauth proxy-server
-
-Set the URL of the Apache server that will be used for authentication
-with the ext_authentication_url parameter in the same file:
-
- [filter:kerbauth]
- paste.filter_factory = swiftkerbauth:filter_factory
- ext_authentication_url = http://AUTHENTICATION_SERVER/cgi-bin/swift-auth
-
-If the Swift server is not one of your Gluster nodes, edit
-/etc/swift/fs.conf and change the following lines in the DEFAULT
-section:
-
- mount_ip = RHS_NODE_HOSTNAME
- remote_cluster = yes
-
-Activate the changes by running
-
- swift-init main restart
-
-For troubleshooting, check /var/log/messages.
-
-** Authentication Server
-
-On the authentication server, install the apachekerbauth package.
-
-Edit /etc/httpd/conf.d/swift-auth.conf and set the KrbAuthRealms and
-Krb5KeyTab parameters.
-
-The keytab must contain a HTTP/$HOSTNAME principal. Usually, you will
-have to create the Kerberos principal on the KDC, export it, and copy
-it to a keytab file on the Apache server.
-
-If SELinux is enabled, allow Apache to connect to memcache and
-activate the changes by running
-
- setsebool -P httpd_can_network_connect 1
- setsebool -P httpd_can_network_memcache 1
-
- service httpd reload
-
-For troubleshooting, see /var/log/httpd/error_log.
-
-* Testing
-
-The tests were done with curl on a machine set up as an IDM client,
-using the Gluster volume rhs_ufo1.
-
-In IDM, we created the following user groups:
-
-- auth_reseller_admin
- Users in this group get full access to all Swift accounts.
-
-- auth_rhs_ufo1
- Users in this group get full access to the rhs_ufo1 Swift account.
-
-Next, we created the following users in IDM:
-
-- auth_admin
- Member of the auth_reseller_admin group
-
-- rhs_ufo1_admin
- Member of the auth_rhs_ufo1 group
-
-- jsmith
- No relevant group membership
-
-The authentication tokens were then retrieved with the following
-commands:
-
- kinit auth_admin
- curl -v -u : --negotiate --location-trusted \
- http://rhs1.example.com:8080/auth/v1.0
-
- kinit rhs_ufo1_admin
- curl -v -u : --negotiate --location-trusted \
- http://rhs1.example.com:8080/auth/v1.0
-
- kinit jsmith
- curl -v -u : --negotiate --location-trusted \
- http://rhs1.example.com:8080/auth/v1.0
-
-Each of these commands should output the following two lines:
-
-< X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0
-...
-<pre>1365195860 / auth_admin,auth_reseller_admin</pre>
-
-The first line contains the authentication token that is used in
-subsequent requests.
-
-The second line is printed by the swift-auth CGI script for debugging
-- it lists the token expiration (in seconds since January 1, 1970) and
-the user's groups.
-
-Next, we try to get information about the Swift account, replacing the
-AUTH_tk* with one of the tokens we got with the commands above. This
-should display statistics, and the list of container names when used
-with the the admin users. For jsmith, you should get a 403 Forbidden
-error.
-
- curl -v -X GET \
- -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1
-
-With one of the admin accounts, create a new container and a new
-object in that container:
-
- curl -v -X PUT \
- -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures
-
- curl -v -X PUT \
- -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \
- -H 'Content-Length: 0' \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png
-
-Grant permission for jsmith to list and download objects from the
-pictures container:
-
- curl -v -X POST \
- -H 'X-Auth-Token: AUTH_tkdbf7725c1e4ad1ebe9ab0d7098d425f2' \
- -H 'X-Container-Read: jsmith' \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures
-
-List the container contents using the authentication token for jsmith:
-
- curl -v -X GET \
- -H 'X-Auth-Token: AUTH_tkef8b417ac0c2a73a80ab3b8db85254e2' \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures
-
-Try to access a resource without an authentication token. This will
-return a 303 redirect:
-
- curl -v -X GET \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png
-
-For curl to follow the redirect, you need to specify additional
-options. With these, and with a current Kerberos ticket, you should
-get the Kerberos user's cached authentication token, or a new one if
-the previous token has expired.
-
- curl -v -u : --negotiate --location-trusted -X GET \
- http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png
-
-* Implementation Details
-
-** Architecture
-
-The Swift API is HTTP-based. As described in the Swift documentation
-[1], clients first make a request to an authentication URL, providing
-a username and password. The reply contains a token which is used in
-all subsequent requests.
-
-Swift has a chain of filters through which all client requests go. The
-filters to use are configured with the pipeline parameter in
-/etc/swift/proxy-server.conf:
-
- [pipeline:main]
- pipeline = healthcheck cache tempauth proxy-server
-
-For the single sign authentication, we added a new filter called
-"kerbauth" and put it into the filter pipeline in place of tempauth.
-
-The filter checks the URL for each client request. If it matches the
-authentication URL, the client is redirected to a URL on a different
-server. The URL is handled by a CGI script, which is set up to
-authenticate the client with Kerberos negotiation, retrieve the user's
-system groups [2], store them in a memcache ring shared with the Swift
-server, and return the authentication token to the client.
-
-When the client provides the token as part of a resource request, the
-kerbauth filter checks it against its memcache, grants administrator
-rights based on the group membership retrieved from memcache, and
-either grants or denies the resource access.
-
-[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html
-
-[2] The user data and system groups are usually provided by Red Hat
- Enterprise Linux identity Management or Microsoft Active
- Directory. The script relies on the system configuration to be set
- accordingly (/etc/nsswitch.conf).
-
-** swiftkerbauth.py
-
-The script /usr/lib/python2.6/site-packages/swiftkerbauth.py began as
-a copy of the tempauth.py script from
-/usr/lib/python2.6/site-packages/swift/common/middleware. It contains
-the following modifications, among others:
-
-In the __init__ method, we read the ext_authentication_url parameter
-from /etc/swift/proxy-server.conf. This is the URL that clients are
-redirected to when they access either the Swift authentication URL, or
-when they request a resource without a valid authentication token.
-
-The configuration in proxy-server.conf looks like this:
-
- [filter:kerbauth]
- paste.filter_factory = swiftkerbauth:filter_factory
- ext_authentication_url = http://rhel6-4.localdomain/cgi-bin/swift-auth
-
-The authorize method was changed so that global administrator rights
-are granted if the user is a member of the auth_reseller_admin
-group. Administrator rights for a specific account like vol1 are
-granted if the user is a member of the auth_vol1 group. [3]
-
-The denied_response method was changed to return a HTTP redirect to
-the external authentication URL if no valid token was provided by the
-client.
-
-Most of the handle_get_token method was moved to the external
-authentication script. This method now returns a HTTP redirect.
-
-In the __call__ and get_groups method, we removed support for the
-HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is
-used.
-
-Like tempauth.py, swiftkerbauth.py uses a Swift wrapper to access
-memcache. This wrapper converts the key to an MD5 hash and uses the
-hash value to determine on which of a pre-defined list of servers to
-store the data.
-
-[3] "auth" is the default reseller prefix, and would be different if
- the reseller_prefix parameter in proxy-server.conf was set.
-
-** swift-auth CGI Script
-
-swift-auth resides on an Apache server and assumes that Apache is
-configured to authenticate the user before this script is
-executed. The script retrieves the username from the REMOTE_USER
-environment variable, and checks if there already is a token for this
-user in the memcache ring. If not, it generates a new one, retrieves
-the user's system groups with "id -Gn USERNAME", stores this
-information in the memcache ring, and returns the token to the client.
-
-For the Swift filter to be able to find the information, it was
-important to use the Swift memcached module. Because we don't want to
-require a full Swift installation on the authentication server,
-/usr/lib/python2.6/site-packages/swift/common/memcached.py from the
-Swift server was copied to /var/www/cgi-bin on the Apache server.
-
-To allow the CGI script to connect to memcache, the SELinux booleans
-httpd_can_network_connect and httpd_can_network_memcache had to be
-set.
-
-The tempauth filter uses the uuid module to generate token
-strings. This module creates and runs temporary files, which leads to
-AVC denial messages in /var/log/audit/audit.log when used from an
-Apache CGI script. While the module still works, the audit log would
-grow quickly. Instead of writing an SELinux policy module to allow or
-to silently ignore these accesses, the swift-auth script uses the
-"random" module for generating token strings.
-
-Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides
-method to list the locally defined user groups. To include groups from
-Red Hat Enterprise Linux Identity Management and in the future from
-Active Directory, the "id" command is run in a subprocess.
-
-* Reference Material
-
-Red Hat Storage Administration Guide:
-https://access.redhat.com/knowledge/docs/Red_Hat_Storage/
-
-Swift Documentation:
-http://docs.openstack.org/developer/swift/
diff --git a/doc/architecture.md b/doc/architecture.md
new file mode 100644
index 0000000..cfe64d2
--- /dev/null
+++ b/doc/architecture.md
@@ -0,0 +1,106 @@
+# Architecture
+
+The Swift API is HTTP-based. As described in the Swift documentation
+[1], clients first make a request to an authentication URL, providing
+a username and password. The reply contains a token which is used in
+all subsequent requests.
+
+Swift has a chain of filters through which all client requests go. The
+filters to use are configured with the pipeline parameter in
+/etc/swift/proxy-server.conf:
+
+ [pipeline:main]
+ pipeline = healthcheck cache tempauth proxy-server
+
+For the single sign authentication, we added a new filter called
+"kerbauth" and put it into the filter pipeline in place of tempauth.
+
+The filter checks the URL for each client request. If it matches the
+authentication URL, the client is redirected to a URL on a different
+server (on the same machine). The URL is handled by a CGI script, which
+is set up to authenticate the client with Kerberos negotiation, retrieve
+the user's system groups [2], store them in a memcache ring shared with
+the Swift server, and return the authentication token to the client.
+
+When the client provides the token as part of a resource request, the
+kerbauth filter checks it against its memcache, grants administrator
+rights based on the group membership retrieved from memcache, and
+either grants or denies the resource access.
+
+[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html
+
+[2] The user data and system groups are usually provided by Red Hat
+ Enterprise Linux identity Management or Microsoft Active
+ Directory. The script relies on the system configuration to be set
+ accordingly (/etc/nsswitch.conf).
+
+*****
+
+## kerbauth.py
+
+The script /usr/lib/python2.6/site-packages/swiftkerbauth/kerbauth.py began as
+a copy of the tempauth.py script from
+/usr/lib/python2.6/site-packages/swift/common/middleware. It contains
+the following modifications, among others:
+
+In the __init__ method, we read the ext_authentication_url parameter
+from /etc/swift/proxy-server.conf. This is the URL that clients are
+redirected to when they access either the Swift authentication URL, or
+when they request a resource without a valid authentication token.
+
+The configuration in proxy-server.conf looks like this:
+
+ [filter:kerbauth]
+ use = egg:swiftkerbauth#kerbauth
+ ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+
+The authorize method was changed so that global administrator rights
+are granted if the user is a member of the auth_reseller_admin
+group. Administrator rights for a specific account like vol1 are
+granted if the user is a member of the auth_vol1 group. [3]
+
+The denied_response method was changed to return a HTTP redirect to
+the external authentication URL if no valid token was provided by the
+client.
+
+Most of the handle_get_token method was moved to the external
+authentication script. This method now returns a HTTP redirect.
+
+In the __call__ and get_groups method, we removed support for the
+HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is
+used.
+
+Like tempauth.py, kerbauth.py uses a Swift wrapper to access
+memcache. This wrapper converts the key to an MD5 hash and uses the
+hash value to determine on which of a pre-defined list of servers to
+store the data.
+
+[3] "auth" is the default reseller prefix, and would be different if
+ the reseller_prefix parameter in proxy-server.conf was set.
+
+## swift-auth CGI script
+
+swift-auth resides on an Apache server and assumes that Apache is
+configured to authenticate the user before this script is
+executed. The script retrieves the username from the REMOTE_USER
+environment variable, and checks if there already is a token for this
+user in the memcache ring. If not, it generates a new one, retrieves
+the user's system groups with "id -Gn USERNAME", stores this
+information in the memcache ring, and returns the token to the client.
+
+To allow the CGI script to connect to memcache, the SELinux booleans
+httpd_can_network_connect and httpd_can_network_memcache had to be
+set.
+
+The tempauth filter uses the uuid module to generate token
+strings. This module creates and runs temporary files, which leads to
+AVC denial messages in /var/log/audit/audit.log when used from an
+Apache CGI script. While the module still works, the audit log would
+grow quickly. Instead of writing an SELinux policy module to allow or
+to silently ignore these accesses, the swift-auth script uses the
+"random" module for generating token strings.
+
+Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides
+method to list the locally defined user groups. To include groups from
+Red Hat Enterprise Linux Identity Management and in the future from
+Active Directory, the "id" command is run in a subprocess.
diff --git a/doc/ipa_client.md b/doc/ipa_client.md
new file mode 100644
index 0000000..f6afc42
--- /dev/null
+++ b/doc/ipa_client.md
@@ -0,0 +1,80 @@
+#IPA Client Guide
+
+##Contents
+* [Setup Overview] (#setup)
+* [Configure Network] (#network)
+* [Installing IPA Client] (#ipa-client)
+
+<a name="setup" />
+##Setup Overview
+We have used a F18 box as IPA client machine and used FreeIPA client.
+This document borrows instructions from the following more detailed guide.
+[RHEL 6 Identity Management Guide][]
+
+
+<a name="network" />
+## Configure network
+
+Set hostname (FQDN) to client.rhelbox.com
+> hostnamectl set-hostname "client.rhelbox.com"
+>
+> hostname "client.rhelbox.com"
+
+Add following to /etc/sysconfig/network:
+
+ HOSTNAME=client.rhelbox.com
+
+Add the following to /etc/hostname
+
+ client.rhelbox.com
+
+Add the following to /etc/hosts
+
+ 192.168.56.110 server.rhelbox.com server
+ 192.168.56.101 client.rhelbox.com client
+
+Logout and login again and verify hostname :
+> hostname --fqdn
+
+Edit */etc/resolv.conf* to add this at beginning of file
+
+ nameserver 192.168.56.110
+
+Warning: NetworkManager changes resolv.conf on restart
+
+Turn off firewall
+> service iptables stop
+>
+> chkconfig iptables off
+
+<a name="ipa-client" />
+## Installing IPA Client
+
+Install IPA client packages:
+
+For RHEL:
+> yum install ipa-client ipa-admintools
+
+For Fedora:
+> yum install freeipa-client freeipa-admintools
+
+Install IPA client and add to domain:
+>ipa-client-install --enable-dns-updates
+
+ Discovery was successful!
+ Hostname: client.rhelbox.com
+ Realm: RHELBOX.COM
+ DNS Domain: rhelbox.com
+ IPA Server: server.rhelbox.com
+ BaseDN: dc=rhelbox,dc=com
+
+ Continue to configure the system with these values? [no]: yes
+ User authorized to enroll computers: admin
+
+Check if client is configured correctly:
+> kinit admin
+>
+> getent passwd admin
+
+
+[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
diff --git a/doc/ipa_server.md b/doc/ipa_server.md
new file mode 100644
index 0000000..ef12b53
--- /dev/null
+++ b/doc/ipa_server.md
@@ -0,0 +1,134 @@
+#IPA Server Guide
+
+##Contents
+* [Setup Overview] (#setup)
+* [Configure Network] (#network)
+* [Installing IPA Server] (#ipa-server)
+* [Configuring DNS] (#dns)
+* [Adding Users and Groups] (#users-groups)
+
+
+<a name="setup" />
+##Setup Overview
+We have used a RHEL 6.4 box as IPA and DNS server. This document borrows
+instructions from the following more detailed guide.
+[RHEL 6 Identity Management Guide][]
+
+
+<a name="network" />
+## Configure network
+
+Change hostname (FQDN) to server.rhelbox.com
+> hostname "server.rhelbox.com"
+
+Add following to */etc/sysconfig/network* file
+
+ HOSTNAME=server.rhelbox.com
+
+Add the following to */etc/hosts* file
+
+ 192.168.56.110 server.rhelbox.com server
+ 192.168.56.101 client.rhelbox.com client
+
+Logout and login again and verify new hostname
+> hostname --fqdn
+
+Turn off firewall
+> service iptables stop
+>
+> chkconfig iptables off
+
+
+<a name="ipa-server" />
+## Installing IPA Server
+
+Install IPA server packages and DNS dependencies
+> yum install ipa-server bind bind-dyndb-ldap
+
+Run the following interactive setup to install IPA server with DNS
+> ipa-server-install --setup-dns
+
+ The IPA Master Server will be configured with:
+ Hostname: server.rhelbox.com
+ IP address: 192.168.56.110
+ Domain name: rhelbox.com
+ Realm name: RHELBOX.COM
+
+ BIND DNS server will be configured to serve IPA domain with:
+ Forwarders: No forwarders
+ Reverse zone: 56.168.192.in-addr.arpa.
+
+The installation may take some time.
+
+Check if IPA is installed correctly :
+> kinit admin
+>
+> ipa user-find admin
+
+
+<a name="dns" />
+## Configuring DNS
+
+Edit */etc/resolv.conf* to add this at beginning of file :
+
+ nameserver 192.168.56.110
+
+Warning: NetworkManager changes resolv.conf on restart
+
+Add a DNS A record and PTR record for the client under rhelbox.com zone
+> ipa dnsrecord-add rhelbox.com client --a-rec=192.168.56.101 --a-create-reverse
+
+Check if DNS resolution is working by running :
+
+> dig server.rhelbox.com
+
+ ;; ANSWER SECTION:
+ server.rhelbox.com. 1200 IN A 192.168.56.110
+
+> dig client.rhelbox.com
+
+ ;; ANSWER SECTION:
+ client.rhelbox.com. 86400 IN A 192.168.56.101
+
+Check if reverse resolution works :
+
+> dig -t ptr 101.56.168.192.in-addr.arpa.
+
+ ;; ANSWER SECTION:
+ 101.56.168.192.in-addr.arpa. 86400 IN PTR client.rhelbox.com.
+
+
+> dig -t ptr 110.56.168.192.in-addr.arpa.
+
+ ;; ANSWER SECTION:
+ 110.56.168.192.in-addr.arpa. 86400 IN PTR server.rhelbox.com.
+
+
+<a name="users-groups" />
+## Adding users and groups
+
+Create *auth_reseller_admin* user group
+> ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts"
+
+Create *auth_rhs_test* user group
+> ipa group-add auth_rhs_test --desc="Full access to rhs_test account"
+
+Create user *auth_admin* user as member of *auth_reseller_admin* user group
+> ipa user-add auth_admin --first=Auth --last=Admin --password
+>
+> ipa group-add-member auth_reseller_admin --users=auth_admin
+
+Create user *rhs_test_admin* as member of *auth_rhs_test* user group
+> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
+>
+> ipa group-add-member auth_rhs_test --users=rhs_test_admin
+
+Create user *jsmith* with no relevant group membership
+> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
+
+You can verify users have been added by running
+>ipa user-find admin
+
+NOTE: Every user has to change password on first login.
+
+[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
diff --git a/doc/swiftkerbauth_guide.md b/doc/swiftkerbauth_guide.md
new file mode 100644
index 0000000..eaebca5
--- /dev/null
+++ b/doc/swiftkerbauth_guide.md
@@ -0,0 +1,427 @@
+#swiftkerbauth
+
+* [Installing Kerberos module for Apache on IPA client] (#httpd-kerb-install)
+* [Creating HTTP Service Principal on IPA server] (#http-principal)
+* [Installing and configuring swiftkerbauth on IPA client] (#install-swiftkerbauth)
+* [Using swiftkerbauth] (#use-swiftkerbauth)
+
+<a name="httpd-kerb-install" />
+## Installing Kerberos module for Apache on IPA client
+
+Install httpd server with kerberos module:
+> yum install httpd mod_auth_kerb
+>
+> service httpd restart
+
+Check if auth_kerb_module is loaded :
+> httpd -M | grep kerb
+
+Change httpd log level to debug by adding/changing the following in
+*/etc/httpd/conf/httpd.conf* file
+
+ LogLevel debug
+
+httpd logs are at */var/log/httpd/error_log* for troubleshooting
+
+If SELinux is enabled, allow Apache to connect to memcache and
+activate the changes by running
+>setsebool -P httpd_can_network_connect 1
+>
+>setsebool -P httpd_can_network_memcache 1
+
+*****
+
+<a name="http-principal" />
+## Creating HTTP Service Principal on IPA server
+
+Add a HTTP Kerberos service principal :
+> ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM
+
+Retrieve the HTTP service principal to a keytab file:
+> ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab
+
+Copy keytab file to client:
+> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab
+
+*****
+
+<a name="install-swiftkerbauth" />
+##Installing and configuring swiftkerbauth on IPA client
+
+Prerequisites for installing swiftkerbauth
+* swift (havana)
+* gluster-swift (optional)
+
+You can install swiftkerbauth using one of these three ways:
+
+Installing swiftkerbauth from source:
+> python setup.py install
+
+Installing swiftkerbauth using pip:
+> pip install swiftkerbauth
+
+Installing swiftkerbauth from RPMs:
+> ./makerpm.sh
+>
+> rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm
+
+Edit */etc/httpd/conf.d/swift-auth.conf* and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly.
+More detail on configuring kerberos for apache can be found at:
+[auth_kerb_module Configuration][]
+
+Make /etc/httpd/conf/http.keytab readable by any user :
+> chmod 644 /etc/httpd/conf/http.keytab
+
+And preferably change owner of keytab file to apache :
+> chown apache:apache /etc/httpd/conf/http.keytab
+
+Reload httpd
+> service httpd reload
+
+Make authentication script executable:
+> chmod +x /var/www/cgi-bin/swift-auth
+
+*****
+
+<a name="#use-swiftkerbauth" />
+##Using swiftkerbauth
+
+### Adding kerbauth filter in swift pipeline
+
+Edit */etc/swift/proxy-server.conf* and add a new filter section as follows:
+
+ [filter:kerbauth]
+ use = egg:swiftkerbauth#kerbauth
+ ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+
+Add kerbauth to pipeline
+
+ [pipeline:main]
+ pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server
+
+If the Swift server is not one of your Gluster nodes, edit
+*/etc/swift/fs.conf* and change the following lines in the DEFAULT
+section:
+
+ mount_ip = RHS_NODE_HOSTNAME
+ remote_cluster = yes
+
+Restart swift to activate kerbauth filer
+> swift-init main restart
+
+
+###Examples
+
+####Authenticate user and get Kerberos ticket
+
+> kinit auth_admin
+
+NOTE: curl ignores user specified in -u option. All further curl commands
+will use the currently authenticated auth_admin user.
+
+####Get an authentication token:
+> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > GET /auth/v1.0 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ >
+ < HTTP/1.1 303 See Other
+ < Content-Type: text/html; charset=UTF-8
+ < Location: http://client.rhelbox.com/cgi-bin/swift-auth
+ < Content-Length: 0
+ < X-Trans-Id: txecd415aae89b4320b6145-0052417ea5
+ < Date: Tue, 24 Sep 2013 11:59:33 GMT
+ <
+ * Connection #0 to host client.rhelbox.com left intact
+ * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
+ * About to connect() to client.rhelbox.com port 80 (#1)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
+ > GET /cgi-bin/swift-auth HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com
+ > Accept: */*
+ >
+ < HTTP/1.1 401 Unauthorized
+ < Date: Tue, 24 Sep 2013 11:59:33 GMT
+ < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
+ < WWW-Authenticate: Negotiate
+ < WWW-Authenticate: Basic realm="Swift Authentication"
+ < Content-Length: 381
+ < Content-Type: text/html; charset=iso-8859-1
+ <
+ * Ignoring the response-body
+ * Connection #1 to host client.rhelbox.com left intact
+ * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
+ * Re-using existing connection! (#1) with host (nil)
+ * Connected to (nil) (192.168.56.101) port 80 (#1)
+ * Server auth using GSS-Negotiate with user ''
+ > GET /cgi-bin/swift-auth HTTP/1.1
+ > Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4=
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com
+ > Accept: */*
+ >
+ < HTTP/1.1 200 OK
+ < Date: Tue, 24 Sep 2013 11:59:33 GMT
+ < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
+ < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y
+ < X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
+ < X-Debug-Remote-User: auth_admin
+ < X-Debug-Groups: auth_admin,auth_reseller_admin
+ < X-Debug-Token-Life: 86400s
+ < X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013
+ < Content-Length: 0
+ < Content-Type: text/html; charset=UTF-8
+ <
+ * Connection #1 to host (nil) left intact
+ * Closing connection #0
+ * Closing connection #1
+
+The header *X-Auth-Token* in response contains the token *AUTH_tk083b8abc92f4a514f34224a181ed568a*.
+
+####PUT a container
+>curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > PUT /v1/AUTH_myvolume/c1 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
+ >
+ < HTTP/1.1 201 Created
+ < Content-Length: 0
+ < Content-Type: text/html; charset=UTF-8
+ < X-Trans-Id: txc420b0ebf9714445900e8-0052418863
+ < Date: Tue, 24 Sep 2013 12:41:07 GMT
+ <
+ * Connection #0 to host client.rhelbox.com left intact
+ * Closing connection #0
+
+####GET a container listing
+> curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > GET /v1/AUTH_myvolume HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
+ >
+ < HTTP/1.1 200 OK
+ < Content-Length: 3
+ < X-Account-Container-Count: 0
+ < Accept-Ranges: bytes
+ < X-Account-Object-Count: 0
+ < X-Bytes-Used: 0
+ < X-Timestamp: 1379997117.09468
+ < X-Object-Count: 0
+ < X-Account-Bytes-Used: 0
+ < X-Type: Account
+ < Content-Type: text/plain; charset=utf-8
+ < X-Container-Count: 0
+ < X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc
+ < Date: Tue, 24 Sep 2013 12:43:08 GMT
+ <
+ c1
+ * Connection #0 to host client.rhelbox.com left intact
+ * Closing connection #0
+
+####PUT an object in container
+> curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world'
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
+ > Content-Length: 11
+ > Content-Type: application/x-www-form-urlencoded
+ >
+ * upload completely sent off: 11 out of 11 bytes
+ < HTTP/1.1 201 Created
+ < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
+ < Content-Length: 0
+ < Etag: 3e25960a79dbc69b674cd4ec67a72c62
+ < Content-Type: text/html; charset=UTF-8
+ < X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0
+ < Date: Wed, 25 Sep 2013 06:08:01 GMT
+ <
+ * Connection #0 to host client.rhelbox.com left intact
+ * Closing connection #0
+
+####Give permission to jsmith to list and download objects from c1 container
+> curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > POST /v1/AUTH_myvolume/c1 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
+ > X-Container-Read: jsmith
+ >
+ < HTTP/1.1 204 No Content
+ < Content-Length: 0
+ < Content-Type: text/html; charset=UTF-8
+ < X-Trans-Id: txcedea3e2557d463eb591d-0052427f60
+ < Date: Wed, 25 Sep 2013 06:14:56 GMT
+ <
+ * Connection #0 to host client.rhelbox.com left intact
+ * Closing connection #0
+
+####Access container as jsmith
+
+> kinit jsmith
+
+Get token for jsmith
+> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > GET /auth/v1.0 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ >
+ < HTTP/1.1 303 See Other
+ < Content-Type: text/html; charset=UTF-8
+ < Location: http://client.rhelbox.com/cgi-bin/swift-auth
+ < Content-Length: 0
+ < X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b
+ < Date: Wed, 25 Sep 2013 06:17:47 GMT
+ <
+ * Connection #0 to host client.rhelbox.com left intact
+ * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
+ * About to connect() to client.rhelbox.com port 80 (#1)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
+ > GET /cgi-bin/swift-auth HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com
+ > Accept: */*
+ >
+ < HTTP/1.1 401 Unauthorized
+ < Date: Wed, 25 Sep 2013 06:17:47 GMT
+ < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
+ < WWW-Authenticate: Negotiate
+ < WWW-Authenticate: Basic realm="Swift Authentication"
+ < Content-Length: 381
+ < Content-Type: text/html; charset=iso-8859-1
+ <
+ * Ignoring the response-body
+ * Connection #1 to host client.rhelbox.com left intact
+ * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
+ * Re-using existing connection! (#1) with host (nil)
+ * Connected to (nil) (192.168.56.101) port 80 (#1)
+ * Server auth using GSS-Negotiate with user ''
+ > GET /cgi-bin/swift-auth HTTP/1.1
+ > Authorization: Negotiate YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFbYYIBVzCCAVOgAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARQwggEQoAMCARKhAwIBAaKCAQIEgf/+3OaXYCSEjcsjU3t3lOLcYG84GBP9Kj9YTHc7yVMlcam4ivCwMqCkzxgvNo2E3a5KSWyFwngeX4b/QFbCKPXA4sfBibZRkeMk5gr2f0MLI3gWEAIYq7bJLre04bnkD2F0MzijPJrOLIx1KmFe08UGWCEmnG2uj07lvIR1RwV/7dMM4J1B+KKvDVKA0LxahwPIpx8oOON2yMGcstrBAHBBk5pmpt1Gg9Lh7xdNPsjP0IfI5Q0zkGCRBKpvpXymP1lQpQXlHbqkdBYOmG4+p/R+vIosO4ui1G6GWE9t71h3AqW61CcCj3/oOjZsG56k8HMSNk/+3mfUTP86nzLRGkekgc4wgcugAwIBEqKBwwSBwPsG9nGloEnOsA1abP4R1/yUDcikjjwKiacvZ+cu7bWEzu3L376k08U8C2YIClyUJy3Grt68LxhnfZ65VCZ5J5IOLiXOJnHBIoJ1L4GMYp4EgZzHvI7R3U3DApMzNWZwc1MsSF5UGhmLwxSevDLetJHjgKzKNteRyVN/8CFgjSBEjGSN1Qgy1RZHuQR9d3JHPczONZ4+ZgStfy+I1m2IUIgW3+4JGFVafHiBQVwSWRNfdXFgI3wBz7slntd7r3qMWA==
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com
+ > Accept: */*
+ >
+ < HTTP/1.1 200 OK
+ < Date: Wed, 25 Sep 2013 06:17:47 GMT
+ < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
+ < WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8=
+ < X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
+ < X-Debug-Remote-User: jsmith
+ < X-Debug-Groups: jsmith
+ < X-Debug-Token-Life: 86400s
+ < X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013
+ < Content-Length: 0
+ < Content-Type: text/html; charset=UTF-8
+ <
+ * Connection #1 to host (nil) left intact
+ * Closing connection #0
+ * Closing connection #1
+
+List the container using authentication token for jsmith:
+> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > GET /v1/AUTH_myvolume/c1 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
+ >
+ < HTTP/1.1 200 OK
+ < Content-Length: 8
+ < X-Container-Object-Count: 0
+ < Accept-Ranges: bytes
+ < X-Timestamp: 1
+ < X-Container-Bytes-Used: 0
+ < Content-Type: text/plain; charset=utf-8
+ < X-Trans-Id: tx575215929c654d9f9f284-00524280a4
+ < Date: Wed, 25 Sep 2013 06:20:20 GMT
+ <
+ object1
+ * Connection #0 to host client.rhelbox.com left intact
+ * Closing connection #0
+
+Downloading the object as jsmith:
+> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1
+
+ * About to connect() to client.rhelbox.com port 8080 (#0)
+ * Trying 192.168.56.101...
+ * connected
+ * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
+ > GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1
+ > User-Agent: curl/7.27.0
+ > Host: client.rhelbox.com:8080
+ > Accept: */*
+ > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
+ >
+ < HTTP/1.1 200 OK
+ < Content-Length: 11
+ < Accept-Ranges: bytes
+ < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
+ < Etag: 3e25960a79dbc69b674cd4ec67a72c62
+ < X-Timestamp: 1380089280.98829
+ < Content-Type: application/x-www-form-urlencoded
+ < X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa
+ < Date: Wed, 25 Sep 2013 06:24:42 GMT
+ <
+ * Connection #0 to host client.rhelbox.com left intact
+ Hello world* Closing connection #0
+
+For curl to follow the redirect, you need to specify additional
+options. With these, and with a current Kerberos ticket, you should
+get the Kerberos user's cached authentication token, or a new one if
+the previous token has expired.
+
+> curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1
+
+The --negotiate option is for curl to perform Kerberos authentication and
+--location-trusted is for curl to follow the redirect.
+
+[auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html
diff --git a/setup.py b/setup.py
index 01210df..65aab59 100644
--- a/setup.py
+++ b/setup.py
@@ -19,6 +19,9 @@ from setuptools import setup
from swiftkerbauth import __version__
import os
+with open('README.md') as file:
+ long_description = file.read()
+
# Ugly hack to exclude data_files if running in tox as non root
def include_data_files():
@@ -40,6 +43,7 @@ setup(
license='Apache License (2.0)',
author='Red Hat, Inc.',
author_email='gluster-users@gluster.org',
+ long_description=long_description,
url='https://forge.gluster.org/swiftkerbauth',
packages=['swiftkerbauth'],
keywords='openstack swift kerberos',
diff --git a/swiftkerbauth/kerbauth.py b/swiftkerbauth/kerbauth.py
index 323a677..612299d 100644
--- a/swiftkerbauth/kerbauth.py
+++ b/swiftkerbauth/kerbauth.py
@@ -46,7 +46,7 @@ class KerbAuth(object):
And add a kerbauth filter section, such as::
[filter:kerbauth]
- use = egg:swift#kerbauth
+ use = egg:swiftkerbauth#kerbauth
See the proxy-server.conf-sample for more information.