From 373032fc97d27c79895e6114670760aa717f9f61 Mon Sep 17 00:00:00 2001 From: Prashanth Pai Date: Tue, 24 Sep 2013 11:47:50 +0530 Subject: Add documentation The following guides were added: * Setting up a RHEL 6.x IdM server with a Fedora 18 client * Setting up and configuring swiftkerbauth * Architecture of Swiftkerbauth Change-Id: I50665e584ff9513b5a20d1eda546c73c93f14638 Signed-off-by: Prashanth Pai Reviewed-on: http://review.gluster.org/6040 Reviewed-by: Luis Pabon Tested-by: Luis Pabon --- MANIFEST.in | 2 +- README | 4 - README.md | 19 ++ doc/DOCUMENTATION | 299 ------------------------------- doc/architecture.md | 106 +++++++++++ doc/ipa_client.md | 80 +++++++++ doc/ipa_server.md | 134 ++++++++++++++ doc/swiftkerbauth_guide.md | 427 +++++++++++++++++++++++++++++++++++++++++++++ setup.py | 4 + swiftkerbauth/kerbauth.py | 2 +- 10 files changed, 772 insertions(+), 305 deletions(-) delete mode 100644 README create mode 100644 README.md delete mode 100644 doc/DOCUMENTATION create mode 100644 doc/architecture.md create mode 100644 doc/ipa_client.md create mode 100644 doc/ipa_server.md create mode 100644 doc/swiftkerbauth_guide.md diff --git a/MANIFEST.in b/MANIFEST.in index 67cbf75..157606a 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -1,4 +1,4 @@ -include LICENSE README +include LICENSE README.md recursive-include swiftkerbauth test *.py graft doc graft apachekerbauth diff --git a/README b/README deleted file mode 100644 index 5200e57..0000000 --- a/README +++ /dev/null @@ -1,4 +0,0 @@ -swiftkerbauth -============= - -Kerberos Authentication filter for Openstack Swift diff --git a/README.md b/README.md new file mode 100644 index 0000000..f3ef73a --- /dev/null +++ b/README.md @@ -0,0 +1,19 @@ +swiftkerbauth +============= + +Kerberos Authentication filter for Openstack Swift +-------------------------------------------------- + +Carsten Clasohm implemented a new authentication filter for swift +that uses Kerberos tickets for single sign on authentication, and +grants administrator permissions based on the user's group membership +in a directory service like Red Hat Enterprise Linux Identity Management +or Microsoft Active Directory. + +Table of Contents +----------------- + +1. [Architecture](doc/architecture.md) +2. [IPA Server Guide](doc/ipa_server.md) +3. [IPA Client Guide](doc/ipa_client.md) +4. [Swiftkerbauth Guide](doc/swiftkerbauth_guide.md) diff --git a/doc/DOCUMENTATION b/doc/DOCUMENTATION deleted file mode 100644 index 5b36b24..0000000 --- a/doc/DOCUMENTATION +++ /dev/null @@ -1,299 +0,0 @@ -Kerberos Authentication Filter for Red Hat Storage and OpenStack Swift ----------------------------------------------------------------------- - -Red Hat Storage not only provides file system access to its data, but -also object-level access. The latter is implemented with OpenStack -Swift, and allows containers and objects to be stored and retrieved -with an HTTP-based API. - -Red Hat Storage 2.0 comes with a simple authentication filter that -defines user accounts as a static list in the Swift configuration -file. For this project, we implemented a new authentication filter -that uses Kerberos tickets for single sign on authentication, and -grants administrator permissions based on the user's group membership -in a directory service like Red Hat Enterprise Linux Identity -Management or Microsoft Active Directory. - -* Building - -To build the swiftkerbauth and apachekerbauth RPM packages, change -into the respective directory and run - - ./build.sh - -* Installation - -** Swift Server - -Install the swiftkerbauth RPM on all Red Hat Storage nodes that will -provide object-level access via Swift. - -To active the Kerberos authentication filter, add "kerbauth" in the -/etc/swift/proxy-server.conf pipeline parameter: - - [pipeline:main] - pipeline = healthcheck cache kerbauth proxy-server - -Set the URL of the Apache server that will be used for authentication -with the ext_authentication_url parameter in the same file: - - [filter:kerbauth] - paste.filter_factory = swiftkerbauth:filter_factory - ext_authentication_url = http://AUTHENTICATION_SERVER/cgi-bin/swift-auth - -If the Swift server is not one of your Gluster nodes, edit -/etc/swift/fs.conf and change the following lines in the DEFAULT -section: - - mount_ip = RHS_NODE_HOSTNAME - remote_cluster = yes - -Activate the changes by running - - swift-init main restart - -For troubleshooting, check /var/log/messages. - -** Authentication Server - -On the authentication server, install the apachekerbauth package. - -Edit /etc/httpd/conf.d/swift-auth.conf and set the KrbAuthRealms and -Krb5KeyTab parameters. - -The keytab must contain a HTTP/$HOSTNAME principal. Usually, you will -have to create the Kerberos principal on the KDC, export it, and copy -it to a keytab file on the Apache server. - -If SELinux is enabled, allow Apache to connect to memcache and -activate the changes by running - - setsebool -P httpd_can_network_connect 1 - setsebool -P httpd_can_network_memcache 1 - - service httpd reload - -For troubleshooting, see /var/log/httpd/error_log. - -* Testing - -The tests were done with curl on a machine set up as an IDM client, -using the Gluster volume rhs_ufo1. - -In IDM, we created the following user groups: - -- auth_reseller_admin - Users in this group get full access to all Swift accounts. - -- auth_rhs_ufo1 - Users in this group get full access to the rhs_ufo1 Swift account. - -Next, we created the following users in IDM: - -- auth_admin - Member of the auth_reseller_admin group - -- rhs_ufo1_admin - Member of the auth_rhs_ufo1 group - -- jsmith - No relevant group membership - -The authentication tokens were then retrieved with the following -commands: - - kinit auth_admin - curl -v -u : --negotiate --location-trusted \ - http://rhs1.example.com:8080/auth/v1.0 - - kinit rhs_ufo1_admin - curl -v -u : --negotiate --location-trusted \ - http://rhs1.example.com:8080/auth/v1.0 - - kinit jsmith - curl -v -u : --negotiate --location-trusted \ - http://rhs1.example.com:8080/auth/v1.0 - -Each of these commands should output the following two lines: - -< X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0 -... -
1365195860 / auth_admin,auth_reseller_admin
- -The first line contains the authentication token that is used in -subsequent requests. - -The second line is printed by the swift-auth CGI script for debugging -- it lists the token expiration (in seconds since January 1, 1970) and -the user's groups. - -Next, we try to get information about the Swift account, replacing the -AUTH_tk* with one of the tokens we got with the commands above. This -should display statistics, and the list of container names when used -with the the admin users. For jsmith, you should get a 403 Forbidden -error. - - curl -v -X GET \ - -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1 - -With one of the admin accounts, create a new container and a new -object in that container: - - curl -v -X PUT \ - -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures - - curl -v -X PUT \ - -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \ - -H 'Content-Length: 0' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png - -Grant permission for jsmith to list and download objects from the -pictures container: - - curl -v -X POST \ - -H 'X-Auth-Token: AUTH_tkdbf7725c1e4ad1ebe9ab0d7098d425f2' \ - -H 'X-Container-Read: jsmith' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures - -List the container contents using the authentication token for jsmith: - - curl -v -X GET \ - -H 'X-Auth-Token: AUTH_tkef8b417ac0c2a73a80ab3b8db85254e2' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures - -Try to access a resource without an authentication token. This will -return a 303 redirect: - - curl -v -X GET \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png - -For curl to follow the redirect, you need to specify additional -options. With these, and with a current Kerberos ticket, you should -get the Kerberos user's cached authentication token, or a new one if -the previous token has expired. - - curl -v -u : --negotiate --location-trusted -X GET \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png - -* Implementation Details - -** Architecture - -The Swift API is HTTP-based. As described in the Swift documentation -[1], clients first make a request to an authentication URL, providing -a username and password. The reply contains a token which is used in -all subsequent requests. - -Swift has a chain of filters through which all client requests go. The -filters to use are configured with the pipeline parameter in -/etc/swift/proxy-server.conf: - - [pipeline:main] - pipeline = healthcheck cache tempauth proxy-server - -For the single sign authentication, we added a new filter called -"kerbauth" and put it into the filter pipeline in place of tempauth. - -The filter checks the URL for each client request. If it matches the -authentication URL, the client is redirected to a URL on a different -server. The URL is handled by a CGI script, which is set up to -authenticate the client with Kerberos negotiation, retrieve the user's -system groups [2], store them in a memcache ring shared with the Swift -server, and return the authentication token to the client. - -When the client provides the token as part of a resource request, the -kerbauth filter checks it against its memcache, grants administrator -rights based on the group membership retrieved from memcache, and -either grants or denies the resource access. - -[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html - -[2] The user data and system groups are usually provided by Red Hat - Enterprise Linux identity Management or Microsoft Active - Directory. The script relies on the system configuration to be set - accordingly (/etc/nsswitch.conf). - -** swiftkerbauth.py - -The script /usr/lib/python2.6/site-packages/swiftkerbauth.py began as -a copy of the tempauth.py script from -/usr/lib/python2.6/site-packages/swift/common/middleware. It contains -the following modifications, among others: - -In the __init__ method, we read the ext_authentication_url parameter -from /etc/swift/proxy-server.conf. This is the URL that clients are -redirected to when they access either the Swift authentication URL, or -when they request a resource without a valid authentication token. - -The configuration in proxy-server.conf looks like this: - - [filter:kerbauth] - paste.filter_factory = swiftkerbauth:filter_factory - ext_authentication_url = http://rhel6-4.localdomain/cgi-bin/swift-auth - -The authorize method was changed so that global administrator rights -are granted if the user is a member of the auth_reseller_admin -group. Administrator rights for a specific account like vol1 are -granted if the user is a member of the auth_vol1 group. [3] - -The denied_response method was changed to return a HTTP redirect to -the external authentication URL if no valid token was provided by the -client. - -Most of the handle_get_token method was moved to the external -authentication script. This method now returns a HTTP redirect. - -In the __call__ and get_groups method, we removed support for the -HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is -used. - -Like tempauth.py, swiftkerbauth.py uses a Swift wrapper to access -memcache. This wrapper converts the key to an MD5 hash and uses the -hash value to determine on which of a pre-defined list of servers to -store the data. - -[3] "auth" is the default reseller prefix, and would be different if - the reseller_prefix parameter in proxy-server.conf was set. - -** swift-auth CGI Script - -swift-auth resides on an Apache server and assumes that Apache is -configured to authenticate the user before this script is -executed. The script retrieves the username from the REMOTE_USER -environment variable, and checks if there already is a token for this -user in the memcache ring. If not, it generates a new one, retrieves -the user's system groups with "id -Gn USERNAME", stores this -information in the memcache ring, and returns the token to the client. - -For the Swift filter to be able to find the information, it was -important to use the Swift memcached module. Because we don't want to -require a full Swift installation on the authentication server, -/usr/lib/python2.6/site-packages/swift/common/memcached.py from the -Swift server was copied to /var/www/cgi-bin on the Apache server. - -To allow the CGI script to connect to memcache, the SELinux booleans -httpd_can_network_connect and httpd_can_network_memcache had to be -set. - -The tempauth filter uses the uuid module to generate token -strings. This module creates and runs temporary files, which leads to -AVC denial messages in /var/log/audit/audit.log when used from an -Apache CGI script. While the module still works, the audit log would -grow quickly. Instead of writing an SELinux policy module to allow or -to silently ignore these accesses, the swift-auth script uses the -"random" module for generating token strings. - -Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides -method to list the locally defined user groups. To include groups from -Red Hat Enterprise Linux Identity Management and in the future from -Active Directory, the "id" command is run in a subprocess. - -* Reference Material - -Red Hat Storage Administration Guide: -https://access.redhat.com/knowledge/docs/Red_Hat_Storage/ - -Swift Documentation: -http://docs.openstack.org/developer/swift/ diff --git a/doc/architecture.md b/doc/architecture.md new file mode 100644 index 0000000..cfe64d2 --- /dev/null +++ b/doc/architecture.md @@ -0,0 +1,106 @@ +# Architecture + +The Swift API is HTTP-based. As described in the Swift documentation +[1], clients first make a request to an authentication URL, providing +a username and password. The reply contains a token which is used in +all subsequent requests. + +Swift has a chain of filters through which all client requests go. The +filters to use are configured with the pipeline parameter in +/etc/swift/proxy-server.conf: + + [pipeline:main] + pipeline = healthcheck cache tempauth proxy-server + +For the single sign authentication, we added a new filter called +"kerbauth" and put it into the filter pipeline in place of tempauth. + +The filter checks the URL for each client request. If it matches the +authentication URL, the client is redirected to a URL on a different +server (on the same machine). The URL is handled by a CGI script, which +is set up to authenticate the client with Kerberos negotiation, retrieve +the user's system groups [2], store them in a memcache ring shared with +the Swift server, and return the authentication token to the client. + +When the client provides the token as part of a resource request, the +kerbauth filter checks it against its memcache, grants administrator +rights based on the group membership retrieved from memcache, and +either grants or denies the resource access. + +[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html + +[2] The user data and system groups are usually provided by Red Hat + Enterprise Linux identity Management or Microsoft Active + Directory. The script relies on the system configuration to be set + accordingly (/etc/nsswitch.conf). + +***** + +## kerbauth.py + +The script /usr/lib/python2.6/site-packages/swiftkerbauth/kerbauth.py began as +a copy of the tempauth.py script from +/usr/lib/python2.6/site-packages/swift/common/middleware. It contains +the following modifications, among others: + +In the __init__ method, we read the ext_authentication_url parameter +from /etc/swift/proxy-server.conf. This is the URL that clients are +redirected to when they access either the Swift authentication URL, or +when they request a resource without a valid authentication token. + +The configuration in proxy-server.conf looks like this: + + [filter:kerbauth] + use = egg:swiftkerbauth#kerbauth + ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth + +The authorize method was changed so that global administrator rights +are granted if the user is a member of the auth_reseller_admin +group. Administrator rights for a specific account like vol1 are +granted if the user is a member of the auth_vol1 group. [3] + +The denied_response method was changed to return a HTTP redirect to +the external authentication URL if no valid token was provided by the +client. + +Most of the handle_get_token method was moved to the external +authentication script. This method now returns a HTTP redirect. + +In the __call__ and get_groups method, we removed support for the +HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is +used. + +Like tempauth.py, kerbauth.py uses a Swift wrapper to access +memcache. This wrapper converts the key to an MD5 hash and uses the +hash value to determine on which of a pre-defined list of servers to +store the data. + +[3] "auth" is the default reseller prefix, and would be different if + the reseller_prefix parameter in proxy-server.conf was set. + +## swift-auth CGI script + +swift-auth resides on an Apache server and assumes that Apache is +configured to authenticate the user before this script is +executed. The script retrieves the username from the REMOTE_USER +environment variable, and checks if there already is a token for this +user in the memcache ring. If not, it generates a new one, retrieves +the user's system groups with "id -Gn USERNAME", stores this +information in the memcache ring, and returns the token to the client. + +To allow the CGI script to connect to memcache, the SELinux booleans +httpd_can_network_connect and httpd_can_network_memcache had to be +set. + +The tempauth filter uses the uuid module to generate token +strings. This module creates and runs temporary files, which leads to +AVC denial messages in /var/log/audit/audit.log when used from an +Apache CGI script. While the module still works, the audit log would +grow quickly. Instead of writing an SELinux policy module to allow or +to silently ignore these accesses, the swift-auth script uses the +"random" module for generating token strings. + +Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides +method to list the locally defined user groups. To include groups from +Red Hat Enterprise Linux Identity Management and in the future from +Active Directory, the "id" command is run in a subprocess. diff --git a/doc/ipa_client.md b/doc/ipa_client.md new file mode 100644 index 0000000..f6afc42 --- /dev/null +++ b/doc/ipa_client.md @@ -0,0 +1,80 @@ +#IPA Client Guide + +##Contents +* [Setup Overview] (#setup) +* [Configure Network] (#network) +* [Installing IPA Client] (#ipa-client) + + +##Setup Overview +We have used a F18 box as IPA client machine and used FreeIPA client. +This document borrows instructions from the following more detailed guide. +[RHEL 6 Identity Management Guide][] + + + +## Configure network + +Set hostname (FQDN) to client.rhelbox.com +> hostnamectl set-hostname "client.rhelbox.com" +> +> hostname "client.rhelbox.com" + +Add following to /etc/sysconfig/network: + + HOSTNAME=client.rhelbox.com + +Add the following to /etc/hostname + + client.rhelbox.com + +Add the following to /etc/hosts + + 192.168.56.110 server.rhelbox.com server + 192.168.56.101 client.rhelbox.com client + +Logout and login again and verify hostname : +> hostname --fqdn + +Edit */etc/resolv.conf* to add this at beginning of file + + nameserver 192.168.56.110 + +Warning: NetworkManager changes resolv.conf on restart + +Turn off firewall +> service iptables stop +> +> chkconfig iptables off + + +## Installing IPA Client + +Install IPA client packages: + +For RHEL: +> yum install ipa-client ipa-admintools + +For Fedora: +> yum install freeipa-client freeipa-admintools + +Install IPA client and add to domain: +>ipa-client-install --enable-dns-updates + + Discovery was successful! + Hostname: client.rhelbox.com + Realm: RHELBOX.COM + DNS Domain: rhelbox.com + IPA Server: server.rhelbox.com + BaseDN: dc=rhelbox,dc=com + + Continue to configure the system with these values? [no]: yes + User authorized to enroll computers: admin + +Check if client is configured correctly: +> kinit admin +> +> getent passwd admin + + +[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ diff --git a/doc/ipa_server.md b/doc/ipa_server.md new file mode 100644 index 0000000..ef12b53 --- /dev/null +++ b/doc/ipa_server.md @@ -0,0 +1,134 @@ +#IPA Server Guide + +##Contents +* [Setup Overview] (#setup) +* [Configure Network] (#network) +* [Installing IPA Server] (#ipa-server) +* [Configuring DNS] (#dns) +* [Adding Users and Groups] (#users-groups) + + + +##Setup Overview +We have used a RHEL 6.4 box as IPA and DNS server. This document borrows +instructions from the following more detailed guide. +[RHEL 6 Identity Management Guide][] + + + +## Configure network + +Change hostname (FQDN) to server.rhelbox.com +> hostname "server.rhelbox.com" + +Add following to */etc/sysconfig/network* file + + HOSTNAME=server.rhelbox.com + +Add the following to */etc/hosts* file + + 192.168.56.110 server.rhelbox.com server + 192.168.56.101 client.rhelbox.com client + +Logout and login again and verify new hostname +> hostname --fqdn + +Turn off firewall +> service iptables stop +> +> chkconfig iptables off + + + +## Installing IPA Server + +Install IPA server packages and DNS dependencies +> yum install ipa-server bind bind-dyndb-ldap + +Run the following interactive setup to install IPA server with DNS +> ipa-server-install --setup-dns + + The IPA Master Server will be configured with: + Hostname: server.rhelbox.com + IP address: 192.168.56.110 + Domain name: rhelbox.com + Realm name: RHELBOX.COM + + BIND DNS server will be configured to serve IPA domain with: + Forwarders: No forwarders + Reverse zone: 56.168.192.in-addr.arpa. + +The installation may take some time. + +Check if IPA is installed correctly : +> kinit admin +> +> ipa user-find admin + + + +## Configuring DNS + +Edit */etc/resolv.conf* to add this at beginning of file : + + nameserver 192.168.56.110 + +Warning: NetworkManager changes resolv.conf on restart + +Add a DNS A record and PTR record for the client under rhelbox.com zone +> ipa dnsrecord-add rhelbox.com client --a-rec=192.168.56.101 --a-create-reverse + +Check if DNS resolution is working by running : + +> dig server.rhelbox.com + + ;; ANSWER SECTION: + server.rhelbox.com. 1200 IN A 192.168.56.110 + +> dig client.rhelbox.com + + ;; ANSWER SECTION: + client.rhelbox.com. 86400 IN A 192.168.56.101 + +Check if reverse resolution works : + +> dig -t ptr 101.56.168.192.in-addr.arpa. + + ;; ANSWER SECTION: + 101.56.168.192.in-addr.arpa. 86400 IN PTR client.rhelbox.com. + + +> dig -t ptr 110.56.168.192.in-addr.arpa. + + ;; ANSWER SECTION: + 110.56.168.192.in-addr.arpa. 86400 IN PTR server.rhelbox.com. + + + +## Adding users and groups + +Create *auth_reseller_admin* user group +> ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts" + +Create *auth_rhs_test* user group +> ipa group-add auth_rhs_test --desc="Full access to rhs_test account" + +Create user *auth_admin* user as member of *auth_reseller_admin* user group +> ipa user-add auth_admin --first=Auth --last=Admin --password +> +> ipa group-add-member auth_reseller_admin --users=auth_admin + +Create user *rhs_test_admin* as member of *auth_rhs_test* user group +> ipa user-add rhs_test_admin --first=RHS --last=Admin --password +> +> ipa group-add-member auth_rhs_test --users=rhs_test_admin + +Create user *jsmith* with no relevant group membership +> ipa user-add rhs_test_admin --first=RHS --last=Admin --password + +You can verify users have been added by running +>ipa user-find admin + +NOTE: Every user has to change password on first login. + +[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/ diff --git a/doc/swiftkerbauth_guide.md b/doc/swiftkerbauth_guide.md new file mode 100644 index 0000000..eaebca5 --- /dev/null +++ b/doc/swiftkerbauth_guide.md @@ -0,0 +1,427 @@ +#swiftkerbauth + +* [Installing Kerberos module for Apache on IPA client] (#httpd-kerb-install) +* [Creating HTTP Service Principal on IPA server] (#http-principal) +* [Installing and configuring swiftkerbauth on IPA client] (#install-swiftkerbauth) +* [Using swiftkerbauth] (#use-swiftkerbauth) + + +## Installing Kerberos module for Apache on IPA client + +Install httpd server with kerberos module: +> yum install httpd mod_auth_kerb +> +> service httpd restart + +Check if auth_kerb_module is loaded : +> httpd -M | grep kerb + +Change httpd log level to debug by adding/changing the following in +*/etc/httpd/conf/httpd.conf* file + + LogLevel debug + +httpd logs are at */var/log/httpd/error_log* for troubleshooting + +If SELinux is enabled, allow Apache to connect to memcache and +activate the changes by running +>setsebool -P httpd_can_network_connect 1 +> +>setsebool -P httpd_can_network_memcache 1 + +***** + + +## Creating HTTP Service Principal on IPA server + +Add a HTTP Kerberos service principal : +> ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM + +Retrieve the HTTP service principal to a keytab file: +> ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab + +Copy keytab file to client: +> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab + +***** + + +##Installing and configuring swiftkerbauth on IPA client + +Prerequisites for installing swiftkerbauth +* swift (havana) +* gluster-swift (optional) + +You can install swiftkerbauth using one of these three ways: + +Installing swiftkerbauth from source: +> python setup.py install + +Installing swiftkerbauth using pip: +> pip install swiftkerbauth + +Installing swiftkerbauth from RPMs: +> ./makerpm.sh +> +> rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm + +Edit */etc/httpd/conf.d/swift-auth.conf* and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly. +More detail on configuring kerberos for apache can be found at: +[auth_kerb_module Configuration][] + +Make /etc/httpd/conf/http.keytab readable by any user : +> chmod 644 /etc/httpd/conf/http.keytab + +And preferably change owner of keytab file to apache : +> chown apache:apache /etc/httpd/conf/http.keytab + +Reload httpd +> service httpd reload + +Make authentication script executable: +> chmod +x /var/www/cgi-bin/swift-auth + +***** + + +##Using swiftkerbauth + +### Adding kerbauth filter in swift pipeline + +Edit */etc/swift/proxy-server.conf* and add a new filter section as follows: + + [filter:kerbauth] + use = egg:swiftkerbauth#kerbauth + ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth + +Add kerbauth to pipeline + + [pipeline:main] + pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server + +If the Swift server is not one of your Gluster nodes, edit +*/etc/swift/fs.conf* and change the following lines in the DEFAULT +section: + + mount_ip = RHS_NODE_HOSTNAME + remote_cluster = yes + +Restart swift to activate kerbauth filer +> swift-init main restart + + +###Examples + +####Authenticate user and get Kerberos ticket + +> kinit auth_admin + +NOTE: curl ignores user specified in -u option. All further curl commands +will use the currently authenticated auth_admin user. + +####Get an authentication token: +> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0 + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > GET /auth/v1.0 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > + < HTTP/1.1 303 See Other + < Content-Type: text/html; charset=UTF-8 + < Location: http://client.rhelbox.com/cgi-bin/swift-auth + < Content-Length: 0 + < X-Trans-Id: txecd415aae89b4320b6145-0052417ea5 + < Date: Tue, 24 Sep 2013 11:59:33 GMT + < + * Connection #0 to host client.rhelbox.com left intact + * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' + * About to connect() to client.rhelbox.com port 80 (#1) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1) + > GET /cgi-bin/swift-auth HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com + > Accept: */* + > + < HTTP/1.1 401 Unauthorized + < Date: Tue, 24 Sep 2013 11:59:33 GMT + < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 + < WWW-Authenticate: Negotiate + < WWW-Authenticate: Basic realm="Swift Authentication" + < Content-Length: 381 + < Content-Type: text/html; charset=iso-8859-1 + < + * Ignoring the response-body + * Connection #1 to host client.rhelbox.com left intact + * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' + * Re-using existing connection! (#1) with host (nil) + * Connected to (nil) (192.168.56.101) port 80 (#1) + * Server auth using GSS-Negotiate with user '' + > GET /cgi-bin/swift-auth HTTP/1.1 + > Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4= + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com + > Accept: */* + > + < HTTP/1.1 200 OK + < Date: Tue, 24 Sep 2013 11:59:33 GMT + < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 + < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y + < X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a + < X-Debug-Remote-User: auth_admin + < X-Debug-Groups: auth_admin,auth_reseller_admin + < X-Debug-Token-Life: 86400s + < X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013 + < Content-Length: 0 + < Content-Type: text/html; charset=UTF-8 + < + * Connection #1 to host (nil) left intact + * Closing connection #0 + * Closing connection #1 + +The header *X-Auth-Token* in response contains the token *AUTH_tk083b8abc92f4a514f34224a181ed568a*. + +####PUT a container +>curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > PUT /v1/AUTH_myvolume/c1 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a + > + < HTTP/1.1 201 Created + < Content-Length: 0 + < Content-Type: text/html; charset=UTF-8 + < X-Trans-Id: txc420b0ebf9714445900e8-0052418863 + < Date: Tue, 24 Sep 2013 12:41:07 GMT + < + * Connection #0 to host client.rhelbox.com left intact + * Closing connection #0 + +####GET a container listing +> curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > GET /v1/AUTH_myvolume HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a + > + < HTTP/1.1 200 OK + < Content-Length: 3 + < X-Account-Container-Count: 0 + < Accept-Ranges: bytes + < X-Account-Object-Count: 0 + < X-Bytes-Used: 0 + < X-Timestamp: 1379997117.09468 + < X-Object-Count: 0 + < X-Account-Bytes-Used: 0 + < X-Type: Account + < Content-Type: text/plain; charset=utf-8 + < X-Container-Count: 0 + < X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc + < Date: Tue, 24 Sep 2013 12:43:08 GMT + < + c1 + * Connection #0 to host client.rhelbox.com left intact + * Closing connection #0 + +####PUT an object in container +> curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world' + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a + > Content-Length: 11 + > Content-Type: application/x-www-form-urlencoded + > + * upload completely sent off: 11 out of 11 bytes + < HTTP/1.1 201 Created + < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT + < Content-Length: 0 + < Etag: 3e25960a79dbc69b674cd4ec67a72c62 + < Content-Type: text/html; charset=UTF-8 + < X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0 + < Date: Wed, 25 Sep 2013 06:08:01 GMT + < + * Connection #0 to host client.rhelbox.com left intact + * Closing connection #0 + +####Give permission to jsmith to list and download objects from c1 container +> curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > POST /v1/AUTH_myvolume/c1 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a + > X-Container-Read: jsmith + > + < HTTP/1.1 204 No Content + < Content-Length: 0 + < Content-Type: text/html; charset=UTF-8 + < X-Trans-Id: txcedea3e2557d463eb591d-0052427f60 + < Date: Wed, 25 Sep 2013 06:14:56 GMT + < + * Connection #0 to host client.rhelbox.com left intact + * Closing connection #0 + +####Access container as jsmith + +> kinit jsmith + +Get token for jsmith +> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0 + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > GET /auth/v1.0 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > + < HTTP/1.1 303 See Other + < Content-Type: text/html; charset=UTF-8 + < Location: http://client.rhelbox.com/cgi-bin/swift-auth + < Content-Length: 0 + < X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b + < Date: Wed, 25 Sep 2013 06:17:47 GMT + < + * Connection #0 to host client.rhelbox.com left intact + * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' + * About to connect() to client.rhelbox.com port 80 (#1) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1) + > GET /cgi-bin/swift-auth HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com + > Accept: */* + > + < HTTP/1.1 401 Unauthorized + < Date: Wed, 25 Sep 2013 06:17:47 GMT + < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 + < WWW-Authenticate: Negotiate + < WWW-Authenticate: Basic realm="Swift Authentication" + < Content-Length: 381 + < Content-Type: text/html; charset=iso-8859-1 + < + * Ignoring the response-body + * Connection #1 to host client.rhelbox.com left intact + * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' + * Re-using existing connection! (#1) with host (nil) + * Connected to (nil) (192.168.56.101) port 80 (#1) + * Server auth using GSS-Negotiate with user '' + > GET /cgi-bin/swift-auth HTTP/1.1 + > Authorization: Negotiate YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFbYYIBVzCCAVOgAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARQwggEQoAMCARKhAwIBAaKCAQIEgf/+3OaXYCSEjcsjU3t3lOLcYG84GBP9Kj9YTHc7yVMlcam4ivCwMqCkzxgvNo2E3a5KSWyFwngeX4b/QFbCKPXA4sfBibZRkeMk5gr2f0MLI3gWEAIYq7bJLre04bnkD2F0MzijPJrOLIx1KmFe08UGWCEmnG2uj07lvIR1RwV/7dMM4J1B+KKvDVKA0LxahwPIpx8oOON2yMGcstrBAHBBk5pmpt1Gg9Lh7xdNPsjP0IfI5Q0zkGCRBKpvpXymP1lQpQXlHbqkdBYOmG4+p/R+vIosO4ui1G6GWE9t71h3AqW61CcCj3/oOjZsG56k8HMSNk/+3mfUTP86nzLRGkekgc4wgcugAwIBEqKBwwSBwPsG9nGloEnOsA1abP4R1/yUDcikjjwKiacvZ+cu7bWEzu3L376k08U8C2YIClyUJy3Grt68LxhnfZ65VCZ5J5IOLiXOJnHBIoJ1L4GMYp4EgZzHvI7R3U3DApMzNWZwc1MsSF5UGhmLwxSevDLetJHjgKzKNteRyVN/8CFgjSBEjGSN1Qgy1RZHuQR9d3JHPczONZ4+ZgStfy+I1m2IUIgW3+4JGFVafHiBQVwSWRNfdXFgI3wBz7slntd7r3qMWA== + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com + > Accept: */* + > + < HTTP/1.1 200 OK + < Date: Wed, 25 Sep 2013 06:17:47 GMT + < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 + < WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8= + < X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 + < X-Debug-Remote-User: jsmith + < X-Debug-Groups: jsmith + < X-Debug-Token-Life: 86400s + < X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013 + < Content-Length: 0 + < Content-Type: text/html; charset=UTF-8 + < + * Connection #1 to host (nil) left intact + * Closing connection #0 + * Closing connection #1 + +List the container using authentication token for jsmith: +> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > GET /v1/AUTH_myvolume/c1 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 + > + < HTTP/1.1 200 OK + < Content-Length: 8 + < X-Container-Object-Count: 0 + < Accept-Ranges: bytes + < X-Timestamp: 1 + < X-Container-Bytes-Used: 0 + < Content-Type: text/plain; charset=utf-8 + < X-Trans-Id: tx575215929c654d9f9f284-00524280a4 + < Date: Wed, 25 Sep 2013 06:20:20 GMT + < + object1 + * Connection #0 to host client.rhelbox.com left intact + * Closing connection #0 + +Downloading the object as jsmith: +> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 + + * About to connect() to client.rhelbox.com port 8080 (#0) + * Trying 192.168.56.101... + * connected + * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) + > GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1 + > User-Agent: curl/7.27.0 + > Host: client.rhelbox.com:8080 + > Accept: */* + > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 + > + < HTTP/1.1 200 OK + < Content-Length: 11 + < Accept-Ranges: bytes + < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT + < Etag: 3e25960a79dbc69b674cd4ec67a72c62 + < X-Timestamp: 1380089280.98829 + < Content-Type: application/x-www-form-urlencoded + < X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa + < Date: Wed, 25 Sep 2013 06:24:42 GMT + < + * Connection #0 to host client.rhelbox.com left intact + Hello world* Closing connection #0 + +For curl to follow the redirect, you need to specify additional +options. With these, and with a current Kerberos ticket, you should +get the Kerberos user's cached authentication token, or a new one if +the previous token has expired. + +> curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 + +The --negotiate option is for curl to perform Kerberos authentication and +--location-trusted is for curl to follow the redirect. + +[auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html diff --git a/setup.py b/setup.py index 01210df..65aab59 100644 --- a/setup.py +++ b/setup.py @@ -19,6 +19,9 @@ from setuptools import setup from swiftkerbauth import __version__ import os +with open('README.md') as file: + long_description = file.read() + # Ugly hack to exclude data_files if running in tox as non root def include_data_files(): @@ -40,6 +43,7 @@ setup( license='Apache License (2.0)', author='Red Hat, Inc.', author_email='gluster-users@gluster.org', + long_description=long_description, url='https://forge.gluster.org/swiftkerbauth', packages=['swiftkerbauth'], keywords='openstack swift kerberos', diff --git a/swiftkerbauth/kerbauth.py b/swiftkerbauth/kerbauth.py index 323a677..612299d 100644 --- a/swiftkerbauth/kerbauth.py +++ b/swiftkerbauth/kerbauth.py @@ -46,7 +46,7 @@ class KerbAuth(object): And add a kerbauth filter section, such as:: [filter:kerbauth] - use = egg:swift#kerbauth + use = egg:swiftkerbauth#kerbauth See the proxy-server.conf-sample for more information. -- cgit