summaryrefslogtreecommitdiffstats
path: root/doc/markdown/swiftkerbauth/architecture.md
diff options
context:
space:
mode:
authorChetan Risbud <crisbud@redhat.com>2013-12-23 15:46:22 +0530
committerLuis Pabon <lpabon@redhat.com>2014-01-21 10:09:44 -0800
commit4b988ce3c598c8b59bd0ce77ab7854291c66549f (patch)
tree37186e691abd7444c800d02acadf3d84c4fc2b0e /doc/markdown/swiftkerbauth/architecture.md
parent6a8e9a70e9489a8f17405adf64462899d6a4ca81 (diff)
Initial import of the swiftkerbauth
Imported code till commit f64a3354185f32928e2568d9ece4a52fa4746c05 Changed a code bit to import correct definitions. kerbauth unit tests do run along with gluster-swift. Install script does install swiftkerbauth. import swiftkerbauth from http://review.gluster.org/swiftkrbauth.git Change-Id: Ia89f2b77cc68df10dee2f41ce074f3381ac3c408 Signed-off-by: Chetan Risbud <crisbud@redhat.com> Reviewed-on: http://review.gluster.org/6597 Reviewed-by: Prashanth Pai <ppai@redhat.com> Reviewed-by: Luis Pabon <lpabon@redhat.com> Tested-by: Luis Pabon <lpabon@redhat.com>
Diffstat (limited to 'doc/markdown/swiftkerbauth/architecture.md')
-rw-r--r--doc/markdown/swiftkerbauth/architecture.md105
1 files changed, 105 insertions, 0 deletions
diff --git a/doc/markdown/swiftkerbauth/architecture.md b/doc/markdown/swiftkerbauth/architecture.md
new file mode 100644
index 0000000..fc6d764
--- /dev/null
+++ b/doc/markdown/swiftkerbauth/architecture.md
@@ -0,0 +1,105 @@
+# Architecture
+
+The Swift API is HTTP-based. As described in the Swift documentation
+[1], clients first make a request to an authentication URL, providing
+a username and password. The reply contains a token which is used in
+all subsequent requests.
+
+Swift has a chain of filters through which all client requests go. The
+filters to use are configured with the pipeline parameter in
+/etc/swift/proxy-server.conf:
+
+ [pipeline:main]
+ pipeline = healthcheck cache tempauth proxy-server
+
+For the single sign authentication, we added a new filter called
+"kerbauth" and put it into the filter pipeline in place of tempauth.
+
+The filter checks the URL for each client request. If it matches the
+authentication URL, the client is redirected to a URL on a different
+server (on the same machine). The URL is handled by a CGI script, which
+is set up to authenticate the client with Kerberos negotiation, retrieve
+the user's system groups [2], store them in a memcache ring shared with
+the Swift server, and return the authentication token to the client.
+
+When the client provides the token as part of a resource request, the
+kerbauth filter checks it against its memcache, grants administrator
+rights based on the group membership retrieved from memcache, and
+either grants or denies the resource access.
+
+[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html
+
+[2] The user data and system groups are usually provided by Red Hat
+ Enterprise Linux identity Management or Microsoft Active
+ Directory. The script relies on the system configuration to be set
+ accordingly (/etc/nsswitch.conf).
+
+*****
+
+## kerbauth.py
+
+The script kerbauth.py began as a copy of the tempauth.py script from
+from tempauth middleware. It contains the following modifications, among
+others:
+
+In the __init__ method, we read the ext_authentication_url parameter
+from /etc/swift/proxy-server.conf. This is the URL that clients are
+redirected to when they access either the Swift authentication URL, or
+when they request a resource without a valid authentication token.
+
+The configuration in proxy-server.conf looks like this:
+
+ [filter:kerbauth]
+ use = egg:swiftkerbauth#kerbauth
+ ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+
+The authorize method was changed so that global administrator rights
+are granted if the user is a member of the auth_reseller_admin
+group. Administrator rights for a specific account like vol1 are
+granted if the user is a member of the auth_vol1 group. [3]
+
+The denied_response method was changed to return a HTTP redirect to
+the external authentication URL if no valid token was provided by the
+client.
+
+Most of the handle_get_token method was moved to the external
+authentication script. This method now returns a HTTP redirect.
+
+In the __call__ and get_groups method, we removed support for the
+HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is
+used.
+
+Like tempauth.py, kerbauth.py uses a Swift wrapper to access
+memcache. This wrapper converts the key to an MD5 hash and uses the
+hash value to determine on which of a pre-defined list of servers to
+store the data.
+
+[3] "auth" is the default reseller prefix, and would be different if
+ the reseller_prefix parameter in proxy-server.conf was set.
+
+## swift-auth CGI script
+
+swift-auth resides on an Apache server and assumes that Apache is
+configured to authenticate the user before this script is
+executed. The script retrieves the username from the REMOTE_USER
+environment variable, and checks if there already is a token for this
+user in the memcache ring. If not, it generates a new one, retrieves
+the user's system groups with "id -Gn USERNAME", stores this
+information in the memcache ring, and returns the token to the client.
+
+To allow the CGI script to connect to memcache, the SELinux booleans
+httpd_can_network_connect and httpd_can_network_memcache had to be
+set.
+
+The tempauth filter uses the uuid module to generate token
+strings. This module creates and runs temporary files, which leads to
+AVC denial messages in /var/log/audit/audit.log when used from an
+Apache CGI script. While the module still works, the audit log would
+grow quickly. Instead of writing an SELinux policy module to allow or
+to silently ignore these accesses, the swift-auth script uses the
+"random" module for generating token strings.
+
+Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides
+method to list the locally defined user groups. To include groups from
+Red Hat Enterprise Linux Identity Management and in the future from
+Active Directory, the "id" command is run in a subprocess.