diff options
author | Thiago da Silva <thiago@redhat.com> | 2014-04-22 14:15:02 -0400 |
---|---|---|
committer | Prashanth Pai <ppai@redhat.com> | 2016-01-06 07:53:12 -0800 |
commit | 2a8f9f0f530327039c32e444b6a27130b12666bd (patch) | |
tree | e24e38b5b3c0245a0acafc63fc50bacbf7de718a /doc/markdown/swiftkerbauth/swiftkerbauth_guide.md | |
parent | 4c6ca1db931377b75583f61a7bca262cfc27b0fa (diff) |
Update repo
This is a squashed commit imported from this repo:
https://github.com/openstack/swiftonfile/tree/icehouse
Contains the follwing commits from above mentioned repo:
eb50236 Merge "Backport: Fix metadata overall limits bug" into icehouse
79ea52a Backport: Fix metadata overall limits bug
bc43f0b Fix inconsistent data being returned on GET
ad0bb79 Import HTTPBadRequest from swift's module
74d02e6 Exclude .trashcan dir from container listing
b2dbc15 Catch ESTALE in addition to ENOENT
8d60b48 Properly handle read_metadata() exceptions
6762fc6 Fix object server leaking file descriptors
2842e82 Fix API incompatibility in update_metadata()
2beeef6 Merge "Remove swiftkerbauth code" into icehouse
93dbcb5 Update object-expirer.conf with explanations
c9d2f09 Merge "Check if /etc/swift exists in ring builder" into icehouse
d66c14c Remove swiftkerbauth code
3142ed2 Add object expiration functests
97153d1 Merge "Cleanup functest and undo old patch" into icehouse
bc234d0 Remove old travis config file and fix typo
260c8ef Check if /etc/swift exists in ring builder
637dac9 Cleanup functest and undo old patch
051e068 Merge pull request #35 from prashanthpai/backport-1
be104a3 Merge pull request #36 from prashanthpai/backport-2
ff76f42 fix issue with GET on large object (icehouse-backport)
04d0a99 Fix unlink call after successful rename
4c6ca1d updating README file with project name change
10b2680 Merge pull request #18 from thiagol11/icehouse
5bcab8f Updating version on __init__ file
5c2cba2 Merge pull request #15 from thiagol11/update_spec
52b00a8 updating spec file to add dependency on swift icehouse
ae7c93b Merge pull request #6 from prashanthpai/rebase
191e55b Revert: allow non-root user to run functests
cb7e968 Modify unit tests and func tests
d23fd1b Sync with OpenStack Swift v1.13.1
b6d1671 Merge pull request #12 from pushpesh/functionalnosetestremove
962622b Merge pull request #8 from thiagol11/update_readme
4560857 Merge pull request #9 from prashanthpai/spec-expirer
be0ae7e Minor update
65000f1 Removing functionalnosetests
8ab1069 Fix object-expirer.conf-gluster RPM build error
afee30f added new support filesystem section
527b01f updated README.md to Swift-On-File
9a240c7 Merge pull request #3 from thiagol11/add_jenkins_to_travis
34b5a8b removing blank lines
3568b64 fixing missing fi
d8f5b0f adding support to run jenkins triggered by travis
6f4a88c Removing functionalnosetests
8041944 Update README.md
c015148 Merge pull request #2 from thiagol11/master
3ddd952 fixing travis file to run correct unit test
c582669 adding travis status badge to README
8093096 adding py26 unit testing to travis
37835fd trigger travis build
cb6332a adding travis ci testing
All tests have been run sucessfully against this.
tox -e p2p8,py27,functest
Change-Id: I096b611da852d3eb3913844034b443b8272c2ac4
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/13188
Diffstat (limited to 'doc/markdown/swiftkerbauth/swiftkerbauth_guide.md')
-rw-r--r-- | doc/markdown/swiftkerbauth/swiftkerbauth_guide.md | 517 |
1 files changed, 0 insertions, 517 deletions
diff --git a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md deleted file mode 100644 index 5da1827..0000000 --- a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md +++ /dev/null @@ -1,517 +0,0 @@ -#swiftkerbauth - -* [Installing Kerberos module for Apache] (#httpd-kerb-install) -* [Creating HTTP Service Principal] (#http-principal) -* [Installing and configuring swiftkerbauth] (#install-swiftkerbauth) -* [Using swiftkerbauth] (#use-swiftkerbauth) -* [Configurable Parameters] (#config-swiftkerbauth) -* [Functional tests] (#swfunctest) - -<a name="httpd-kerb-install" /> -## Installing Kerberos module for Apache on IPA client - -Install httpd server with kerberos module: -> yum install httpd mod_auth_kerb -> -> service httpd restart - -Check if auth_kerb_module is loaded : -> httpd -M | grep kerb - -Change httpd log level to debug by adding/changing the following in -*/etc/httpd/conf/httpd.conf* file - - LogLevel debug - -httpd logs are at */var/log/httpd/error_log* for troubleshooting - -If SELinux is enabled, allow Apache to connect to memcache and -activate the changes by running ->setsebool -P httpd_can_network_connect 1 -> ->setsebool -P httpd_can_network_memcache 1 - -***** - -<a name="http-principal" /> -## Creating HTTP Service Principal on IPA server - -Add a HTTP Kerberos service principal : -> ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM - -Retrieve the HTTP service principal to a keytab file: -> ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab - -Copy keytab file to client: -> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab - -## Creating HTTP Service Principal on Windows AD server - -Add a HTTP Kerberos service principal: -> c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser -> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC -> -kvno 0 - -Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab - -***** - -<a name="install-swiftkerbauth" /> -##Installing and configuring swiftkerbauth on IPA client - -Prerequisites for installing swiftkerbauth -* swift (havana) -* gluster-swift (optional) - -You can install swiftkerbauth using one of these three ways: - -Installing swiftkerbauth from source: -> python setup.py install - -Installing swiftkerbauth using pip: -> pip install swiftkerbauth - -Installing swiftkerbauth from RPMs: -> ./makerpm.sh -> -> rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm - -Edit */etc/httpd/conf.d/swift-auth.conf* and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly. -More detail on configuring kerberos for apache can be found at: -[auth_kerb_module Configuration][] - -Make /etc/httpd/conf/http.keytab readable by any user : -> chmod 644 /etc/httpd/conf/http.keytab - -And preferably change owner of keytab file to apache : -> chown apache:apache /etc/httpd/conf/http.keytab - -Reload httpd -> service httpd reload - -Make authentication script executable: -> chmod +x /var/www/cgi-bin/swift-auth - -***** - -<a name="#use-swiftkerbauth" /> -##Using swiftkerbauth - -### Adding kerbauth filter in swift pipeline - -Edit */etc/swift/proxy-server.conf* and add a new filter section as follows: - - [filter:kerbauth] - use = egg:swiftkerbauth#kerbauth - ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth - auth_mode=passive - -Add kerbauth to pipeline - - [pipeline:main] - pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server - -If the Swift server is not one of your Gluster nodes, edit -*/etc/swift/fs.conf* and change the following lines in the DEFAULT -section: - - mount_ip = RHS_NODE_HOSTNAME - remote_cluster = yes - -Restart swift to activate kerbauth filer -> swift-init main restart - - -###Examples - -####Authenticate user and get Kerberos ticket - -> kinit auth_admin - -NOTE: curl ignores user specified in -u option. All further curl commands -will use the currently authenticated auth_admin user. - -####Get an authentication token: -> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /auth/v1.0 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > - < HTTP/1.1 303 See Other - < Content-Type: text/html; charset=UTF-8 - < Location: http://client.rhelbox.com/cgi-bin/swift-auth - < Content-Length: 0 - < X-Trans-Id: txecd415aae89b4320b6145-0052417ea5 - < Date: Tue, 24 Sep 2013 11:59:33 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * About to connect() to client.rhelbox.com port 80 (#1) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1) - > GET /cgi-bin/swift-auth HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 401 Unauthorized - < Date: Tue, 24 Sep 2013 11:59:33 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate - < WWW-Authenticate: Basic realm="Swift Authentication" - < Content-Length: 381 - < Content-Type: text/html; charset=iso-8859-1 - < - * Ignoring the response-body - * Connection #1 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * Re-using existing connection! (#1) with host (nil) - * Connected to (nil) (192.168.56.101) port 80 (#1) - * Server auth using GSS-Negotiate with user '' - > GET /cgi-bin/swift-auth HTTP/1.1 - > Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4= - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 200 OK - < Date: Tue, 24 Sep 2013 11:59:33 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y - < X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - < X-Debug-Remote-User: auth_admin - < X-Debug-Groups: auth_admin,auth_reseller_admin - < X-Debug-Token-Life: 86400s - < X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013 - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < - * Connection #1 to host (nil) left intact - * Closing connection #0 - * Closing connection #1 - -The header *X-Auth-Token* in response contains the token *AUTH_tk083b8abc92f4a514f34224a181ed568a*. - -####PUT a container ->curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > PUT /v1/AUTH_myvolume/c1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > - < HTTP/1.1 201 Created - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < X-Trans-Id: txc420b0ebf9714445900e8-0052418863 - < Date: Tue, 24 Sep 2013 12:41:07 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####GET a container listing -> curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /v1/AUTH_myvolume HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > - < HTTP/1.1 200 OK - < Content-Length: 3 - < X-Account-Container-Count: 0 - < Accept-Ranges: bytes - < X-Account-Object-Count: 0 - < X-Bytes-Used: 0 - < X-Timestamp: 1379997117.09468 - < X-Object-Count: 0 - < X-Account-Bytes-Used: 0 - < X-Type: Account - < Content-Type: text/plain; charset=utf-8 - < X-Container-Count: 0 - < X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc - < Date: Tue, 24 Sep 2013 12:43:08 GMT - < - c1 - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####PUT an object in container -> curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world' - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > Content-Length: 11 - > Content-Type: application/x-www-form-urlencoded - > - * upload completely sent off: 11 out of 11 bytes - < HTTP/1.1 201 Created - < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT - < Content-Length: 0 - < Etag: 3e25960a79dbc69b674cd4ec67a72c62 - < Content-Type: text/html; charset=UTF-8 - < X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0 - < Date: Wed, 25 Sep 2013 06:08:01 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####Give permission to jsmith to list and download objects from c1 container -> curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > POST /v1/AUTH_myvolume/c1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a - > X-Container-Read: jsmith - > - < HTTP/1.1 204 No Content - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < X-Trans-Id: txcedea3e2557d463eb591d-0052427f60 - < Date: Wed, 25 Sep 2013 06:14:56 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -####Access container as jsmith - -> kinit jsmith - -Get token for jsmith -> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /auth/v1.0 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > - < HTTP/1.1 303 See Other - < Content-Type: text/html; charset=UTF-8 - < Location: http://client.rhelbox.com/cgi-bin/swift-auth - < Content-Length: 0 - < X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b - < Date: Wed, 25 Sep 2013 06:17:47 GMT - < - * Connection #0 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * About to connect() to client.rhelbox.com port 80 (#1) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1) - > GET /cgi-bin/swift-auth HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 401 Unauthorized - < Date: Wed, 25 Sep 2013 06:17:47 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate - < WWW-Authenticate: Basic realm="Swift Authentication" - < Content-Length: 381 - < Content-Type: text/html; charset=iso-8859-1 - < - * Ignoring the response-body - * Connection #1 to host client.rhelbox.com left intact - * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth' - * Re-using existing connection! (#1) with host (nil) - * Connected to (nil) (192.168.56.101) port 80 (#1) - * Server auth using GSS-Negotiate with user '' - > GET /cgi-bin/swift-auth HTTP/1.1 - > Authorization: Negotiate YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFbYYIBVzCCAVOgAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARQwggEQoAMCARKhAwIBAaKCAQIEgf/+3OaXYCSEjcsjU3t3lOLcYG84GBP9Kj9YTHc7yVMlcam4ivCwMqCkzxgvNo2E3a5KSWyFwngeX4b/QFbCKPXA4sfBibZRkeMk5gr2f0MLI3gWEAIYq7bJLre04bnkD2F0MzijPJrOLIx1KmFe08UGWCEmnG2uj07lvIR1RwV/7dMM4J1B+KKvDVKA0LxahwPIpx8oOON2yMGcstrBAHBBk5pmpt1Gg9Lh7xdNPsjP0IfI5Q0zkGCRBKpvpXymP1lQpQXlHbqkdBYOmG4+p/R+vIosO4ui1G6GWE9t71h3AqW61CcCj3/oOjZsG56k8HMSNk/+3mfUTP86nzLRGkekgc4wgcugAwIBEqKBwwSBwPsG9nGloEnOsA1abP4R1/yUDcikjjwKiacvZ+cu7bWEzu3L376k08U8C2YIClyUJy3Grt68LxhnfZ65VCZ5J5IOLiXOJnHBIoJ1L4GMYp4EgZzHvI7R3U3DApMzNWZwc1MsSF5UGhmLwxSevDLetJHjgKzKNteRyVN/8CFgjSBEjGSN1Qgy1RZHuQR9d3JHPczONZ4+ZgStfy+I1m2IUIgW3+4JGFVafHiBQVwSWRNfdXFgI3wBz7slntd7r3qMWA== - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com - > Accept: */* - > - < HTTP/1.1 200 OK - < Date: Wed, 25 Sep 2013 06:17:47 GMT - < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4 - < WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8= - < X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 - < X-Debug-Remote-User: jsmith - < X-Debug-Groups: jsmith - < X-Debug-Token-Life: 86400s - < X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013 - < Content-Length: 0 - < Content-Type: text/html; charset=UTF-8 - < - * Connection #1 to host (nil) left intact - * Closing connection #0 - * Closing connection #1 - -List the container using authentication token for jsmith: -> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /v1/AUTH_myvolume/c1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 - > - < HTTP/1.1 200 OK - < Content-Length: 8 - < X-Container-Object-Count: 0 - < Accept-Ranges: bytes - < X-Timestamp: 1 - < X-Container-Bytes-Used: 0 - < Content-Type: text/plain; charset=utf-8 - < X-Trans-Id: tx575215929c654d9f9f284-00524280a4 - < Date: Wed, 25 Sep 2013 06:20:20 GMT - < - object1 - * Connection #0 to host client.rhelbox.com left intact - * Closing connection #0 - -Downloading the object as jsmith: -> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 - - * About to connect() to client.rhelbox.com port 8080 (#0) - * Trying 192.168.56.101... - * connected - * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0) - > GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1 - > User-Agent: curl/7.27.0 - > Host: client.rhelbox.com:8080 - > Accept: */* - > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447 - > - < HTTP/1.1 200 OK - < Content-Length: 11 - < Accept-Ranges: bytes - < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT - < Etag: 3e25960a79dbc69b674cd4ec67a72c62 - < X-Timestamp: 1380089280.98829 - < Content-Type: application/x-www-form-urlencoded - < X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa - < Date: Wed, 25 Sep 2013 06:24:42 GMT - < - * Connection #0 to host client.rhelbox.com left intact - Hello world* Closing connection #0 - -For curl to follow the redirect, you need to specify additional -options. With these, and with a current Kerberos ticket, you should -get the Kerberos user's cached authentication token, or a new one if -the previous token has expired. - -> curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 - -The --negotiate option is for curl to perform Kerberos authentication and ---location-trusted is for curl to follow the redirect. - -[auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html - - -#### Get an authentication token when auth_mode=passive: -> curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0 - -**NOTE**: X-Storage-Url response header can be returned only in passive mode. - -<a name="config-swiftkerbauth" /> -##Configurable Parameters - -The kerbauth filter section in **/etc/swift/proxy-server.conf** looks something -like this: - - [filter:kerbauth] - use = egg:swiftkerbauth#kerbauth - ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth - auth_method = active - token_life = 86400 - debug_headers = yes - realm_name = RHELBOX.COM - -Of all the options listed above, specifying **ext\_authentication\_url** is -mandatory. The rest of the options are optional and have default values. - -#### ext\_authentication\_url -A URL specifying location of the swift-auth CGI script. Avoid using IP address. -Default value: None - -#### token_life -After how many seconds the cached information about an authentication token is -discarded. -Default value: 86400 - -#### debug_headers -When turned on, the response headers sent to the user will contain additional -debug information apart from the auth token. -Default value: yes - -#### auth_method -Set this to **"active"** when you want to allow access **only to clients -residing inside the domain**. In this mode, authentication is performed by -mod\_auth\_kerb using the Kerberos ticket bundled with the client request. -No username and password have to be specified to get a token. -Set this to **"passive"** when you want to allow access to clients residing -outside the domain. In this mode, authentication is performed by gleaning -username and password from request headers (X-Auth-User and X-Auth-Key) and -running kinit command against it. -Default value: passive - -#### realm_name -This is applicable only when the auth_method=passive. This option specifies -realm name if storage server belongs to more than one realm and realm name is not -part of the username specified in X-Auth-User header. - -<a name="swfunctest" /> -##Functional tests for SwiftkerbAuth - -Functional tests to be run on the storage node after SwiftKerbAuth is setup using -either IPA server or Windows AD. The gluster-swift/doc/markdown/swiftkerbauth -directory contains the SwiftkerbAuth setup documents. There are two modes of -working with SwiftKerbAuth. 'PASSIVE' mode indicates the client is outside the -domain configured using SwiftKerbAuth. Client provides the 'Username' and -'Password' while invoking a command. SwiftKerbAuth auth filter code then -would get the ticket granting ticket from AD server or IPA server. -In 'ACTIVE' mode of SwiftKerbAuth, User is already logged into storage node using -its kerberos credentials. That user is authenticated across AD/IPA server. - -In PASSIVE mode all the generic functional tests are run. ACTIVE mode has a -different way of acquiring Ticket Granting Ticket. And hence the different -framework of functional tests there. - -The accounts, users, passwords must be prepared on AD/IPA server as per -mentioned in test/functional_auth/swiftkerbauth/conf/test.conf - -Command to invoke SwiftKerbAuth functional tests is -> $tox -e swfunctest - -This would run both ACTIVE and PASSIVE mode functional test cases. |