authorPrashanth Pai <ppai@redhat.com>2016-08-05 14:25:08 +0530
committerThiago da Silva <thiago@redhat.com>2016-09-18 18:39:03 -0700
commit2318a57a1ea632f77d5f78dc11023fb3b7fc2ad0 (patch)
treec44ea8c7183e4080f1c574f58076a1088c670aa3 /gluster/swift/common/middleware/gswauth/swauth
parent83c50ae4ebd4d72988a781ec4183f1c62f6a63a4 (diff)
s3: Make s3 support configurable
Amazon S3 compatibility: This change makes S3 support tunable using a config option and is turned off by default. This is a manual backport of this upstream swauth change: https://review.openstack.org/#/c/326336/ Change-Id: I106e3274c6d68f4575c1bf1a9013f066e969cb17 Signed-off-by: Prashanth Pai <ppai@redhat.com> Reviewed-on: http://review.gluster.org/15098 Reviewed-by: Thiago da Silva <thiago@redhat.com> Tested-by: Thiago da Silva <thiago@redhat.com>
Diffstat (limited to 'gluster/swift/common/middleware/gswauth/swauth')
-rw-r--r--gluster/swift/common/middleware/gswauth/swauth/middleware.py18
1 files changed, 18 insertions, 0 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
index 48f1d71..7a6d713 100644
--- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py
+++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py
@@ -148,6 +148,18 @@ class Swauth(object):
'Invalid auth_type in config file: %s'
% self.auth_type)
self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt')
+
+ # Due to security concerns, S3 support is disabled by default.
+ self.s3_support = conf.get('s3_support', 'off').lower() in TRUE_VALUES
+ if self.s3_support and self.auth_type != 'Plaintext' \
+ and not self.auth_encoder.salt:
+ # In future, we may want to randomize salt generation rather than
+ # use a statically set salt as done today.
+ msg = _('S3 support requires salt to be manually set in conf '
+ 'file using auth_type_salt config option.')
+ self.logger.warning(msg)
+ self.s3_support = False
+
self.allow_overrides = \
conf.get('allow_overrides', 't').lower() in TRUE_VALUES
self.agent = '%(orig)s Swauth'
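Review bot: The guard `and not self.auth_encoder.salt` can only be true when the operator sets `auth_type_salt` to an empty string, because the context line just above it assigns `conf.get('auth_type_salt', 'gswauthsalt')`. With `s3_support = on` and a hashed auth_type, the shipped default salt therefore passes the check and S3 stays enabled, although the warning text says the salt has to be set manually. Testing the configured value instead, `and not conf.get('auth_type_salt'):`, would make the code agree with the message; whether the literal default should be refused as well is for the authors to decide. The constructor starts and ends outside the hunk.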
@@ -205,6 +217,9 @@ class Swauth(object):
elif env.get('PATH_INFO', '').startswith(self.auth_prefix):
return self.handle(env, start_response)
s3 = env.get('HTTP_AUTHORIZATION')
+ if s3 and not self.s3_support:
+ msg = 'S3 support is disabled in gswauth.'
+ return HTTPBadRequest(body=msg)(env, start_response)
token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
if token and len(token) > authtypes.MAX_TOKEN_LENGTH:
return HTTPBadRequest(body='Token exceeds maximum length.')(
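Review bot: The new rejection at `if s3 and not self.s3_support:` fires on the mere presence of an Authorization header, since `s3` is just `env.get('HTTP_AUTHORIZATION')`, and it runs before the X-Auth-Token is read. With S3 off by default, a client that sends a valid token alongside any Authorization value is answered 400. If that is intended, a comment should say so, e.g. `# Any Authorization header is treated as an S3 request; refuse it outright while S3 is disabled.`; narrowing the test to S3-signed values would presumably need the same change in the later hunk that returns None on this header. The body string is also not wrapped in `_()`, unlike the message added in the constructor hunk. The enclosing method starts and ends outside the hunk.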
@@ -284,6 +299,9 @@ class Swauth(object):
groups = None
if env.get('HTTP_AUTHORIZATION'):
+ if not self.s3_support:
+ self.logger.warning('S3 support is disabled in gswauth.')
+ return None
if self.swauth_remote:
# TODO: Support S3-style authorization with swauth_remote mode
self.logger.warn('S3-style authorization not supported yet '