author | Prashanth Pai <ppai@redhat.com> | 2016-08-05 14:25:08 +0530 |
---|---|---|
committer | Thiago da Silva <thiago@redhat.com> | 2016-09-18 18:39:03 -0700 |
commit | 2318a57a1ea632f77d5f78dc11023fb3b7fc2ad0 (patch) | |
tree | c44ea8c7183e4080f1c574f58076a1088c670aa3 /gluster/swift/common/middleware/gswauth/swauth | |
parent | 83c50ae4ebd4d72988a781ec4183f1c62f6a63a4 (diff) |
s3: Make s3 support configurable
Amazon S3 compatibility:
This change makes S3 support tunable through a config option; it is
turned off by default.
This is a manual backport of this upstream swauth change:
https://review.openstack.org/#/c/326336/
Change-Id: I106e3274c6d68f4575c1bf1a9013f066e969cb17
Signed-off-by: Prashanth Pai <ppai@redhat.com>
Reviewed-on: http://review.gluster.org/15098
Reviewed-by: Thiago da Silva <thiago@redhat.com>
Tested-by: Thiago da Silva <thiago@redhat.com>
Diffstat (limited to 'gluster/swift/common/middleware/gswauth/swauth')
-rw-r--r-- | gluster/swift/common/middleware/gswauth/swauth/middleware.py | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/gluster/swift/common/middleware/gswauth/swauth/middleware.py b/gluster/swift/common/middleware/gswauth/swauth/middleware.py index 48f1d71..7a6d713 100644 --- a/gluster/swift/common/middleware/gswauth/swauth/middleware.py +++ b/gluster/swift/common/middleware/gswauth/swauth/middleware.py @@ -148,6 +148,18 @@ class Swauth(object): 'Invalid auth_type in config file: %s' % self.auth_type) self.auth_encoder.salt = conf.get('auth_type_salt', 'gswauthsalt') + + # Due to security concerns, S3 support is disabled by default. + self.s3_support = conf.get('s3_support', 'off').lower() in TRUE_VALUES + if self.s3_support and self.auth_type != 'Plaintext' \ + and not self.auth_encoder.salt: + # In future, we may want to randomize salt generation rather than + # use a statically set salt as done today. + msg = _('S3 support requires salt to be manually set in conf ' + 'file using auth_type_salt config option.') + self.logger.warning(msg) + self.s3_support = False + self.allow_overrides = \ conf.get('allow_overrides', 't').lower() in TRUE_VALUES self.agent = '%(orig)s Swauth' @@ -205,6 +217,9 @@ class Swauth(object): elif env.get('PATH_INFO', '').startswith(self.auth_prefix): return self.handle(env, start_response) s3 = env.get('HTTP_AUTHORIZATION') + if s3 and not self.s3_support: + msg = 'S3 support is disabled in gswauth.' + return HTTPBadRequest(body=msg)(env, start_response) token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN')) if token and len(token) > authtypes.MAX_TOKEN_LENGTH: return HTTPBadRequest(body='Token exceeds maximum length.')( @@ -284,6 +299,9 @@ class Swauth(object): groups = None if env.get('HTTP_AUTHORIZATION'): + if not self.s3_support: + self.logger.warning('S3 support is disabled in gswauth.') + return None if self.swauth_remote: # TODO: Support S3-style authorization with swauth_remote mode self.logger.warn('S3-style authorization not supported yet ' |
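Review bot: The salt guard in the first hunk cannot fire when `auth_type_salt` is simply omitted, because the line above it has already defaulted the salt to the static string `gswauthsalt`; `not self.auth_encoder.salt` is true only for an explicitly empty option. With `s3_support = on` and a non-Plaintext `auth_type`, S3 is therefore enabled on the shared default salt, which is the case the warning text says it refuses. Testing the configured value instead would match the message: `and not conf.get('auth_type_salt'):`. The enclosing method starts and ends outside the hunk.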
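Review bot: The rejection added in the second hunk keys on the mere presence of an `Authorization` header (`if s3 and not self.s3_support:`), so with the default `s3_support = off` any request carrying that header, whatever its scheme, gets a 400 before the token checks below it run. If that is intended, a comment should say so, for example `# Any Authorization header is treated as an S3-style request and refused while s3_support is off.`, because this changes default behaviour for existing deployments. The body string is also not wrapped in `_()` the way the message in the first hunk is. The enclosing method starts and ends outside the hunk.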
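Review bot: The guard added under `if env.get('HTTP_AUTHORIZATION'):` in the third hunk appears to duplicate the 400 rejection from the second hunk, so it is presumably reached only by callers that do not pass through that check. A comment such as `# Defence in depth: the request entry point already refuses these requests.` would record why it is kept. It also logs at warning level on a condition any client can trigger by sending a header, and the message carries no request context to help triage. The enclosing method starts and ends outside the hunk.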