7 files changed, 0 insertions, 1189 deletions

diff --git a/doc/markdown/auth_guide.md b/doc/markdown/auth_guide.md
index 274dd32..86c3650 100644
--- a/doc/markdown/auth_guide.md
+++ b/doc/markdown/auth_guide.md
@@ -12,13 +12,6 @@
     * [User roles](#gswauth_user_roles)
     * [GSwauth Tools](#gswauth_tools)
     * [Authenticating a user](#gswauth_authenticate)
-* [Swiftkerbauth](#swiftkerbauth)
-    * [Architecture](swiftkerbauth/architecture.md)
-    * [RHEL IPA Server Guide](swiftkerbauth/ipa_server.md)
-    * [RHEL IPA Client Guide](swiftkerbauth/ipa_client.md)
-    * [Windows AD Server Guide](swiftkerbauth/AD_server.md)
-    * [Windows AD Client Guide](swiftkerbauth/AD_client.md)
-    * [Swiftkerbauth Guide](swiftkerbauth/swiftkerbauth_guide.md)
 
 ## <a name="keystone" />Keystone ##
 The Standard Openstack authentication service
@@ -468,12 +461,3 @@ bash-4.2$ swift --os-auth-token=AUTH_tk7e68ef4698f14c7f95af07ab7b298610 --os-sto
 README.md
 ~~~
 **Note:** Reseller admins must always use the second method to acquire a token, in order to be given access to other accounts different than his own. The first method of using the username and password will give them access only to their own accounts.
-
-## <a name="swiftkerbauth" />Swiftkerbauth ##
-Kerberos authentication filter
-
-Carsten Clasohm implemented a new authentication filter for swift
-that uses Kerberos tickets for single sign on authentication, and
-grants administrator permissions based on the users group membership
-in a directory service like Red Hat Enterprise Linux Identity Management
-or Microsoft Active Directory.
diff --git a/doc/markdown/swiftkerbauth/AD_client.md b/doc/markdown/swiftkerbauth/AD_client.md
deleted file mode 100644
index 0947a1e..0000000
--- a/doc/markdown/swiftkerbauth/AD_client.md
+++ /dev/null
@@ -1,206 +0,0 @@
-#AD client setup guide
-
-###Contents
-* [Setup Overview] (#setup)
-* [Configure Network] (#network)
-* [Installing AD Client] (#AD-client)
-
-<a name="setup" />
-###Setup Overview
-
-This guide talks about adding fedora linux client to windows domain.
-The test setup included a client machine with Fedora 19 installed
-on it with all the latest packages updated. The crux is to add this linux
-machine to Windows Domain. This linux box is expected to act as RHS node and on which swiftkerbauth,
-apachekerbauth code would run.
-
-Set hostname (FQDN) to fcclient.winad.com
-
-    # hostnamectl set-hostname "fcclient.winad.com"
-
-    # hostname "fcclient.winad.com"
-
-
-<a name="network" />
-### Configure client
-
-* Deploy Fedora linux 19.
-
-* Update the system with latest packages.
-
-* Configure SELinux security parameters.
-
-* Install & configure samba
-
-* Configure DNS
-
-* Synchronize the time services
-
-* Join Domain
-
-* Install / Configure Kerberos Client
-
-
-The document assumes the installing Fedora Linux and configuring SELinux
-parameters to 'permissive' is known already.
-
-###Install & Configure Samba:
-    # yum -y install samba samba-client samba-common samba-winbind
-    samba-winbind-clients
-
-    # service start smb
-
-    # ps -aef | grep smb
-    # chkconfig smb on
-
-###Synchronize time services
-The kerberos authentication and most of the DNS functionality could fail with
-clock skew if times are not synchronized.
-
-    # cat /etc/ntp.conf
-    server ns1.bos.redhat.com
-    server 10.5.26.10
-
-    # service ntpd stop
-
-    # ntpdate 10.16.255.2
-
-    # service ntpd start
-
-    #chkconfig ntpd on
-
-Check if Windows server in the whole environment is also time synchronized with
-same source.
-
-    # C:\Users\Administrator>w32tm /query /status | find "Source"
-
-    Source: ns1.xxx.xxx.com
-
-###Configure DNS on client
-Improperly resolved hostname is the leading cause in authentication failures.
-Best practice is to configure fedora client to use Windows DNS.
-'nameserver' below is the IP address of the windows server.
-    # cat /etc/resolve.conf
-    domain server.winad.com
-    search server.winad.com
-    nameserver 10.nn.nnn.3
-
-###Set the hostname of the client properly (FQDN)
-    # cat /etc/sysconfig/network
-    HOSTNAME=fcclient.winad.com
-
-
-###Install & Configure kerberos client
-
-    # yum -y install krb5-workstation
-
-Edit the /etc/krb5.conf as follows:
-
-    # cat /etc/krb5.conf
-    [logging]
-    default = FILE:/var/log/krb5libs.log
-    kdc = FILE:/var/log/krb5kdc.log
-    admin_server = FILE:/var/log/kadmind.log
-
-    [libdefaults]
-    default_realm = WINAD.COM
-    dns_lookup_realm = false
-    dns_lookup_kdc = false
-    ticket_lifetime = 24h
-    renew_lifetime = 7d
-    forwardable = true
-
-    [realms]
-        WINAD.COM = {
-            kdc = server.winad.com
-            admin_server = server.winad.com
-        }
-    [domain_realm]
-        .demo = server.winad.com
-        demo = server.winad.com
-
-###Join Domain
-Fire command 'system-config-authentication' on client. This should display a
-graphical wizard. Below inputs would help configure this wizard.
-
-    - User account data base = winbind
-    - winbind domain = winad
-    - security model = ads
-    - winbind ads realm = winad.com
-    - winbind controller = server.winad.com
-    - template shell = /bin/bash
-    - let the other options be as is to default.
-    - Perform Join domain and appy settings and quit. Please note this join should
-      not see any errors. This makes the client fedora box to join the windows
-      domain.
-
-###Configure the kerberos client
-This would bring the users/groups from Windows Active directory to this
-fedora client.
-
-Edit /etc/samba/smb.conf file to have below parameters in the global section.
-
-    # cat /etc/samba/smb.conf
-    [global]
-    workgroup = winad
-    realm = winad.com
-    server string = Samba Server Version %v
-    security = ADS
-    allow trusted domains = No
-    password server = server.winad.com
-    log file = /var/log/samba/log.%m
-    max log size = 50
-    idmap uid = 10000­19999
-    idmap gid = 10000­19999
-    template shell = /bin/bash
-    winbind separator = +
-    winbind use default domain = Yes
-    idmap config REFARCH­AD:range = 10000000­19999999
-    idmap config REFARCH­AD:backend = rid
-    cups options = raw
-
-
-    # service smb stop
-
-    # service winbind stop
-
-    # tar -cvf /var/tmp/samba-cache-backup.tar /var/lib/samba
-
-    # ls -la /var/tmp/samba-cache-backup.tar
-
-    # rm ­-f /var/lib/samba/*
-
-
-Verify that no kerberos ticket available and cached.
-
-    # kdestroy
-
-    # klist
-
-Rejoin the domain.
-
-    # net join -S server -U Administrstor
-
-Test that client rejoined the domain.
-
-    # net ads info
-
-Restart smb and winbind service.
-
-    # wbinfo --domain-users
-
-Perform kinit for the domain users prepared on active directory. This is obtain
-the kerberos ticket for user 'auth_admin'
-
-    # kinit auth_admin
-
-    # id -Gn auth_admin
-
-###Notes
-Obtaining the HTTP service principal & keytab file and installing it with
-swiftkerbauth is added to swiftkerbauth_guide
-
-###References
-Reference Document for adding Linux box to windows domain :
-Integrating Red Hat Enterprise Linux 6
-with Active Directory
diff --git a/doc/markdown/swiftkerbauth/AD_server.md b/doc/markdown/swiftkerbauth/AD_server.md
deleted file mode 100644
index 66d90f2..0000000
--- a/doc/markdown/swiftkerbauth/AD_server.md
+++ /dev/null
@@ -1,119 +0,0 @@
-#Windows Active Directory & Domain Controller Server Guide
-
-###Contents
-* [Setup Overview] (#Setup)
-* [Installing Active Directory Services] (#AD-server)
-* [Configuring DNS] (#DNS)
-* [Adding Users and Groups] (#users-groups)
-
-
-<a name="Setup" />
-###Setup Overview
-
-The setup includes a server machine installed with Windows 2008 R2 Server, with
-Domain Controller, Active Directory services & DNS server installed alongwith.
-The steps to install windows operating system and above servers can be found
-on MicroSoft Documentation. This windows Active Directory server would act as an
-authentication server in the whole setup. This would provide the access control
-and permissions for users on certain data objects.
-
-
-Windows 2008 R2 deployment:
-
-http://technet.microsoft.com/en-us/library/dd283085.aspx
-
-
-Configuring Active Directory, Domain Services, DNS server:
-
-http://technet.microsoft.com/en-us/library/cc770946.aspx
-
-
-<a name="AD-server" />
-###Installing AD Server
-
-Administrators need to follow simple instructions in Server Manager on Windows
-2008, and should add Active Directory Domain Services & DNS server. It is
-recommended to use static IP for DNS server.  Preferred Hostname(FQDN) for
-Windows server could be of format hostname 'server.winad.com' where
-'winad.com' is a domain name.
-
-Following tips would help prepare a test setup neatly.
-
-    - Select Active Directory Domain services wizard in Server Manager
-    - Move on to install it with all the pre-requisits, e.g. .NET framework etc.
-    - Configure Active directory after installtion via exapanding the 'Roles'
-      section in the server manager.
-    - Create a new Domain in the New Forest.
-    - Type the FQDN, winad.com
-    - Set Forest functional level Windows 2008 R2.
-    - Selct additional options for this domain controller as DNS server.
-    - Leave the log locations to default provided by wizard.
-    - Set the Administrator Password carefully.
-    - Thats it. You are done configuring active directory.
-
-
-<a name="dns" />
-###Configuring DNS
-
-This section explains configuring the DNS server installed on Windows 2008 R2
-server. You must know know about
-
-    - Forward lookup zone
-
-    - Reverse lookup zone
-
-    - Zone type
-
-A forward lookup zone is simply a way to resolve hostnames to IP address.
-A reverse lookup zone is to lookup DNS hostname of the host IP.
-
-Following tips would help configure the Zones on DNS server.
-
-    - Create a Forward lookup zone.
-    - Create it a primary zone.
-    - Add the Clients using their ip addresses and FQDN to this forward lookup
-      zones.
-    - This would add type 'A' record for that host on DNS server.
-    - Similarly create a Reverser lookup zone.
-    - Add clients 'PTR' record to this zone via browsing through the forward
-      zones clients.
-
-The above setup can be tested on client once it joins the domain using 'dig'
-command as mentioned below.
-
-
-On client:
-
-    # dig fcclient.winad.com
-    This should yield you a Answer section mentioning its IP address.
-
-    Reverse lookup can be tested using
-
-    # 'dig -t ptr 101.56.168.192.in-addr.arpa.'
-    The answer section should state the FQDN of the client.
-
-    Repeat the above steps on client for Windows AD server as well.
-
-
-<a name="users-groups" />
-###Adding users and groups
-
-The following convention is to be followed in creating group names:
-
-    <reseller-prefix>\_<volume-name>
-
-    <reseller-prefix>\_<account-name>
-
-As of now, account=volume=group
-
-For example:
-
-    AUTH\_test
-
-Adding groups and users to the Windows domain is easy task.
-
-    - Start -> Administrative Tools -> Active Directory Users & Computers
-    - Expand the domain name which was prepared earlier. e.g winad.com
-    - Add groups with appropreate access rights.
-    - Add users to the group with appropreate permissions.
-    - Make sure you set password for users prepared on AD server.
diff --git a/doc/markdown/swiftkerbauth/architecture.md b/doc/markdown/swiftkerbauth/architecture.md
deleted file mode 100644
index fc6d764..0000000
--- a/doc/markdown/swiftkerbauth/architecture.md
+++ /dev/null
@@ -1,105 +0,0 @@
-# Architecture
-
-The Swift API is HTTP-based. As described in the Swift documentation
-[1], clients first make a request to an authentication URL, providing
-a username and password. The reply contains a token which is used in
-all subsequent requests.
-
-Swift has a chain of filters through which all client requests go. The
-filters to use are configured with the pipeline parameter in
-/etc/swift/proxy-server.conf:
-
-    [pipeline:main]
-    pipeline = healthcheck cache tempauth proxy-server
-
-For the single sign authentication, we added a new filter called
-"kerbauth" and put it into the filter pipeline in place of tempauth.
-
-The filter checks the URL for each client request. If it matches the
-authentication URL, the client is redirected to a URL on a different
-server (on the same machine). The URL is handled by a CGI script, which
-is set up to authenticate the client with Kerberos negotiation, retrieve
-the user's system groups [2], store them in a memcache ring shared with
-the Swift server, and return the authentication token to the client.
-
-When the client provides the token as part of a resource request, the
-kerbauth filter checks it against its memcache, grants administrator
-rights based on the group membership retrieved from memcache, and
-either grants or denies the resource access.
-
-[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html
-
-[2] The user data and system groups are usually provided by Red Hat
-    Enterprise Linux identity Management or Microsoft Active
-    Directory. The script relies on the system configuration to be set
-    accordingly (/etc/nsswitch.conf).
-
-*****
-
-## kerbauth.py
-
-The script kerbauth.py began as a copy of the tempauth.py script from
-from tempauth middleware. It contains the following modifications, among
-others:
-
-In the __init__ method, we read the ext_authentication_url parameter
-from /etc/swift/proxy-server.conf. This is the URL that clients are
-redirected to when they access either the Swift authentication URL, or
-when they request a resource without a valid authentication token.
-
-The configuration in proxy-server.conf looks like this:
-
-    [filter:kerbauth]
-    use = egg:swiftkerbauth#kerbauth
-    ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
-
-The authorize method was changed so that global administrator rights
-are granted if the user is a member of the auth_reseller_admin
-group. Administrator rights for a specific account like vol1 are
-granted if the user is a member of the auth_vol1 group. [3]
-
-The denied_response method was changed to return a HTTP redirect to
-the external authentication URL if no valid token was provided by the
-client.
-
-Most of the handle_get_token method was moved to the external
-authentication script. This method now returns a HTTP redirect.
-
-In the __call__ and get_groups method, we removed support for the
-HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is
-used.
-
-Like tempauth.py, kerbauth.py uses a Swift wrapper to access
-memcache. This wrapper converts the key to an MD5 hash and uses the
-hash value to determine on which of a pre-defined list of servers to
-store the data.
-
-[3] "auth" is the default reseller prefix, and would be different if
-    the reseller_prefix parameter in proxy-server.conf was set.
-
-## swift-auth CGI script
-
-swift-auth resides on an Apache server and assumes that Apache is
-configured to authenticate the user before this script is
-executed. The script retrieves the username from the REMOTE_USER
-environment variable, and checks if there already is a token for this
-user in the memcache ring. If not, it generates a new one, retrieves
-the user's system groups with "id -Gn USERNAME", stores this
-information in the memcache ring, and returns the token to the client.
-
-To allow the CGI script to connect to memcache, the SELinux booleans
-httpd_can_network_connect and httpd_can_network_memcache had to be
-set.
-
-The tempauth filter uses the uuid module to generate token
-strings. This module creates and runs temporary files, which leads to
-AVC denial messages in /var/log/audit/audit.log when used from an
-Apache CGI script. While the module still works, the audit log would
-grow quickly. Instead of writing an SELinux policy module to allow or
-to silently ignore these accesses, the swift-auth script uses the
-"random" module for generating token strings.
-
-Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides
-method to list the locally defined user groups. To include groups from
-Red Hat Enterprise Linux Identity Management and in the future from
-Active Directory, the "id" command is run in a subprocess.
diff --git a/doc/markdown/swiftkerbauth/ipa_client.md b/doc/markdown/swiftkerbauth/ipa_client.md
deleted file mode 100644
index f6afc42..0000000
--- a/doc/markdown/swiftkerbauth/ipa_client.md
+++ /dev/null
@@ -1,80 +0,0 @@
-#IPA Client Guide
-
-##Contents
-* [Setup Overview] (#setup)
-* [Configure Network] (#network)
-* [Installing IPA Client] (#ipa-client)
-
-<a name="setup" />
-##Setup Overview
-We have used a F18 box as IPA client machine and used FreeIPA client.
-This document borrows instructions from the following more detailed guide.
-[RHEL 6 Identity Management Guide][]
-
-
-<a name="network" />
-## Configure network
-
-Set hostname (FQDN) to client.rhelbox.com
-> hostnamectl set-hostname "client.rhelbox.com"
->
-> hostname "client.rhelbox.com"
-
-Add following to /etc/sysconfig/network:
-
-    HOSTNAME=client.rhelbox.com
-
-Add the following to /etc/hostname
-
-    client.rhelbox.com
-
-Add the following to /etc/hosts
-
-    192.168.56.110 server.rhelbox.com server
-    192.168.56.101 client.rhelbox.com client
-
-Logout and login again and verify hostname :
-> hostname --fqdn
-
-Edit */etc/resolv.conf* to add this at beginning of file
-
-    nameserver 192.168.56.110
-
-Warning: NetworkManager changes resolv.conf on restart
-
-Turn off firewall
-> service iptables stop
->
-> chkconfig iptables off
-
-<a name="ipa-client" />
-## Installing IPA Client
-
-Install IPA client packages:
-
-For RHEL:
-> yum install ipa-client ipa-admintools
-
-For Fedora:
-> yum install freeipa-client freeipa-admintools
-
-Install IPA client and add to domain:
->ipa-client-install --enable-dns-updates
-
-    Discovery was successful!
-    Hostname: client.rhelbox.com
-    Realm: RHELBOX.COM
-    DNS Domain: rhelbox.com
-    IPA Server: server.rhelbox.com
-    BaseDN: dc=rhelbox,dc=com
-
-    Continue to configure the system with these values? [no]: yes
-    User authorized to enroll computers: admin
-
-Check if client is configured correctly:
-> kinit admin
->
-> getent passwd admin
-
-
-[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
diff --git a/doc/markdown/swiftkerbauth/ipa_server.md b/doc/markdown/swiftkerbauth/ipa_server.md
deleted file mode 100644
index 55e654e..0000000
--- a/doc/markdown/swiftkerbauth/ipa_server.md
+++ /dev/null
@@ -1,146 +0,0 @@
-#IPA Server Guide
-
-##Contents
-* [Setup Overview] (#setup)
-* [Configure Network] (#network)
-* [Installing IPA Server] (#ipa-server)
-* [Configuring DNS] (#dns)
-* [Adding Users and Groups] (#users-groups)
-
-
-<a name="setup" />
-##Setup Overview
-We have used a RHEL 6.4 box as IPA and DNS server. This document borrows
-instructions from the following more detailed guide.
-[RHEL 6 Identity Management Guide][]
-
-
-<a name="network" />
-## Configure network
-
-Change hostname (FQDN) to server.rhelbox.com
-> hostname "server.rhelbox.com"
-
-Add following to */etc/sysconfig/network* file
-
-    HOSTNAME=server.rhelbox.com
-
-Add the following to */etc/hosts* file
-
-    192.168.56.110 server.rhelbox.com server
-    192.168.56.101 client.rhelbox.com client
-
-Logout and login again and verify new hostname
-> hostname --fqdn
-
-Turn off firewall
-> service iptables stop
->
-> chkconfig iptables off
-
-
-<a name="ipa-server" />
-## Installing IPA Server
-
-Install IPA server packages and DNS dependencies
-> yum install ipa-server bind bind-dyndb-ldap
-
-Run the following interactive setup to install IPA server with DNS
-> ipa-server-install --setup-dns
-
-    The IPA Master Server will be configured with:
-    Hostname:      server.rhelbox.com
-    IP address:    192.168.56.110
-    Domain name:   rhelbox.com
-    Realm name:    RHELBOX.COM
-
-    BIND DNS server will be configured to serve IPA domain with:
-    Forwarders:    No forwarders
-    Reverse zone:  56.168.192.in-addr.arpa.
-
-The installation may take some time.
-
-Check if IPA is installed correctly :
-> kinit admin
->
-> ipa user-find admin
-
-
-<a name="dns" />
-## Configuring DNS
-
-Edit */etc/resolv.conf* to add this at beginning of file :
-
-    nameserver 192.168.56.110
-
-Warning: NetworkManager changes resolv.conf on restart
-
-Add a DNS A record and PTR record for the client under rhelbox.com zone
-> ipa dnsrecord-add rhelbox.com client --a-rec=192.168.56.101 --a-create-reverse
-
-Check if DNS resolution is working by running :
-
-> dig server.rhelbox.com
-
-    ;; ANSWER SECTION:
-    server.rhelbox.com. 1200    IN  A   192.168.56.110
-
-> dig client.rhelbox.com
-
-    ;; ANSWER SECTION:
-    client.rhelbox.com. 86400   IN  A   192.168.56.101
-
-Check if reverse resolution works :
-
-> dig -t ptr 101.56.168.192.in-addr.arpa.
-
-    ;; ANSWER SECTION:
-    101.56.168.192.in-addr.arpa. 86400 IN   PTR client.rhelbox.com.
-
-
-> dig -t ptr 110.56.168.192.in-addr.arpa.
-
-    ;; ANSWER SECTION:
-    110.56.168.192.in-addr.arpa. 86400 IN   PTR server.rhelbox.com.
-
-
-<a name="users-groups" />
-## Adding users and groups
-
-The following convention is to be followed in creating group names:
-
-    <reseller-prefix>\_<volume-name>
-
-    <reseller-prefix>\_<account-name>
-
-As of now, account=volume=group
-
-For example:
-
-    AUTH\_test
-
-Create *auth_reseller_admin* user group
-> ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts"
-
-Create *auth_rhs_test* user group
-> ipa group-add auth_rhs_test --desc="Full access to rhs_test account"
-
-Create user *auth_admin* user as member of *auth_reseller_admin* user group
-> ipa user-add auth_admin --first=Auth --last=Admin --password
->
-> ipa group-add-member auth_reseller_admin --users=auth_admin
-
-Create user *rhs_test_admin* as member of *auth_rhs_test* user group
-> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
->
-> ipa group-add-member auth_rhs_test --users=rhs_test_admin
-
-Create user *jsmith* with no relevant group membership
-> ipa user-add rhs_test_admin --first=RHS --last=Admin --password
-
-You can verify users have been added by running
->ipa user-find admin
-
-NOTE: Every user has to change password on first login.
-
-[RHEL 6 Identity Management Guide]: https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
diff --git a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
deleted file mode 100644
index 5da1827..0000000
--- a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
+++ /dev/null
@@ -1,517 +0,0 @@
-#swiftkerbauth
-
-* [Installing Kerberos module for Apache] (#httpd-kerb-install)
-* [Creating HTTP Service Principal] (#http-principal)
-* [Installing and configuring swiftkerbauth] (#install-swiftkerbauth)
-* [Using swiftkerbauth] (#use-swiftkerbauth)
-* [Configurable Parameters] (#config-swiftkerbauth)
-* [Functional tests] (#swfunctest)
-
-<a name="httpd-kerb-install" />
-## Installing Kerberos module for Apache on IPA client
-
-Install httpd server with kerberos module:
-> yum install httpd mod_auth_kerb
->
-> service httpd restart
-
-Check if auth_kerb_module is loaded :
-> httpd -M | grep kerb
-
-Change httpd log level to debug by adding/changing the following in
-*/etc/httpd/conf/httpd.conf* file
-
-    LogLevel debug
-
-httpd logs are at */var/log/httpd/error_log* for troubleshooting
-
-If SELinux is enabled, allow Apache to connect to memcache and
-activate the changes by running
->setsebool -P httpd_can_network_connect 1
->
->setsebool -P httpd_can_network_memcache 1
-
-*****
-
-<a name="http-principal" />
-## Creating HTTP Service Principal on IPA server
-
-Add a HTTP Kerberos service principal :
-> ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM
-
-Retrieve the HTTP service principal to a keytab file:
-> ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab
-
-Copy keytab file to client:
-> scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab
-
-## Creating HTTP Service Principal on Windows AD server
-
-Add a HTTP Kerberos service principal:
-> c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser
-> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC
-> -kvno 0
-
-Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
-
-*****
-
-<a name="install-swiftkerbauth" />
-##Installing and configuring swiftkerbauth on IPA client
-
-Prerequisites for installing swiftkerbauth
-* swift (havana)
-* gluster-swift (optional)
-
-You can install swiftkerbauth using one of these three ways:
-
-Installing swiftkerbauth from source:
-> python setup.py install
-
-Installing swiftkerbauth using pip:
-> pip install swiftkerbauth
-
-Installing swiftkerbauth from RPMs:
-> ./makerpm.sh
->
-> rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm
-
-Edit */etc/httpd/conf.d/swift-auth.conf* and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly.
-More detail on configuring kerberos for apache can be found at:
-[auth_kerb_module Configuration][]
-
-Make /etc/httpd/conf/http.keytab readable by any user :
-> chmod 644 /etc/httpd/conf/http.keytab
-
-And preferably change owner of keytab file to apache :
-> chown apache:apache /etc/httpd/conf/http.keytab
-
-Reload httpd
-> service httpd reload
-
-Make authentication script executable:
-> chmod +x /var/www/cgi-bin/swift-auth
-
-*****
-
-<a name="#use-swiftkerbauth" />
-##Using swiftkerbauth
-
-### Adding kerbauth filter in swift pipeline
-
-Edit */etc/swift/proxy-server.conf* and add a new filter section as follows:
-
-    [filter:kerbauth]
-    use = egg:swiftkerbauth#kerbauth
-    ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
-    auth_mode=passive
-
-Add kerbauth to pipeline
-
-    [pipeline:main]
-    pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server
-
-If the Swift server is not one of your Gluster nodes, edit
-*/etc/swift/fs.conf* and change the following lines in the DEFAULT
-section:
-
-    mount_ip = RHS_NODE_HOSTNAME
-    remote_cluster = yes
-
-Restart swift to activate kerbauth filer
-> swift-init main restart
-
-
-###Examples
-
-####Authenticate user and get Kerberos ticket
-
-> kinit auth_admin
-
-NOTE: curl ignores user specified in -u option. All further curl commands
-will use the currently authenticated auth_admin user.
-
-####Get an authentication token:
-> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > GET /auth/v1.0 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    >
-    < HTTP/1.1 303 See Other
-    < Content-Type: text/html; charset=UTF-8
-    < Location: http://client.rhelbox.com/cgi-bin/swift-auth
-    < Content-Length: 0
-    < X-Trans-Id: txecd415aae89b4320b6145-0052417ea5
-    < Date: Tue, 24 Sep 2013 11:59:33 GMT
-    <
-    * Connection #0 to host client.rhelbox.com left intact
-    * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
-    * About to connect() to client.rhelbox.com port 80 (#1)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
-    > GET /cgi-bin/swift-auth HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com
-    > Accept: */*
-    >
-    < HTTP/1.1 401 Unauthorized
-    < Date: Tue, 24 Sep 2013 11:59:33 GMT
-    < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
-    < WWW-Authenticate: Negotiate
-    < WWW-Authenticate: Basic realm="Swift Authentication"
-    < Content-Length: 381
-    < Content-Type: text/html; charset=iso-8859-1
-    <
-    * Ignoring the response-body
-    * Connection #1 to host client.rhelbox.com left intact
-    * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
-    * Re-using existing connection! (#1) with host (nil)
-    * Connected to (nil) (192.168.56.101) port 80 (#1)
-    * Server auth using GSS-Negotiate with user ''
-    > GET /cgi-bin/swift-auth HTTP/1.1
-    > Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4=
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com
-    > Accept: */*
-    >
-    < HTTP/1.1 200 OK
-    < Date: Tue, 24 Sep 2013 11:59:33 GMT
-    < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
-    < WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y
-    < X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
-    < X-Debug-Remote-User: auth_admin
-    < X-Debug-Groups: auth_admin,auth_reseller_admin
-    < X-Debug-Token-Life: 86400s
-    < X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013
-    < Content-Length: 0
-    < Content-Type: text/html; charset=UTF-8
-    <
-    * Connection #1 to host (nil) left intact
-    * Closing connection #0
-    * Closing connection #1
-
-The header *X-Auth-Token* in response contains the token *AUTH_tk083b8abc92f4a514f34224a181ed568a*.
-
-####PUT a container
->curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > PUT /v1/AUTH_myvolume/c1 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
-    >
-    < HTTP/1.1 201 Created
-    < Content-Length: 0
-    < Content-Type: text/html; charset=UTF-8
-    < X-Trans-Id: txc420b0ebf9714445900e8-0052418863
-    < Date: Tue, 24 Sep 2013 12:41:07 GMT
-    <
-    * Connection #0 to host client.rhelbox.com left intact
-    * Closing connection #0
-
-####GET a container listing
-> curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > GET /v1/AUTH_myvolume HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
-    >
-    < HTTP/1.1 200 OK
-    < Content-Length: 3
-    < X-Account-Container-Count: 0
-    < Accept-Ranges: bytes
-    < X-Account-Object-Count: 0
-    < X-Bytes-Used: 0
-    < X-Timestamp: 1379997117.09468
-    < X-Object-Count: 0
-    < X-Account-Bytes-Used: 0
-    < X-Type: Account
-    < Content-Type: text/plain; charset=utf-8
-    < X-Container-Count: 0
-    < X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc
-    < Date: Tue, 24 Sep 2013 12:43:08 GMT
-    <
-    c1
-    * Connection #0 to host client.rhelbox.com left intact
-    * Closing connection #0
-
-####PUT an object in container
-> curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world'
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
-    > Content-Length: 11
-    > Content-Type: application/x-www-form-urlencoded
-    >
-    * upload completely sent off: 11 out of 11 bytes
-    < HTTP/1.1 201 Created
-    < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
-    < Content-Length: 0
-    < Etag: 3e25960a79dbc69b674cd4ec67a72c62
-    < Content-Type: text/html; charset=UTF-8
-    < X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0
-    < Date: Wed, 25 Sep 2013 06:08:01 GMT
-    <
-    * Connection #0 to host client.rhelbox.com left intact
-    * Closing connection #0
-
-####Give permission to jsmith to list and download objects from c1 container
-> curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > POST /v1/AUTH_myvolume/c1 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    > X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
-    > X-Container-Read: jsmith
-    >
-    < HTTP/1.1 204 No Content
-    < Content-Length: 0
-    < Content-Type: text/html; charset=UTF-8
-    < X-Trans-Id: txcedea3e2557d463eb591d-0052427f60
-    < Date: Wed, 25 Sep 2013 06:14:56 GMT
-    <
-    * Connection #0 to host client.rhelbox.com left intact
-    * Closing connection #0
-
-####Access container as jsmith
-
-> kinit jsmith
-
-Get token for jsmith
-> curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > GET /auth/v1.0 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    >
-    < HTTP/1.1 303 See Other
-    < Content-Type: text/html; charset=UTF-8
-    < Location: http://client.rhelbox.com/cgi-bin/swift-auth
-    < Content-Length: 0
-    < X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b
-    < Date: Wed, 25 Sep 2013 06:17:47 GMT
-    <
-    * Connection #0 to host client.rhelbox.com left intact
-    * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
-    * About to connect() to client.rhelbox.com port 80 (#1)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
-    > GET /cgi-bin/swift-auth HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com
-    > Accept: */*
-    >
-    < HTTP/1.1 401 Unauthorized
-    < Date: Wed, 25 Sep 2013 06:17:47 GMT
-    < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
-    < WWW-Authenticate: Negotiate
-    < WWW-Authenticate: Basic realm="Swift Authentication"
-    < Content-Length: 381
-    < Content-Type: text/html; charset=iso-8859-1
-    <
-    * Ignoring the response-body
-    * Connection #1 to host client.rhelbox.com left intact
-    * Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
-    * Re-using existing connection! (#1) with host (nil)
-    * Connected to (nil) (192.168.56.101) port 80 (#1)
-    * Server auth using GSS-Negotiate with user ''
-    > GET /cgi-bin/swift-auth HTTP/1.1
-    > Authorization: Negotiate YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFbYYIBVzCCAVOgAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARQwggEQoAMCARKhAwIBAaKCAQIEgf/+3OaXYCSEjcsjU3t3lOLcYG84GBP9Kj9YTHc7yVMlcam4ivCwMqCkzxgvNo2E3a5KSWyFwngeX4b/QFbCKPXA4sfBibZRkeMk5gr2f0MLI3gWEAIYq7bJLre04bnkD2F0MzijPJrOLIx1KmFe08UGWCEmnG2uj07lvIR1RwV/7dMM4J1B+KKvDVKA0LxahwPIpx8oOON2yMGcstrBAHBBk5pmpt1Gg9Lh7xdNPsjP0IfI5Q0zkGCRBKpvpXymP1lQpQXlHbqkdBYOmG4+p/R+vIosO4ui1G6GWE9t71h3AqW61CcCj3/oOjZsG56k8HMSNk/+3mfUTP86nzLRGkekgc4wgcugAwIBEqKBwwSBwPsG9nGloEnOsA1abP4R1/yUDcikjjwKiacvZ+cu7bWEzu3L376k08U8C2YIClyUJy3Grt68LxhnfZ65VCZ5J5IOLiXOJnHBIoJ1L4GMYp4EgZzHvI7R3U3DApMzNWZwc1MsSF5UGhmLwxSevDLetJHjgKzKNteRyVN/8CFgjSBEjGSN1Qgy1RZHuQR9d3JHPczONZ4+ZgStfy+I1m2IUIgW3+4JGFVafHiBQVwSWRNfdXFgI3wBz7slntd7r3qMWA==
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com
-    > Accept: */*
-    >
-    < HTTP/1.1 200 OK
-    < Date: Wed, 25 Sep 2013 06:17:47 GMT
-    < Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
-    < WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8=
-    < X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
-    < X-Debug-Remote-User: jsmith
-    < X-Debug-Groups: jsmith
-    < X-Debug-Token-Life: 86400s
-    < X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013
-    < Content-Length: 0
-    < Content-Type: text/html; charset=UTF-8
-    <
-    * Connection #1 to host (nil) left intact
-    * Closing connection #0
-    * Closing connection #1
-
-List the container using authentication token for jsmith:
-> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > GET /v1/AUTH_myvolume/c1 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
-    >
-    < HTTP/1.1 200 OK
-    < Content-Length: 8
-    < X-Container-Object-Count: 0
-    < Accept-Ranges: bytes
-    < X-Timestamp: 1
-    < X-Container-Bytes-Used: 0
-    < Content-Type: text/plain; charset=utf-8
-    < X-Trans-Id: tx575215929c654d9f9f284-00524280a4
-    < Date: Wed, 25 Sep 2013 06:20:20 GMT
-    <
-    object1
-    * Connection #0 to host client.rhelbox.com left intact
-    * Closing connection #0
-
-Downloading the object as jsmith:
-> curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1
-
-    * About to connect() to client.rhelbox.com port 8080 (#0)
-    *   Trying 192.168.56.101...
-    * connected
-    * Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
-    > GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1
-    > User-Agent: curl/7.27.0
-    > Host: client.rhelbox.com:8080
-    > Accept: */*
-    > X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
-    >
-    < HTTP/1.1 200 OK
-    < Content-Length: 11
-    < Accept-Ranges: bytes
-    < Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
-    < Etag: 3e25960a79dbc69b674cd4ec67a72c62
-    < X-Timestamp: 1380089280.98829
-    < Content-Type: application/x-www-form-urlencoded
-    < X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa
-    < Date: Wed, 25 Sep 2013 06:24:42 GMT
-    <
-    * Connection #0 to host client.rhelbox.com left intact
-    Hello world* Closing connection #0
-
-For curl to follow the redirect, you need to specify additional
-options. With these, and with a current Kerberos ticket, you should
-get the Kerberos user's cached authentication token, or a new one if
-the previous token has expired.
-
-> curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1
-
-The --negotiate option is for curl to perform Kerberos authentication and
---location-trusted is for curl to follow the redirect.
-
-[auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html
-
-
-#### Get an authentication token when auth_mode=passive:
-> curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0
-
-**NOTE**: X-Storage-Url response header can be returned only in passive mode.
-
-<a name="config-swiftkerbauth" />
-##Configurable Parameters
-
-The kerbauth filter section in **/etc/swift/proxy-server.conf** looks something
-like this:
-
-    [filter:kerbauth]
-    use = egg:swiftkerbauth#kerbauth
-    ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
-    auth_method = active
-    token_life = 86400
-    debug_headers = yes
-    realm_name = RHELBOX.COM
-
-Of all the options listed above, specifying **ext\_authentication\_url** is
-mandatory. The rest of the options are optional and have default values.
-
-#### ext\_authentication\_url
-A URL specifying location of the swift-auth CGI script. Avoid using IP address.  
-Default value: None
-
-#### token_life
-After how many seconds the cached information about an authentication token is
-discarded.  
-Default value: 86400
-
-#### debug_headers
-When turned on, the response headers sent to the user will contain additional
-debug information apart from the auth token.  
-Default value: yes
-
-#### auth_method
-Set this to **"active"** when you want to allow access **only to clients
-residing inside the domain**. In this mode, authentication is performed by
-mod\_auth\_kerb using the Kerberos ticket bundled with the client request.
-No username and password have to be specified to get a token.  
-Set this to **"passive"** when you want to allow access to clients residing
-outside the domain. In this mode, authentication is performed by gleaning
-username and password from request headers (X-Auth-User and X-Auth-Key) and
-running kinit command against it.   
-Default value: passive
-
-#### realm_name
-This is applicable only when the auth_method=passive. This option specifies
-realm name if storage server belongs to more than one realm and realm name is not
-part of the username specified in X-Auth-User header.
-
-<a name="swfunctest" />
-##Functional tests for SwiftkerbAuth
-
-Functional tests to be run on the storage node after SwiftKerbAuth is setup using
-either IPA server or Windows AD. The gluster-swift/doc/markdown/swiftkerbauth
-directory contains the SwiftkerbAuth setup documents. There are two modes of
-working with SwiftKerbAuth. 'PASSIVE' mode indicates the client is outside the
-domain configured using SwiftKerbAuth. Client provides the 'Username' and
-'Password' while invoking a command. SwiftKerbAuth auth filter code then
-would get the ticket granting ticket from AD server or IPA server.
-In 'ACTIVE' mode of SwiftKerbAuth, User is already logged into storage node using
-its kerberos credentials. That user is authenticated across AD/IPA server.
-
-In PASSIVE mode all the generic functional tests are run. ACTIVE mode has a
-different way of acquiring Ticket Granting Ticket. And hence the different
-framework of functional tests there.
-
-The accounts, users, passwords must be prepared on AD/IPA server as per
-mentioned in test/functional_auth/swiftkerbauth/conf/test.conf
-
-Command to invoke SwiftKerbAuth functional tests is
-> $tox -e swfunctest
-
-This would run both ACTIVE and PASSIVE mode functional test cases.