From 16130773316f25c94c79b28b73572121241e3ca6 Mon Sep 17 00:00:00 2001 From: Thiago da Silva Date: Fri, 1 Nov 2013 15:31:27 -0400 Subject: Update auth_guide.md adding first draft of gswauth section to authentication guide Change-Id: I801c9f4add18a5e5f5c735e61cf99fc3a5b935c2 Signed-off-by: Thiago da Silva Reviewed-on: http://review.gluster.org/6222 Reviewed-by: Luis Pabon Tested-by: Luis Pabon --- doc/markdown/auth_guide.md | 95 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 doc/markdown/auth_guide.md diff --git a/doc/markdown/auth_guide.md b/doc/markdown/auth_guide.md new file mode 100644 index 0000000..b5f2778 --- /dev/null +++ b/doc/markdown/auth_guide.md 
@@ -0,0 +1,95 @@ +# Authentication Services Start Guide + +## Contents +* [Keystone](#keystone) +* [Swiftkerbauth](#swiftkerbauth) +* [GSwauth](#gswauth) + * [Overview](#gswauth_overview) + * [Quick Install](#gswauth_quick_install) + * [How to use it](#swauth_use) + + +## Keystone +The Standard Openstack authentication service + +TBD + + +## Swiftkerbauth +Kerberos authentication filter for Swift + +TBD + + +## GSwauth + + +### Overview +An easily deployable GlusterFS aware authentication service based on [Swauth](http://gholt.github.com/swauth/). +GSwauth is a WSGI Middleware that uses Swift itself as a backing store to +maintain its metadata. + +This model has the benefit of having the metadata available to all proxy servers +and saving the data to a GlusterFS volume. To protect the metadata, the GlusterFS +volume should only be able to be mounted by the systems running the proxy servers. + +Currently, gluster-swift has a strict mapping of one account to a GlusterFS volume. +Future releases, this will be enhanced to support multiple accounts per GlusterFS +volume. + +See for more information on Swauth. + + +###Quick Install + +1. GSwauth is installed by default with Gluster for Swift. + +2. Create and start the `gsmetadata` gluster volume + ``` + gluster volume create gsmetadata `hostname`:`brick` + gluster volume start gsmetadata + ``` + +3. run `gluster-swift-gen-builders` with all volumes that should be + accessible by gluster-swift, including `gsmetadata` + ``` + gluster-swift-gen-builders gsmetadata `other volumes` + ``` + +4. Change your proxy-server.conf pipeline to have gswauth instead of tempauth: + + Was: + ``` + [pipeline:main] + pipeline = catch_errors cache tempauth proxy-server + ``` + Change To: + ``` + [pipeline:main] + pipeline = catch_errors cache gswauth proxy-server + ``` + +5. 
Add to your proxy-server.conf the section for the Swauth WSGI filter: +``` + [filter:gswauth] + + use = egg:gluster_swift#gswauth + set log_name = gswauth + super_admin_key = swauthkey + metadata_volume = gsmetadata + auth_type = sha1 + auth_type_salt = swauthsalt +``` +6. Restart your proxy server ``swift-init proxy reload`` + + +###How to use it +1. Initialize the GSwauth backing store in Gluster-Swift + ``swauth-prep -K swauthkey`` + +1. Add an account/user. The account name must match the Glusterfs volume name + the user will be given access to. In this example we use the volume ``test`` + ``swauth-add-user -A http://127.0.0.1:8080/auth/ -K swauthkey -a test user1 password1`` + +1. Ensure it works + ``swift -A http://127.0.0.1:8080/auth/v1.0 -U test:user1 -K password stat`` -- cgit
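Review bot: In step 5 of Quick Install, the `[filter:gswauth]` sample sets `super_admin_key = swauthkey` and `auth_type_salt = swauthsalt` without marking them as placeholders, and the "How to use it" commands reuse `swauthkey` verbatim, so a reader who copies the guide as written deploys a super admin key and salt that are published in the documentation. Suggest adding a sentence directly after the config block telling the reader to replace both with secret, deployment-specific values, and to use that same key in the later `swauth-prep -K` and `swauth-add-user -K` commands; it is also worth stating that with `auth_type = sha1` the salt is the single value fixed in this config, which ties in with the Overview's advice to restrict who can mount the metadata volume. Smaller points: in "How to use it" the user is created with `password1` but the verification command passes `-K password`, so the last step fails as written; step 6 says "Restart your proxy server" while the command shown is `swift-init proxy reload`; the Overview sentence "See for more information on Swauth." has lost its link target; and the Contents entry `#swauth_use` does not follow the `#gswauth_` prefix used by the other two GSwauth entries.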