From 03128e172e0242eba396e8487bdd8d6b0da52db3 Mon Sep 17 00:00:00 2001
From: Chetan Risbud
Date: Thu, 23 Jan 2014 12:42:53 +0530
Subject: Rebase swiftkerbauth imported code with upstream

Few changes have been merged to upstream swiftkerbauth repo. This commit brings it down to gluster-swift repo. Bringing below changes to gluster-swift repo in one go.

http://review.gluster.org/#/c/6296/
http://review.gluster.org/#/c/6370/
http://review.gluster.org/#/c/6595/
http://review.gluster.org/#/c/6713/
http://review.gluster.org/#/c/6732/

Change-Id: I10dc12d75ec63fca313339fbc71e4f18071af552
Signed-off-by: Chetan Risbud
Reviewed-on: http://review.gluster.org/6764
Reviewed-by: Prashanth Pai
---
 doc/markdown/swiftkerbauth/AD_server.md           | 12 +++++
 doc/markdown/swiftkerbauth/ipa_server.md          | 12 +++++
 doc/markdown/swiftkerbauth/swiftkerbauth_guide.md | 58 ++++++++++++++++++++++-
 3 files changed, 81 insertions(+), 1 deletion(-)
(limited to 'doc')

diff --git a/doc/markdown/swiftkerbauth/AD_server.md b/doc/markdown/swiftkerbauth/AD_server.md
index c34f0f1..66d90f2 100644
--- a/doc/markdown/swiftkerbauth/AD_server.md
+++ b/doc/markdown/swiftkerbauth/AD_server.md
@@ -98,6 +98,18 @@ On client:
 
 ###Adding users and groups
 
+The following convention is to be followed in creating group names:
+
+    \_
+
+    \_
+
+As of now, account=volume=group
+
+For example:
+
+    AUTH\_test
+
 Adding groups and users to the Windows domain is easy task.
 
 - Start -> Administrative Tools -> Active Directory Users & Computers
diff --git a/doc/markdown/swiftkerbauth/ipa_server.md b/doc/markdown/swiftkerbauth/ipa_server.md
index ef12b53..55e654e 100644
--- a/doc/markdown/swiftkerbauth/ipa_server.md
+++ b/doc/markdown/swiftkerbauth/ipa_server.md
@@ -107,6 +107,18 @@ Check if reverse resolution works :
 
 ## Adding users and groups
 
+The following convention is to be followed in creating group names:
+
+    \_
+
+    \_
+
+As of now, account=volume=group
+
+For example:
+
+    AUTH\_test
+
 Create *auth_reseller_admin* user group
 
 > ipa group-add auth_reseller_admin --desc="Full access to all Swift accounts"
diff --git a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
index ef76ad0..12845a6 100644
--- a/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
+++ b/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md
@@ -4,6 +4,7 @@
 * [Creating HTTP Service Principal on IPA server] (#http-principal)
 * [Installing and configuring swiftkerbauth on IPA client] (#install-swiftkerbauth)
 * [Using swiftkerbauth] (#use-swiftkerbauth)
+* [Configurable Parameters] (#config-swiftkerbauth)
 
 ## Installing Kerberos module for Apache on IPA client
 
@@ -47,7 +48,8 @@ Copy keytab file to client:
 Add a HTTP Kerberos service principal:
 
 > c:\>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser
-> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab
+> auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC
+> -kvno 0
 
 Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab
 
@@ -101,6 +103,7 @@ Edit */etc/swift/proxy-server.conf* and add a new filter section as follows:
     [filter:kerbauth]
     use = egg:swiftkerbauth#kerbauth
     ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+    auth_mode=passive
 
 Add kerbauth to pipeline
 
@@ -433,3 +436,56 @@ The --negotiate option is for curl to perform Kerberos authentication and
 --location-trusted is for curl to follow the redirect.
 
 [auth_kerb_module Configuration]: http://modauthkerb.sourceforge.net/configure.html
+
+
+#### Get an authentication token when auth_mode=passive:
+> curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0
+
+**NOTE**: X-Storage-Url response header can be returned only in passive mode.
+
+
+##Configurable Parameters
+
+The kerbauth filter section in **/etc/swift/proxy-server.conf** looks something
+like this:
+
+    [filter:kerbauth]
+    use = egg:swiftkerbauth#kerbauth
+    ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
+    auth_method = active
+    token_life = 86400
+    debug_headers = yes
+    realm_name = RHELBOX.COM
+
+Of all the options listed above, specifying **ext\_authentication\_url** is
+mandatory. The rest of the options are optional and have default values.
+
+#### ext\_authentication\_url
+A URL specifying location of the swift-auth CGI script. Avoid using IP address.
+Default value: None
+
+#### token_life
+After how many seconds the cached information about an authentication token is
+discarded.
+Default value: 86400
+
+#### debug_headers
+When turned on, the response headers sent to the user will contain additional
+debug information apart from the auth token.
+Default value: yes
+
+#### auth_method
+Set this to **"active"** when you want to allow access **only to clients
+residing inside the domain**. In this mode, authentication is performed by
+mod\_auth\_kerb using the Kerberos ticket bundled with the client request.
+No username and password have to be specified to get a token.
+Set this to **"passive"** when you want to allow access to clients residing
+outside the domain. In this mode, authentication is performed by gleaning
+username and password from request headers (X-Auth-User and X-Auth-Key) and
+running kinit command against it.
+Default value: passive
+
+#### realm_name
+This is applicable only when the auth_method=passive. This option specifies
+realm name if RHS server belongs to more than one realm and realm name is not
+part of the username specified in X-Auth-User header.
-- cgit