path: root/doc/markdown/auth_guide.md
blob: b5f27780f6c1c0cff306e40dddb17e6620f8cfd0 (plain)
# Authentication Services Start Guide

## Contents
* [Keystone](#keystone)
* [Swiftkerbauth](#swiftkerbauth)
* [GSwauth](#gswauth)
 * [Overview](#gswauth_overview)
 * [Quick Install](#gswauth_quick_install)
 * [How to use it](#swauth_use)

<a name="keystone" />
## Keystone
The standard OpenStack authentication service

TBD

<a name="swiftkerbauth" />
## Swiftkerbauth
Kerberos authentication filter for Swift

TBD

<a name="gswauth" />
## GSwauth

<a name="gswauth_overview" />
### Overview
An easily deployable GlusterFS-aware authentication service based on [Swauth](http://gholt.github.com/swauth/).
GSwauth is a WSGI middleware that uses Swift itself as a backing store to
maintain its metadata.

This model has the benefit of making the metadata available to all proxy servers
and saving the data to a GlusterFS volume. To protect the metadata, the GlusterFS
volume should be mountable only by the systems running the proxy servers.

Currently, gluster-swift has a strict mapping of one account to a GlusterFS volume.
In future releases, this will be enhanced to support multiple accounts per GlusterFS
volume.

See <http://gholt.github.com/swauth/> for more information on Swauth.

<a name="gswauth_quick_install" />
### Quick Install

1. GSwauth is installed by default with Gluster for Swift.

2. Create and start the `gsmetadata` gluster volume
    ```
    gluster volume create gsmetadata `hostname`:`brick`
    gluster volume start gsmetadata
    ```

3. Run `gluster-swift-gen-builders` with all volumes that should be
    accessible by gluster-swift, including `gsmetadata`
    ```
    gluster-swift-gen-builders gsmetadata `other volumes`
    ```

4. Change your proxy-server.conf pipeline to have gswauth instead of tempauth:

    Was:
    ```
    [pipeline:main]
    pipeline = catch_errors cache tempauth proxy-server
    ```
    Change To:
    ```
    [pipeline:main]
    pipeline = catch_errors cache gswauth proxy-server
    ```

5. Add to your proxy-server.conf the section for the Swauth WSGI filter.
    The `super_admin_key` and `auth_type_salt` shown here are sample values;
    set your own:
    ```
    [filter:gswauth]
    use = egg:gluster_swift#gswauth
    set log_name = gswauth
    super_admin_key = swauthkey
    metadata_volume = gsmetadata
    auth_type = sha1
    auth_type_salt = swauthsalt
    ```

6. Restart your proxy server: ``swift-init proxy reload``
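
The following check is an added example, not part of gluster-swift: it parses a proxy-server.conf and reports deviations from steps 4 and 5 above, including a `super_admin_key` or `auth_type_salt` left at the guide's sample value. The function name, the constructed sample config, and the choice to treat every key listed in step 5 (except the salt) as required are assumptions.

```python
import configparser

# Sample secrets shown in this guide; a deployed proxy should not still use them.
SAMPLE_VALUES = {"super_admin_key": "swauthkey", "auth_type_salt": "swauthsalt"}
# Keys the guide sets in [filter:gswauth]; treating them as required is an assumption.
REQUIRED_KEYS = ("use", "super_admin_key", "metadata_volume", "auth_type")

# Constructed sample: the configuration exactly as written in steps 4 and 5.
GUIDE_CONF = """\
[pipeline:main]
pipeline = catch_errors cache gswauth proxy-server

[filter:gswauth]
use = egg:gluster_swift#gswauth
set log_name = gswauth
super_admin_key = swauthkey
metadata_volume = gsmetadata
auth_type = sha1
auth_type_salt = swauthsalt
"""

def check_gswauth_conf(text):
    """Return a list of findings for the proxy-server.conf contents in `text`."""
    cp = configparser.RawConfigParser(strict=False)  # no interpolation of values
    cp.read_string(text)
    findings = []
    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    if "tempauth" in pipeline:
        findings.append("pipeline still contains tempauth")
    if "gswauth" not in pipeline:
        findings.append("pipeline does not contain gswauth")
    elif "proxy-server" in pipeline and pipeline.index("gswauth") > pipeline.index("proxy-server"):
        findings.append("gswauth must come before proxy-server in the pipeline")
    if not cp.has_section("filter:gswauth"):
        findings.append("missing [filter:gswauth] section")
        return findings
    filt = cp["filter:gswauth"]
    for key in REQUIRED_KEYS:
        if not filt.get(key, "").strip():
            findings.append(f"[filter:gswauth] {key} is not set")
    if filt.get("use", "").strip() not in ("", "egg:gluster_swift#gswauth"):
        findings.append("[filter:gswauth] use is not egg:gluster_swift#gswauth")
    for key, sample in SAMPLE_VALUES.items():
        if filt.get(key, "").strip() == sample:
            findings.append(f"[filter:gswauth] {key} is still the sample value from the guide")
    return findings

if __name__ == "__main__":
    for finding in check_gswauth_conf(GUIDE_CONF):
        print(finding)
```

Run against the guide's own configuration, it reports only the two sample secrets; pass it the contents of your real proxy-server.conf before reloading the proxy.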

<a name="swauth_use" />
### How to use it
1. Initialize the GSwauth backing store in Gluster-Swift
    ``swauth-prep -K swauthkey``

1. Add an account/user. The account name must match the GlusterFS volume name
   the user will be given access to. In this example we use the volume ``test``:
    ``swauth-add-user -A http://127.0.0.1:8080/auth/ -K swauthkey -a test user1 password1``

1. Ensure it works, authenticating with the password set in the previous step:
    ``swift -A http://127.0.0.1:8080/auth/v1.0 -U test:user1 -K password1 stat``