From 373032fc97d27c79895e6114670760aa717f9f61 Mon Sep 17 00:00:00 2001 From: Prashanth Pai Date: Tue, 24 Sep 2013 11:47:50 +0530 Subject: Add documentation The following guides were added: * Setting up a RHEL 6.x IdM server with a Fedora 18 client * Setting up and configuring swiftkerbauth * Architecture of Swiftkerbauth Change-Id: I50665e584ff9513b5a20d1eda546c73c93f14638 Signed-off-by: Prashanth Pai Reviewed-on: http://review.gluster.org/6040 Reviewed-by: Luis Pabon Tested-by: Luis Pabon --- doc/DOCUMENTATION | 299 ------------------------------------------------------ 1 file changed, 299 deletions(-) delete mode 100644 doc/DOCUMENTATION (limited to 'doc/DOCUMENTATION') diff --git a/doc/DOCUMENTATION b/doc/DOCUMENTATION deleted file mode 100644 index 5b36b24..0000000 --- a/doc/DOCUMENTATION +++ /dev/null @@ -1,299 +0,0 @@ -Kerberos Authentication Filter for Red Hat Storage and OpenStack Swift ----------------------------------------------------------------------- - -Red Hat Storage not only provides file system access to its data, but -also object-level access. The latter is implemented with OpenStack -Swift, and allows containers and objects to be stored and retrieved -with an HTTP-based API. - -Red Hat Storage 2.0 comes with a simple authentication filter that -defines user accounts as a static list in the Swift configuration -file. For this project, we implemented a new authentication filter -that uses Kerberos tickets for single sign on authentication, and -grants administrator permissions based on the user's group membership -in a directory service like Red Hat Enterprise Linux Identity -Management or Microsoft Active Directory. - -* Building - -To build the swiftkerbauth and apachekerbauth RPM packages, change -into the respective directory and run - - ./build.sh - -* Installation - -** Swift Server - -Install the swiftkerbauth RPM on all Red Hat Storage nodes that will -provide object-level access via Swift. - -To active the Kerberos authentication filter, add "kerbauth" in the -/etc/swift/proxy-server.conf pipeline parameter: - - [pipeline:main] - pipeline = healthcheck cache kerbauth proxy-server - -Set the URL of the Apache server that will be used for authentication -with the ext_authentication_url parameter in the same file: - - [filter:kerbauth] - paste.filter_factory = swiftkerbauth:filter_factory - ext_authentication_url = http://AUTHENTICATION_SERVER/cgi-bin/swift-auth - -If the Swift server is not one of your Gluster nodes, edit -/etc/swift/fs.conf and change the following lines in the DEFAULT -section: - - mount_ip = RHS_NODE_HOSTNAME - remote_cluster = yes - -Activate the changes by running - - swift-init main restart - -For troubleshooting, check /var/log/messages. - -** Authentication Server - -On the authentication server, install the apachekerbauth package. - -Edit /etc/httpd/conf.d/swift-auth.conf and set the KrbAuthRealms and -Krb5KeyTab parameters. - -The keytab must contain a HTTP/$HOSTNAME principal. Usually, you will -have to create the Kerberos principal on the KDC, export it, and copy -it to a keytab file on the Apache server. - -If SELinux is enabled, allow Apache to connect to memcache and -activate the changes by running - - setsebool -P httpd_can_network_connect 1 - setsebool -P httpd_can_network_memcache 1 - - service httpd reload - -For troubleshooting, see /var/log/httpd/error_log. - -* Testing - -The tests were done with curl on a machine set up as an IDM client, -using the Gluster volume rhs_ufo1. - -In IDM, we created the following user groups: - -- auth_reseller_admin - Users in this group get full access to all Swift accounts. - -- auth_rhs_ufo1 - Users in this group get full access to the rhs_ufo1 Swift account. - -Next, we created the following users in IDM: - -- auth_admin - Member of the auth_reseller_admin group - -- rhs_ufo1_admin - Member of the auth_rhs_ufo1 group - -- jsmith - No relevant group membership - -The authentication tokens were then retrieved with the following -commands: - - kinit auth_admin - curl -v -u : --negotiate --location-trusted \ - http://rhs1.example.com:8080/auth/v1.0 - - kinit rhs_ufo1_admin - curl -v -u : --negotiate --location-trusted \ - http://rhs1.example.com:8080/auth/v1.0 - - kinit jsmith - curl -v -u : --negotiate --location-trusted \ - http://rhs1.example.com:8080/auth/v1.0 - -Each of these commands should output the following two lines: - -< X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0 -... -
1365195860 / auth_admin,auth_reseller_admin
- -The first line contains the authentication token that is used in -subsequent requests. - -The second line is printed by the swift-auth CGI script for debugging -- it lists the token expiration (in seconds since January 1, 1970) and -the user's groups. - -Next, we try to get information about the Swift account, replacing the -AUTH_tk* with one of the tokens we got with the commands above. This -should display statistics, and the list of container names when used -with the the admin users. For jsmith, you should get a 403 Forbidden -error. - - curl -v -X GET \ - -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1 - -With one of the admin accounts, create a new container and a new -object in that container: - - curl -v -X PUT \ - -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures - - curl -v -X PUT \ - -H 'X-Auth-Token: AUTH_tk4097146ed3814e026209556eeb121fe0' \ - -H 'Content-Length: 0' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png - -Grant permission for jsmith to list and download objects from the -pictures container: - - curl -v -X POST \ - -H 'X-Auth-Token: AUTH_tkdbf7725c1e4ad1ebe9ab0d7098d425f2' \ - -H 'X-Container-Read: jsmith' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures - -List the container contents using the authentication token for jsmith: - - curl -v -X GET \ - -H 'X-Auth-Token: AUTH_tkef8b417ac0c2a73a80ab3b8db85254e2' \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures - -Try to access a resource without an authentication token. This will -return a 303 redirect: - - curl -v -X GET \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png - -For curl to follow the redirect, you need to specify additional -options. With these, and with a current Kerberos ticket, you should -get the Kerberos user's cached authentication token, or a new one if -the previous token has expired. - - curl -v -u : --negotiate --location-trusted -X GET \ - http://rhs1.example.com:8080/v1/AUTH_rhs_ufo1/pictures/pic1.png - -* Implementation Details - -** Architecture - -The Swift API is HTTP-based. As described in the Swift documentation -[1], clients first make a request to an authentication URL, providing -a username and password. The reply contains a token which is used in -all subsequent requests. - -Swift has a chain of filters through which all client requests go. The -filters to use are configured with the pipeline parameter in -/etc/swift/proxy-server.conf: - - [pipeline:main] - pipeline = healthcheck cache tempauth proxy-server - -For the single sign authentication, we added a new filter called -"kerbauth" and put it into the filter pipeline in place of tempauth. - -The filter checks the URL for each client request. If it matches the -authentication URL, the client is redirected to a URL on a different -server. The URL is handled by a CGI script, which is set up to -authenticate the client with Kerberos negotiation, retrieve the user's -system groups [2], store them in a memcache ring shared with the Swift -server, and return the authentication token to the client. - -When the client provides the token as part of a resource request, the -kerbauth filter checks it against its memcache, grants administrator -rights based on the group membership retrieved from memcache, and -either grants or denies the resource access. - -[1] http://docs.openstack.org/api/openstack-object-storage/1.0/content/authentication-object-dev-guide.html - -[2] The user data and system groups are usually provided by Red Hat - Enterprise Linux identity Management or Microsoft Active - Directory. The script relies on the system configuration to be set - accordingly (/etc/nsswitch.conf). - -** swiftkerbauth.py - -The script /usr/lib/python2.6/site-packages/swiftkerbauth.py began as -a copy of the tempauth.py script from -/usr/lib/python2.6/site-packages/swift/common/middleware. It contains -the following modifications, among others: - -In the __init__ method, we read the ext_authentication_url parameter -from /etc/swift/proxy-server.conf. This is the URL that clients are -redirected to when they access either the Swift authentication URL, or -when they request a resource without a valid authentication token. - -The configuration in proxy-server.conf looks like this: - - [filter:kerbauth] - paste.filter_factory = swiftkerbauth:filter_factory - ext_authentication_url = http://rhel6-4.localdomain/cgi-bin/swift-auth - -The authorize method was changed so that global administrator rights -are granted if the user is a member of the auth_reseller_admin -group. Administrator rights for a specific account like vol1 are -granted if the user is a member of the auth_vol1 group. [3] - -The denied_response method was changed to return a HTTP redirect to -the external authentication URL if no valid token was provided by the -client. - -Most of the handle_get_token method was moved to the external -authentication script. This method now returns a HTTP redirect. - -In the __call__ and get_groups method, we removed support for the -HTTP_AUTHORIZATION header, which is only needed when Amazon S3 is -used. - -Like tempauth.py, swiftkerbauth.py uses a Swift wrapper to access -memcache. This wrapper converts the key to an MD5 hash and uses the -hash value to determine on which of a pre-defined list of servers to -store the data. - -[3] "auth" is the default reseller prefix, and would be different if - the reseller_prefix parameter in proxy-server.conf was set. - -** swift-auth CGI Script - -swift-auth resides on an Apache server and assumes that Apache is -configured to authenticate the user before this script is -executed. The script retrieves the username from the REMOTE_USER -environment variable, and checks if there already is a token for this -user in the memcache ring. If not, it generates a new one, retrieves -the user's system groups with "id -Gn USERNAME", stores this -information in the memcache ring, and returns the token to the client. - -For the Swift filter to be able to find the information, it was -important to use the Swift memcached module. Because we don't want to -require a full Swift installation on the authentication server, -/usr/lib/python2.6/site-packages/swift/common/memcached.py from the -Swift server was copied to /var/www/cgi-bin on the Apache server. - -To allow the CGI script to connect to memcache, the SELinux booleans -httpd_can_network_connect and httpd_can_network_memcache had to be -set. - -The tempauth filter uses the uuid module to generate token -strings. This module creates and runs temporary files, which leads to -AVC denial messages in /var/log/audit/audit.log when used from an -Apache CGI script. While the module still works, the audit log would -grow quickly. Instead of writing an SELinux policy module to allow or -to silently ignore these accesses, the swift-auth script uses the -"random" module for generating token strings. - -Red Hat Enterprise Linux 6 comes with Python 2.6 which only provides -method to list the locally defined user groups. To include groups from -Red Hat Enterprise Linux Identity Management and in the future from -Active Directory, the "id" command is run in a subprocess. - -* Reference Material - -Red Hat Storage Administration Guide: -https://access.redhat.com/knowledge/docs/Red_Hat_Storage/ - -Swift Documentation: -http://docs.openstack.org/developer/swift/ -- cgit