Tim Burke 2a84fe7c69 Stop using client headers for cross-middleware communication
Previously, Swift3 used client-facing HTTP headers to pass the S3 access
key, signature, and normalized request through the WSGI pipeline.
However, swauth did not validate that Swift3 actually set the headers;
as a result, an attacker who has captured a single valid request through
the S3 API may impersonate the user that issued the request indefinitely
through the Swift API.

Now, the S3 authentication information will be taken from a separate,
client-inaccessible namespace in the WSGI environment as defined in the
related change.

UpgradeImpact

This addresses a breaking API change in Swift3. No currently deployed
version of Swift3 will work with this. When upgrading swauth, operators
will need to upgrade Swift3 as well.

Change-Id: Ie5481a316397f46734e9dd0e77a8a87197ceec16
Related-Change: Ia3fbb4938f0daa8845cba4137a01cc43bc1a713c
2017-12-09 15:54:01 +00:00
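The header-versus-environ distinction the commit message describes, as an added Python example (not code from swauth or swift3): a stand-in S3 middleware, a stand-in swauth check in its old form (reading client headers) and its new form (reading a private WSGI environ namespace), and a replay of captured values against both. The environ key `swift3.auth_details`, the `X-S3-*` header names, the toy signing scheme and the user table are all assumptions constructed for the demonstration; the real names and layout are defined by the related change, not here.

```python
import hashlib
import hmac

# Constructed user table: S3 access key -> (Swift user, S3 secret).
USERS = {'AKIATEST': ('test:tester', 'testing')}

# Assumed name of the private environ namespace. WSGI servers only ever
# create HTTP_<NAME> keys from client headers, so a client cannot set it.
AUTH_DETAILS_KEY = 'swift3.auth_details'


def build_environ(method, path, headers):
    """Constructed stand-in for a WSGI server's request-to-environ mapping."""
    environ = {'REQUEST_METHOD': method, 'PATH_INFO': path}
    for name, value in headers.items():
        environ['HTTP_' + name.upper().replace('-', '_')] = value
    return environ


def string_to_sign(environ):
    """Toy canonical request: binds the signature to the method, path and
    date actually received (real S3 signing covers more fields)."""
    return '\n'.join([environ['REQUEST_METHOD'], environ['PATH_INFO'],
                      environ.get('HTTP_DATE', '')])


def sign(secret, text):
    return hmac.new(secret.encode(), text.encode(), hashlib.sha1).hexdigest()


def s3_middleware(environ):
    """Stand-in for swift3: parse 'AWS <access>:<signature>', derive the
    string to sign from the real request, and pass everything on through
    the client-inaccessible environ key rather than through headers."""
    auth = environ.get('HTTP_AUTHORIZATION', '')
    if auth.startswith('AWS ') and ':' in auth:
        access_key, signature = auth[4:].split(':', 1)
        environ[AUTH_DETAILS_KEY] = {
            'access_key': access_key,
            'signature': signature,
            'string_to_sign': string_to_sign(environ),
        }
    return environ


def check_signature(details):
    """Shared verification: returns the Swift user on success, else None."""
    entry = USERS.get(details['access_key'])
    if entry is None:
        return None
    user, secret = entry
    expected = sign(secret, details['string_to_sign'])
    return user if hmac.compare_digest(expected, details['signature']) else None


def auth_before(environ):
    """Vulnerable pattern (hypothetical X-S3-* names): access key, signature
    AND string to sign all come from client-settable headers, so one
    captured triple validates forever, for any request."""
    if 'HTTP_X_S3_ACCESS_KEY' not in environ:
        return None
    return check_signature({
        'access_key': environ['HTTP_X_S3_ACCESS_KEY'],
        'signature': environ.get('HTTP_X_S3_SIGNATURE', ''),
        'string_to_sign': environ.get('HTTP_X_S3_STRING_TO_SIGN', ''),
    })


def auth_after(environ):
    """Fixed pattern: only details placed in environ by the S3 middleware
    count; without that key the request carries no S3 authentication."""
    details = environ.get(AUTH_DETAILS_KEY)
    return check_signature(details) if details else None


def demo():
    date = 'Sat, 09 Dec 2017 15:54:01 GMT'
    # 1. A legitimate S3 request, which the attacker is assumed to capture.
    legit = build_environ('GET', '/bucket/key', {'Date': date})
    sig = sign('testing', string_to_sign(legit))
    legit['HTTP_AUTHORIZATION'] = 'AWS AKIATEST:' + sig
    s3_middleware(legit)
    # 2. Captured values pasted into headers of an unrelated request sent
    #    straight to the Swift API, bypassing the S3 middleware entirely.
    replay = build_environ('DELETE', '/bucket/other', {
        'X-S3-Access-Key': 'AKIATEST',
        'X-S3-Signature': sig,
        'X-S3-String-To-Sign': string_to_sign(legit),
        'swift3.auth_details': 'forged',  # lands as HTTP_SWIFT3.AUTH_DETAILS
    })
    # 3. Captured Authorization header replayed through the S3 middleware
    #    for a different request: the recomputed string to sign differs.
    #    (An exact replay of the original request is for the date-freshness
    #    check to reject; that is outside this example.)
    via_s3 = s3_middleware(build_environ('DELETE', '/bucket/other', {
        'Date': date, 'Authorization': legit['HTTP_AUTHORIZATION']}))
    return {
        'legit': auth_after(legit),            # 'test:tester'
        'replay_before': auth_before(replay),  # 'test:tester' (impersonation)
        'replay_after': auth_after(replay),    # None
        'via_s3_after': auth_after(via_s3),    # None
    }
```

The point of the fix is the last two results: once the auth middleware only reads the environ key, a request that never passed through the S3 middleware has no S3 identity at all, and a replay that does pass through it is re-bound to the request actually received. This is also why the change breaks older Swift3 releases, which never populate that key.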

Swauth

An Auth Service for Swift as WSGI Middleware that uses Swift itself as a backing store. Docs at: https://swauth.readthedocs.io/ or ask in #openstack-swauth on freenode IRC.

See also https://github.com/openstack/keystone for the standard OpenStack auth service.

NOTE

Be sure to review the docs at: https://swauth.readthedocs.io/

Quick Install

  1. Install Swauth with sudo python setup.py install or sudo python setup.py develop or via whatever packaging system you may be using.

  2. Alter your proxy-server.conf pipeline to have swauth instead of tempauth:

    Was:

     [pipeline:main]
     pipeline = catch_errors cache tempauth proxy-server
    

    Change To:

     [pipeline:main]
     pipeline = catch_errors cache swauth proxy-server
    
  3. Add to your proxy-server.conf the section for the Swauth WSGI filter:

     [filter:swauth]
     use = egg:swauth#swauth
     set log_name = swauth
     super_admin_key = swauthkey

  4. Be sure your proxy server allows account management:

     [app:proxy-server]
     ...
     allow_account_management = true

  5. Restart your proxy server:

     swift-init proxy reload

  6. Initialize the Swauth backing store in Swift:

     swauth-prep -K swauthkey

  7. Add an account/user:

     swauth-add-user -A http://127.0.0.1:8080/auth/ -K swauthkey -a test tester testing

  8. Ensure it works:

     swift -A http://127.0.0.1:8080/auth/v1.0 -U test:tester -K testing stat -v

Web Admin Install

  1. If you installed from packages, you'll need to cd to the webadmin directory the package installed. This is /usr/share/doc/python-swauth/webadmin with the Lucid packages. If you installed from source, you'll need to cd to the webadmin directory in the source directory.

  2. Upload the Web Admin files:

     swift -A http://127.0.0.1:8080/auth/v1.0 -U .super_admin:.super_admin -K swauthkey upload .webadmin .

  3. Open http://127.0.0.1:8080/auth/ in your browser.

Swift3 Middleware Compatibility

Swift3 middleware can be used with swauth when auth_type in swauth is configured to be Plaintext (default).

[pipeline:main]
pipeline = catch_errors cache swift3 swauth proxy-server

It can also be used with auth_type set to Sha1/Sha512, but with certain caveats and security concerns. Hence, S3 support is disabled by default and you have to explicitly enable it in your configuration. Refer to the Swift3 compatibility section in the documentation for further details.

Description
RETIRED, An alternative authentication system for Swift