swiftonfile/doc/markdown/swiftkerbauth/swiftkerbauth_guide.md

#swiftkerbauth

• [Installing Kerberos module for Apache] (#httpd-kerb-install)
• [Creating HTTP Service Principal] (#http-principal)
• [Installing and configuring swiftkerbauth] (#install-swiftkerbauth)
• [Using swiftkerbauth] (#use-swiftkerbauth)
• [Configurable Parameters] (#config-swiftkerbauth)
• [Functional tests] (#swfunctest)

## Installing Kerberos module for Apache on IPA client

Install httpd server with kerberos module:

yum install httpd mod_auth_kerb

service httpd restart

Check if auth_kerb_module is loaded :

httpd -M | grep kerb

Change httpd log level to debug by adding/changing the following in /etc/httpd/conf/httpd.conf file

LogLevel debug

httpd logs are at /var/log/httpd/error_log for troubleshooting

If SELinux is enabled, allow Apache to connect to memcache and activate the changes by running

setsebool -P httpd_can_network_connect 1

setsebool -P httpd_can_network_memcache 1

---

## Creating HTTP Service Principal on IPA server

Add a HTTP Kerberos service principal :

ipa service-add HTTP/client.rhelbox.com@RHELBOX.COM

Retrieve the HTTP service principal to a keytab file:

ipa-getkeytab -s server.rhelbox.com -p HTTP/client.rhelbox.com@RHELBOX.COM -k /tmp/http.keytab

Copy keytab file to client:

scp /tmp/http.keytab root@192.168.56.101:/etc/httpd/conf/http.keytab

Creating HTTP Service Principal on Windows AD server

Add a HTTP Kerberos service principal:

c:>ktpass.exe -princ HTTP/fcclient.winad.com@WINAD.COM -mapuser auth_admin@WINAD.COM -pass Redhat*123 -out c:\HTTP.keytab -crypto DES-CBC-CRC -kvno 0

Use winscp to copy HTTP.ketab file to /etc/httpd/conf/http.keytab

---

##Installing and configuring swiftkerbauth on IPA client

Prerequisites for installing swiftkerbauth

• swift (havana)
• gluster-swift (optional)

You can install swiftkerbauth using one of these three ways:

Installing swiftkerbauth from source:

python setup.py install

Installing swiftkerbauth using pip:

pip install swiftkerbauth

Installing swiftkerbauth from RPMs:

./makerpm.sh

rpm -ivh dist/swiftkerbauth-1.0.0-1.noarch.rpm

Edit /etc/httpd/conf.d/swift-auth.conf and change KrbServiceName, KrbAuthRealms and Krb5KeyTab parameters accordingly. More detail on configuring kerberos for apache can be found at: auth_kerb_module Configuration

Make /etc/httpd/conf/http.keytab readable by any user :

chmod 644 /etc/httpd/conf/http.keytab

And preferably change owner of keytab file to apache :

chown apache:apache /etc/httpd/conf/http.keytab

Reload httpd

service httpd reload

Make authentication script executable:

chmod +x /var/www/cgi-bin/swift-auth

---

##Using swiftkerbauth

Adding kerbauth filter in swift pipeline

Edit /etc/swift/proxy-server.conf and add a new filter section as follows:

[filter:kerbauth]
use = egg:swiftkerbauth#kerbauth
ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
auth_mode=passive

Add kerbauth to pipeline

[pipeline:main]
pipeline = catch_errors healthcheck proxy-logging cache proxy-logging kerbauth proxy-server

If the Swift server is not one of your Gluster nodes, edit /etc/swift/fs.conf and change the following lines in the DEFAULT section:

mount_ip = RHS_NODE_HOSTNAME
remote_cluster = yes

Restart swift to activate kerbauth filer

swift-init main restart

###Examples

####Authenticate user and get Kerberos ticket

kinit auth_admin

NOTE: curl ignores user specified in -u option. All further curl commands will use the currently authenticated auth_admin user.

####Get an authentication token:

curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> GET /auth/v1.0 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
>
< HTTP/1.1 303 See Other
< Content-Type: text/html; charset=UTF-8
< Location: http://client.rhelbox.com/cgi-bin/swift-auth
< Content-Length: 0
< X-Trans-Id: txecd415aae89b4320b6145-0052417ea5
< Date: Tue, 24 Sep 2013 11:59:33 GMT
<
* Connection #0 to host client.rhelbox.com left intact
* Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
* About to connect() to client.rhelbox.com port 80 (#1)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
> GET /cgi-bin/swift-auth HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Tue, 24 Sep 2013 11:59:33 GMT
< Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Swift Authentication"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #1 to host client.rhelbox.com left intact
* Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
* Re-using existing connection! (#1) with host (nil)
* Connected to (nil) (192.168.56.101) port 80 (#1)
* Server auth using GSS-Negotiate with user ''
> GET /cgi-bin/swift-auth HTTP/1.1
> Authorization: Negotiate YIICYgYJKoZIhvcSAQICAQBuggJRMIICTaADAgEFoQMCAQ6iBwMFACAAAACjggFgYYIBXDCCAVigAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARkwggEVoAMCARKhAwIBAaKCAQcEggEDx9SH2R90RO4eAkhsNKow/DYfjv1rWhgxNRqj/My3yslASSgefls48VdDNHVVWqr1Kd6mB/9BIoumpA+of+KSAg2QfPtcWiVFj5n5Fa8fyCHyQPvV8c92KzUdrBPc8OVn0aldFp0I4P1MsYZbnddDRSH3kjVA5oSucHF59DhZWiGJV/F6sVimBSeoTBHQD38Cs5RhyDHNyUad9v3gZERVGCJXC76i7+yyaoIDA+N9s0hasHajhTnjs3XQBYfZFwp8lWl3Ub+sOtPO1Ng7mFlSAYXCM6ljlKTEaxRwaYoXUC1EoIqEOG/8pC9SJThS2M1G7MW1c5xm4lksNss72OH4gtPns6SB0zCB0KADAgESooHIBIHFrLtai5U8ajEWo1J9B26PnIUqLd+uA0KPd2Y2FjrH6rx4xT8qG2p8i36SVGubvwBVmfQ7lSJcXt6wUvb43qyPs/fMiSY7QxHxt7/btMgxQl6JWMagvXMhCNXnhEHNNaTdBcG5KFERDGeo0txaAD1bzZ4mnxCQmoqusGzZ6wdDw6+5wq1tK/hQTQUgk2NwxfXAg2J5K02/3fKjFR2h7zewI1pEyhhpeONRkkRETcyojkK2EbVzZ8kc3RsuwzFYsJ+9u5Qj3E4=
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 24 Sep 2013 11:59:33 GMT
< Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
< WWW-Authenticate: Negotiate YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRveeZTV/QRJSIOoOWPbZkEmtdug9V5ZcMGXWqAJvCAnrvw9gHbklMyLl8f8jU2e0wU3ehtchLEL4dVeAYgKsnUgw4wGhHu59AZBwSbHRKSpv3I6gWEZqC4NAEuZJFW9ipdUHOiclBQniVXXCsRF/5Y
< X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
< X-Debug-Remote-User: auth_admin
< X-Debug-Groups: auth_admin,auth_reseller_admin
< X-Debug-Token-Life: 86400s
< X-Debug-Token-Expires: Wed Sep 25 17:29:33 2013
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #1 to host (nil) left intact
* Closing connection #0
* Closing connection #1

The header X-Auth-Token in response contains the token AUTH_tk083b8abc92f4a514f34224a181ed568a.

####PUT a container

curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> PUT /v1/AUTH_myvolume/c1 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
> X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
>
< HTTP/1.1 201 Created
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: txc420b0ebf9714445900e8-0052418863
< Date: Tue, 24 Sep 2013 12:41:07 GMT
<
* Connection #0 to host client.rhelbox.com left intact
* Closing connection #0

####GET a container listing

curl -v -X GET -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> GET /v1/AUTH_myvolume HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
> X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
>
< HTTP/1.1 200 OK
< Content-Length: 3
< X-Account-Container-Count: 0
< Accept-Ranges: bytes
< X-Account-Object-Count: 0
< X-Bytes-Used: 0
< X-Timestamp: 1379997117.09468
< X-Object-Count: 0
< X-Account-Bytes-Used: 0
< X-Type: Account
< Content-Type: text/plain; charset=utf-8
< X-Container-Count: 0
< X-Trans-Id: tx89826736a1ab4d6aae6e3-00524188dc
< Date: Tue, 24 Sep 2013 12:43:08 GMT
<
c1
* Connection #0 to host client.rhelbox.com left intact
* Closing connection #0

####PUT an object in container

curl -v -X PUT -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1 -d'Hello world'

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> PUT /v1/AUTH_myvolume/c1/object1 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
> X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
> Content-Length: 11
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 11 out of 11 bytes
< HTTP/1.1 201 Created
< Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
< Content-Length: 0
< Etag: 3e25960a79dbc69b674cd4ec67a72c62
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: tx01f1b5a430cf4af3897be-0052427dc0
< Date: Wed, 25 Sep 2013 06:08:01 GMT
<
* Connection #0 to host client.rhelbox.com left intact
* Closing connection #0

####Give permission to jsmith to list and download objects from c1 container

curl -v -X POST -H 'X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a' -H 'X-Container-Read: jsmith' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> POST /v1/AUTH_myvolume/c1 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
> X-Auth-Token: AUTH_tk083b8abc92f4a514f34224a181ed568a
> X-Container-Read: jsmith
>
< HTTP/1.1 204 No Content
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
< X-Trans-Id: txcedea3e2557d463eb591d-0052427f60
< Date: Wed, 25 Sep 2013 06:14:56 GMT
<
* Connection #0 to host client.rhelbox.com left intact
* Closing connection #0

####Access container as jsmith

kinit jsmith

Get token for jsmith

curl -v -u : --negotiate --location-trusted http://client.rhelbox.com:8080/auth/v1.0

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> GET /auth/v1.0 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
>
< HTTP/1.1 303 See Other
< Content-Type: text/html; charset=UTF-8
< Location: http://client.rhelbox.com/cgi-bin/swift-auth
< Content-Length: 0
< X-Trans-Id: txf51e1bf7f8c5496f8cc93-005242800b
< Date: Wed, 25 Sep 2013 06:17:47 GMT
<
* Connection #0 to host client.rhelbox.com left intact
* Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
* About to connect() to client.rhelbox.com port 80 (#1)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 80 (#1)
> GET /cgi-bin/swift-auth HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Date: Wed, 25 Sep 2013 06:17:47 GMT
< Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Basic realm="Swift Authentication"
< Content-Length: 381
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #1 to host client.rhelbox.com left intact
* Issue another request to this URL: 'http://client.rhelbox.com/cgi-bin/swift-auth'
* Re-using existing connection! (#1) with host (nil)
* Connected to (nil) (192.168.56.101) port 80 (#1)
* Server auth using GSS-Negotiate with user ''
> GET /cgi-bin/swift-auth HTTP/1.1
> Authorization: Negotiate YIICWAYJKoZIhvcSAQICAQBuggJHMIICQ6ADAgEFoQMCAQ6iBwMFACAAAACjggFbYYIBVzCCAVOgAwIBBaENGwtSSEVMQk9YLkNPTaIlMCOgAwIBA6EcMBobBEhUVFAbEmNsaWVudC5yaGVsYm94LmNvbaOCARQwggEQoAMCARKhAwIBAaKCAQIEgf/+3OaXYCSEjcsjU3t3lOLcYG84GBP9Kj9YTHc7yVMlcam4ivCwMqCkzxgvNo2E3a5KSWyFwngeX4b/QFbCKPXA4sfBibZRkeMk5gr2f0MLI3gWEAIYq7bJLre04bnkD2F0MzijPJrOLIx1KmFe08UGWCEmnG2uj07lvIR1RwV/7dMM4J1B+KKvDVKA0LxahwPIpx8oOON2yMGcstrBAHBBk5pmpt1Gg9Lh7xdNPsjP0IfI5Q0zkGCRBKpvpXymP1lQpQXlHbqkdBYOmG4+p/R+vIosO4ui1G6GWE9t71h3AqW61CcCj3/oOjZsG56k8HMSNk/+3mfUTP86nzLRGkekgc4wgcugAwIBEqKBwwSBwPsG9nGloEnOsA1abP4R1/yUDcikjjwKiacvZ+cu7bWEzu3L376k08U8C2YIClyUJy3Grt68LxhnfZ65VCZ5J5IOLiXOJnHBIoJ1L4GMYp4EgZzHvI7R3U3DApMzNWZwc1MsSF5UGhmLwxSevDLetJHjgKzKNteRyVN/8CFgjSBEjGSN1Qgy1RZHuQR9d3JHPczONZ4+ZgStfy+I1m2IUIgW3+4JGFVafHiBQVwSWRNfdXFgI3wBz7slntd7r3qMWA==
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 25 Sep 2013 06:17:47 GMT
< Server: Apache/2.4.6 (Fedora) mod_auth_kerb/5.4
< WWW-Authenticate: Negotiate YIGYBgkqhkiG9xIBAgICAG+BiDCBhaADAgEFoQMCAQ+ieTB3oAMCARKicARuH2YpjFrtgIhGr5nO7gh/21EvGH9tayRo5A3pw5pxD1B1036ePLG/x98OdMrSflse5s8ttz8FmvRphCFJa8kfYtnWULgoFLF2F2a1zBdSo2oCA0R05YFwArNhkg6ou5o7wWZkERHK33CKlhudSj8=
< X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
< X-Debug-Remote-User: jsmith
< X-Debug-Groups: jsmith
< X-Debug-Token-Life: 86400s
< X-Debug-Token-Expires: Thu Sep 26 11:47:47 2013
< Content-Length: 0
< Content-Type: text/html; charset=UTF-8
<
* Connection #1 to host (nil) left intact
* Closing connection #0
* Closing connection #1

List the container using authentication token for jsmith:

curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> GET /v1/AUTH_myvolume/c1 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
> X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
>
< HTTP/1.1 200 OK
< Content-Length: 8
< X-Container-Object-Count: 0
< Accept-Ranges: bytes
< X-Timestamp: 1
< X-Container-Bytes-Used: 0
< Content-Type: text/plain; charset=utf-8
< X-Trans-Id: tx575215929c654d9f9f284-00524280a4
< Date: Wed, 25 Sep 2013 06:20:20 GMT
<
object1
* Connection #0 to host client.rhelbox.com left intact
* Closing connection #0

Downloading the object as jsmith:

curl -v -X GET -H 'X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447' http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1

* About to connect() to client.rhelbox.com port 8080 (#0)
*   Trying 192.168.56.101...
* connected
* Connected to client.rhelbox.com (192.168.56.101) port 8080 (#0)
> GET /v1/AUTH_myvolume/c1/object1 HTTP/1.1
> User-Agent: curl/7.27.0
> Host: client.rhelbox.com:8080
> Accept: */*
> X-Auth-Token: AUTH_tkb5a20eb8207a819e76619431c8410447
>
< HTTP/1.1 200 OK
< Content-Length: 11
< Accept-Ranges: bytes
< Last-Modified: Wed, 25 Sep 2013 06:08:00 GMT
< Etag: 3e25960a79dbc69b674cd4ec67a72c62
< X-Timestamp: 1380089280.98829
< Content-Type: application/x-www-form-urlencoded
< X-Trans-Id: tx19b5cc3847854f40a6ca8-00524281aa
< Date: Wed, 25 Sep 2013 06:24:42 GMT
<
* Connection #0 to host client.rhelbox.com left intact
Hello world* Closing connection #0

For curl to follow the redirect, you need to specify additional options. With these, and with a current Kerberos ticket, you should get the Kerberos user's cached authentication token, or a new one if the previous token has expired.

curl -v -u : --negotiate --location-trusted -X GET http://client.rhelbox.com:8080/v1/AUTH_myvolume/c1/object1

The --negotiate option is for curl to perform Kerberos authentication and --location-trusted is for curl to follow the redirect.

Get an authentication token when auth_mode=passive:

curl -v -H 'X-Auth-User: test:auth_admin' -H 'X-Auth-Key: Redhat*123' http://127.0.0.1:8080/auth/v1.0

NOTE: X-Storage-Url response header can be returned only in passive mode.

##Configurable Parameters

The kerbauth filter section in /etc/swift/proxy-server.conf looks something like this:

[filter:kerbauth]
use = egg:swiftkerbauth#kerbauth
ext_authentication_url = http://client.rhelbox.com/cgi-bin/swift-auth
auth_method = active
token_life = 86400
debug_headers = yes
realm_name = RHELBOX.COM

Of all the options listed above, specifying ext_authentication_url is mandatory. The rest of the options are optional and have default values.

ext_authentication_url

A URL specifying location of the swift-auth CGI script. Avoid using IP address.
Default value: None

token_life

After how many seconds the cached information about an authentication token is discarded.
Default value: 86400

debug_headers

When turned on, the response headers sent to the user will contain additional debug information apart from the auth token.
Default value: yes

auth_method

Set this to "active" when you want to allow access only to clients residing inside the domain. In this mode, authentication is performed by mod_auth_kerb using the Kerberos ticket bundled with the client request. No username and password have to be specified to get a token.
Set this to "passive" when you want to allow access to clients residing outside the domain. In this mode, authentication is performed by gleaning username and password from request headers (X-Auth-User and X-Auth-Key) and running kinit command against it.
Default value: passive

realm_name

This is applicable only when the auth_method=passive. This option specifies realm name if storage server belongs to more than one realm and realm name is not part of the username specified in X-Auth-User header.

##Functional tests for SwiftkerbAuth

Functional tests to be run on the storage node after SwiftKerbAuth is setup using either IPA server or Windows AD. The gluster-swift/doc/markdown/swiftkerbauth directory contains the SwiftkerbAuth setup documents. There are two modes of working with SwiftKerbAuth. 'PASSIVE' mode indicates the client is outside the domain configured using SwiftKerbAuth. Client provides the 'Username' and 'Password' while invoking a command. SwiftKerbAuth auth filter code then would get the ticket granting ticket from AD server or IPA server. In 'ACTIVE' mode of SwiftKerbAuth, User is already logged into storage node using its kerberos credentials. That user is authenticated across AD/IPA server.

In PASSIVE mode all the generic functional tests are run. ACTIVE mode has a different way of acquiring Ticket Granting Ticket. And hence the different framework of functional tests there.

The accounts, users, passwords must be prepared on AD/IPA server as per mentioned in test/functional_auth/swiftkerbauth/conf/test.conf

Command to invoke SwiftKerbAuth functional tests is

$tox -e swfunctest

This would run both ACTIVE and PASSIVE mode functional test cases.