TOKEN-BASED AUTH MIDDLEWARE
This WSGI component:
Refer to: http://keystone.openstack.org/middlewarearchitecture.html
Bases: object
Auth Middleware that handles authenticating client calls.
Return admin token, possibly fetching a new one.
Returns: admin token id
Raises: ServiceError when unable to retrieve token from keystone
Bases: exceptions.Exception
Bases: exceptions.Exception
Returns a WSGI filter app for use with paste.deploy.
Bases: keystone.common.wsgi.Middleware
A trivial filter that checks for a pre-defined admin token.
Sets ‘is_admin’ to true in the context, expected to be checked by methods that are admin-only.
Bases: keystone.common.wsgi.Middleware
Middleware to allow method arguments to be passed as serialized JSON.
Accepting arguments as JSON is useful for accepting data that may be more complex than simple primitives.
In this case we accept it as urlencoded data under the key ‘json’ as in json=<urlencoded_json> but this could be extended to accept raw JSON in the POST body.
Filters out the parameters self, context and anything beginning with an underscore.
Bases: keystone.common.wsgi.Middleware
Middleware filter to handle URL normalization.
Normalizes URLs.
Bases: keystone.common.wsgi.Middleware
Middleware to allow method arguments to be passed as POST parameters.
Filters out the parameters self, context and anything beginning with an underscore.
Bases: keystone.common.wsgi.Middleware
Bases: keystone.common.wsgi.Middleware
De/serializes XML to/from JSON.
Transform the request from XML to JSON.
Transform the response from JSON to XML.
S3 TOKEN MIDDLEWARE
This WSGI component:
Bases: object
Auth Middleware that handles S3 authenticating client calls.
Bases: exceptions.Exception
Returns a WSGI filter app for use with paste.deploy.
Bases: object
Swift middleware to Keystone authorization system.
In Swift’s proxy-server.conf add this middleware to your pipeline:
[pipeline:main]
pipeline = catch_errors cache authtoken keystone proxy-server
Make sure you have the authtoken middleware before the swiftauth middleware. authtoken will take care of validating the user and swiftauth will authorize access. If support is required for unvalidated users (as with anonymous access) or for tempurl/formpost middleware, authtoken will need to be configured with delay_auth_decision set to 1. See the documentation for more detail on how to configure the authtoken middleware.
Set account auto creation to true:
[app:proxy-server]
account_autocreate = true
And add a swift authorization filter section, such as:
[filter:keystone]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
operator_roles = admin, swiftoperator
This maps tenants to accounts in Swift.
The users able to grant ACLs and create containers are those holding a role listed in the operator_roles setting, which by default includes the admin and the swiftoperator roles.
If the option is_admin is set to true, the user whose name is the same as the account name is allowed to be the owner.
Example: If we have the account called hellocorp with a user hellocorp, that user will be admin on that account and can give ACL to all other users for hellocorp.
If you need a different reseller_prefix in order to mix different auth servers, you can configure the option reseller_prefix in your swiftauth entry like this:
reseller_prefix = NEWAUTH_
Make sure you have an underscore at the end of your new reseller_prefix option.
Authorize an anonymous request.
Returns: None if authorization is granted, an error page otherwise.
Deny WSGI Response.
Returns a standard WSGI response callable with the status of 403 or 401 depending on whether the REMOTE_USER is set or not.
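The Swift authorization rules described above (tenant-to-account mapping, operator_roles, is_admin, reseller_prefix and the 401/403 deny response), as an added example: this is a simplified model written for this page, not keystone's own middleware code, and it leaves out container ACLs and anonymous access. The function names, the shape of the identity dict, the AUTH_ default prefix, the account name being reseller_prefix plus tenant id, and case-insensitive role matching are assumptions.

```python
# Added illustration; a simplified model, not keystone's swift_auth implementation.

def parse_roles(value):
    """Split an operator_roles value such as 'admin, swiftoperator'."""
    return {r.strip().lower() for r in value.split(",") if r.strip()}


def check_reseller_prefix(prefix):
    """Enforce the trailing underscore the page asks for."""
    if not prefix.endswith("_"):
        raise ValueError("reseller_prefix must end with '_': %r" % prefix)
    return prefix


def authorize(identity, account, conf):
    """Return None if access is granted, else the HTTP status for the denial.

    identity is None when no validated user (REMOTE_USER) is present, otherwise
    a dict with 'user', 'tenant_id', 'tenant_name' and 'roles' (assumed shape).
    """
    if identity is None:
        return 401  # nobody authenticated: ask for credentials
    # Assumption: AUTH_ is the prefix when reseller_prefix is not configured.
    prefix = check_reseller_prefix(conf.get("reseller_prefix", "AUTH_"))
    # Assumption: account name = reseller_prefix + tenant id.
    if account != prefix + identity["tenant_id"]:
        return 403  # authenticated, but this is another tenant's account
    wanted = parse_roles(conf.get("operator_roles", "admin, swiftoperator"))
    # Assumption: role names are compared case-insensitively.
    if wanted & {r.lower() for r in identity["roles"]}:
        return None  # holds an operator role
    is_admin = conf.get("is_admin", "false").lower() == "true"
    if is_admin and identity["user"] == identity["tenant_name"]:
        return None  # user named like the account owns it
    return 403


# Constructed sample data, mirroring the hellocorp example.
CONF = {"operator_roles": "admin, swiftoperator", "is_admin": "true"}
OWNER = {"user": "hellocorp", "tenant_id": "t1", "tenant_name": "hellocorp",
         "roles": ["member"]}
GUEST = {"user": "bob", "tenant_id": "t1", "tenant_name": "hellocorp",
         "roles": ["member"]}

if __name__ == "__main__":
    for who in (OWNER, GUEST, None):
        print(who and who["user"], authorize(who, "AUTH_t1", CONF))
```

With is_admin left at false in this model, the hellocorp user without an operator role is denied with 403, which is the case to check before enabling that option on a shared deployment.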
Returns a WSGI filter app for use with paste.deploy.