
SwiftOperator as Admin, wrong set-up or problem?

asked 2015-06-22 08:44:46 -0500

shellzero

updated 2015-06-22 09:36:31 -0500

Dear All,

I will try to be concise. I'm developing my middleware for Swift, called testMid.py, in ../swift/common/middleware/testMid.py. I want to keep it very simple to clarify the situation. The file is as follows:

from swift.common.swob import HTTPForbidden, HTTPUnauthorized


class Authorization(object):
    def __init__(self, app, conf):
        self.app = app
        self.logger = conf

    def __call__(self, environ, start_response):
        # Register the authorization callback in the WSGI environment.
        environ['swift-authorize'] = self.authorize
        return self.app(environ, start_response)

    def authorize(self, req):
        # Intended to deny the request in every case.
        if req.method == 'GET':
            return HTTPForbidden(request=req)
        if req.remote_user:
            return HTTPForbidden(request=req)
        else:
            return HTTPUnauthorized(request=req)


def test_factory(global_conf, **local_conf):
    # paste.deploy filter factory referenced from proxy-server.conf.
    conf = global_conf.copy()
    conf.update(local_conf)

    def test_filter(app):
        return Authorization(app, conf)
    return test_filter

And the Swift proxy-server.conf configuration:

[DEFAULT]
log_level = DEBUG
bind_ip = ***
bind_port = ***
workers = 8
user = ***

[pipeline:main]
pipeline = healthcheck testMid cache authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:testMid]
paste.filter_factory = swift.common.middleware.testMid:test_factory

[filter:cache]
use = egg:swift#memcache
memcache_servers = 127.0.0.1:11211

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = administrator, SwiftOperator
is_admin = true
cache = swift.cache

[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
admin_tenant_name = ***
admin_user = ***
admin_password = ***
auth_host = ***
auth_port = ***
auth_protocol = ***
auth_uri = ***
signing_dir = /tmp/keystone-signing-swift

Now, when I execute a simple command on Swift with the relevant environment variables set up correctly (I'm sure), and with the right SwiftOperator user (I'm sure), Swift tells me this:

Jun 22 15:20:41 *** proxy-server: Auth Token confirmed use of v2.0 apis
Jun 22 15:20:42 *** proxy-server: Storing token in cache
Jun 22 15:20:42 *** proxy-server: Received request from user: *** with project_id : *** and roles: SwiftOperator 
Jun 22 15:20:42 *** proxy-server: Using identity: {'roles': [u'SwiftOperator'], 'user': u'***', 'tenant': (u'***', u'***')} (txn: ***-***)

And it bypasses my authorization, which should DENY the final result; instead Swift shows it. What should I do? Thanks in advance.

Jun 22 15:20:42 *** proxy-server: allow user with role swiftoperator as account admin (txn: ***-***) (client_ip: ***)
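
The callback hand-off described in the question, as an added example that is not part of the original post and not Swift's own code: a stand-alone simulation in which the proxy calls only the callable stored under `environ['swift.authorize']` and filters listed further left in the pipeline run first. `RoleAuth`, `DenyGet`, `run` and the sample requests are constructed stand-ins, and the simulation assumes that the role-based filter assigns `swift.authorize` itself, as the keystoneauth log line above suggests.

```python
# Constructed stand-ins for illustration; none of this is Swift's own code.
DENY, ALLOW = "403 Forbidden", "200 OK"

def proxy_app(environ):
    """Stand-in proxy: consults only the callback under 'swift.authorize'."""
    authorize = environ.get("swift.authorize")
    # A callback returning None means "authorized".
    return (authorize(environ) if authorize else None) or ALLOW

class RoleAuth(object):
    """Stand-in role-based auth filter that installs its own callback."""
    def __init__(self, app, operator_roles):
        self.app = app
        self.operator_roles = {r.lower() for r in operator_roles}

    def __call__(self, environ):
        environ["swift.authorize"] = self.authorize  # replaces any earlier value
        return self.app(environ)

    def authorize(self, environ):
        roles = {r.lower() for r in environ.get("roles", [])}
        return None if roles & self.operator_roles else DENY

class DenyGet(object):
    """Custom filter: veto GET, otherwise defer to the callback already set."""
    def __init__(self, app, key="swift.authorize"):
        self.app, self.key = app, key

    def __call__(self, environ):
        previous = environ.get(self.key)

        def authorize(env):
            if env["REQUEST_METHOD"] == "GET":
                return DENY
            return previous(env) if previous else None

        environ[self.key] = authorize
        return self.app(environ)

def run(pipeline, method="GET", roles=("SwiftOperator",)):
    """Send one constructed request through a pipeline, return its status."""
    return pipeline({"REQUEST_METHOD": method, "roles": list(roles)})

OPS = ["administrator", "SwiftOperator"]
before_auth = DenyGet(RoleAuth(proxy_app, OPS))  # custom filter runs first
wrong_key = RoleAuth(DenyGet(proxy_app, "swift-authorize"), OPS)
after_auth = RoleAuth(DenyGet(proxy_app), OPS)  # custom filter runs last
```

In this simulation, `after_auth` corresponds to a pipeline line that lists the custom filter to the right of the role-based filter, and it is the only arrangement in which the GET is denied.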

2 answers


answered 2015-06-25 06:46:23 -0500

shellzero

Mmm... It is strange; I don't understand why my middleware doesn't load swift.authorize, while the examples of other auth middleware do. And the code that I have developed is almost the same.


answered 2015-06-22 10:04:29 -0500

mpetason

It depends on what the role has permissions to do. You could use something like the link below to set up Policy if you want to get away from permissions:

https://github.com/stackforge/swiftpo...

This may help with what you are looking for.


Comments

Dear mpetason, I want to keep the normal authentication (e.g. LDAP), but for each or some Swift commands (e.g. via the command-line interface) I want to decide whether to allow or deny it, using my middleware. The problem is that the authorization function is not considered by Swift; the code seems to be bypassed.

shellzero (2015-06-23 06:17:47 -0500)

If you look at the other services, they use a policy.json to manage this. They assign roles to available actions within OpenStack. This may be something you would want to include. I'm not a developer, so I can't help much beyond that. Hopefully someone else can provide more info.

mpetason (2015-06-23 10:39:53 -0500)
