 0ae1ad63c1
			
		
	
	0ae1ad63c1
	
	
	
		
			
			Beginning with the Queens release, the keystone install guide recommends running all interfaces on the same port.This patch updates the swift install guide to reflect that change Change-Id: Id00cfd2c921da352abdbbbb6668b921f3cb31a1a Closes-bug: #1754104
		
			
				
	
	
		
			383 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
			
		
		
	
	
			383 lines
		
	
	
		
			16 KiB
		
	
	
	
		
			ReStructuredText
		
	
	
	
	
	
| ===============
 | |
| The Auth System
 | |
| ===============
 | |
| 
 | |
| --------
 | |
| Overview
 | |
| --------
 | |
| 
 | |
| Swift supports a number of auth systems that share the following common
 | |
| characteristics:
 | |
| 
 | |
| * The authentication/authorization part can be an external system or a
 | |
|   subsystem run within Swift as WSGI middleware
 | |
| * The user of Swift passes in an auth token with each request
 | |
| * Swift validates each token with the external auth system or auth subsystem
 | |
|   and caches the result
 | |
| * The token does not change from request to request, but does expire
 | |
| 
 | |
| The token can be passed into Swift using the X-Auth-Token or the
 | |
| X-Storage-Token header. Both have the same format: just a simple string
 | |
| representing the token. Some auth systems use UUID tokens, some an MD5 hash of
 | |
| something unique, some use "something else" but the salient point is that the
 | |
| token is a string which can be sent as-is back to the auth system for
 | |
| validation.
 | |
| 
 | |
| Swift will make calls to the auth system, giving the auth token to be
 | |
| validated. For a valid token, the auth system responds with an overall
 | |
| expiration time in seconds from now. To avoid the overhead in validating the same
 | |
| token over and over again, Swift will cache the
 | |
| token for a configurable time, but no longer than the expiration
 | |
| time.
 | |
| 
 | |
| The Swift project includes two auth systems:
 | |
| 
 | |
| - :ref:`temp_auth`
 | |
| - :ref:`keystone_auth`
 | |
| 
 | |
| It is also possible to write your own auth system as described in
 | |
| :ref:`extending_auth`.
 | |
| 
 | |
| .. _temp_auth:
 | |
| 
 | |
| --------
 | |
| TempAuth
 | |
| --------
 | |
| 
 | |
| TempAuth is used primarily in Swift's functional test environment and can be
 | |
| used in other test environments (such as :doc:`development_saio`). It is not
 | |
| recommended to use TempAuth in a production system. However, TempAuth is fully
 | |
| functional and can be used as a model to develop your own auth system.
 | |
| 
 | |
| TempAuth has the concept of admin and non-admin users
 | |
| within an account.  Admin users can do anything within the account.
 | |
| Non-admin users can only perform read operations. However, some
 | |
| privileged metadata such as X-Container-Sync-Key is not accessible to
 | |
| non-admin users.
 | |
| 
 | |
| Users with the special group ``.reseller_admin`` can operate on any account.
 | |
| For an example usage please see :mod:`swift.common.middleware.tempauth`.
 | |
| If a request is coming from a reseller the auth system sets the request environ
 | |
| reseller_request to True. This can be used by other middlewares.
 | |
| 
 | |
| Other users may be granted the ability to perform operations on
 | |
| an account or container via ACLs. TempAuth supports two types of ACL:
 | |
| 
 | |
| - Per container ACLs based on the
 | |
|   container's ``X-Container-Read`` and ``X-Container-Write`` metadata. See
 | |
|   :ref:`container_acls` for more information.
 | |
| 
 | |
| - Per account ACLs based on the account's ``X-Account-Access-Control``
 | |
|   metadata. For more information see :ref:`account_acls`.
 | |
| 
 | |
| TempAuth will now allow OPTIONS requests to go through without a token.
 | |
| 
 | |
| The TempAuth middleware is responsible for creating its own tokens. A user
 | |
| makes a request containing their username and password and TempAuth
 | |
| responds with a token. This token is then used to perform subsequent
 | |
| requests on the user's account, containers and objects.
 | |
| 
 | |
| .. _keystone_auth:
 | |
| 
 | |
| -------------
 | |
| Keystone Auth
 | |
| -------------
 | |
| 
 | |
| Swift is able to authenticate against OpenStack Keystone_. In this
 | |
| environment, Keystone is responsible for creating and validating
 | |
| tokens. The :ref:`keystoneauth` middleware is responsible for
 | |
| implementing the auth system within Swift as described here.
 | |
| 
 | |
| The :ref:`keystoneauth` middleware supports per container based ACLs on the
 | |
| container's ``X-Container-Read`` and ``X-Container-Write`` metadata.
 | |
| For more information see :ref:`container_acls`.
 | |
| 
 | |
| The account-level ACL is not supported by Keystone auth.
 | |
| 
 | |
| In order to use the ``keystoneauth`` middleware the ``auth_token``
 | |
| middleware from KeystoneMiddleware_ will need to be configured.
 | |
| 
 | |
| The ``authtoken`` middleware performs the authentication token
 | |
| validation and retrieves actual user authentication information. It
 | |
| can be found in the KeystoneMiddleware_ distribution.
 | |
| 
 | |
| The :ref:`keystoneauth` middleware performs authorization and mapping the
 | |
| Keystone roles to Swift's ACLs.
 | |
| 
 | |
| .. _KeystoneMiddleware: https://docs.openstack.org/keystonemiddleware/latest/
 | |
| .. _Keystone: https://docs.openstack.org/keystone/latest/
 | |
| 
 | |
| .. _configuring_keystone_auth:
 | |
| 
 | |
| Configuring Swift to use Keystone
 | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 | |
| 
 | |
| Configuring Swift to use Keystone_
 | |
| is relatively straightforward.  The first
 | |
| step is to ensure that you have the ``auth_token`` middleware installed. It can
 | |
| either be dropped in your python path or installed via the KeystoneMiddleware_
 | |
| package.
 | |
| 
 | |
| You need at first make sure you have a service endpoint of type
 | |
| ``object-store`` in Keystone pointing to your Swift proxy. For example
 | |
| having this in your ``/etc/keystone/default_catalog.templates`` ::
 | |
| 
 | |
|   catalog.RegionOne.object_store.name = Swift Service
 | |
|   catalog.RegionOne.object_store.publicURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s
 | |
|   catalog.RegionOne.object_store.adminURL = http://swiftproxy:8080/
 | |
|   catalog.RegionOne.object_store.internalURL = http://swiftproxy:8080/v1/AUTH_$(tenant_id)s
 | |
| 
 | |
| On your Swift proxy server you will want to adjust your main pipeline
 | |
| and add auth_token and keystoneauth in your
 | |
| ``/etc/swift/proxy-server.conf`` like this ::
 | |
| 
 | |
|   [pipeline:main]
 | |
|   pipeline = [....] authtoken keystoneauth proxy-logging proxy-server
 | |
| 
 | |
| add the configuration for the authtoken middleware::
 | |
| 
 | |
|   [filter:authtoken]
 | |
|   paste.filter_factory = keystonemiddleware.auth_token:filter_factory
 | |
|   www_authenticate_uri = http://keystonehost:5000/
 | |
|   auth_url = http://keystonehost:5000/
 | |
|   auth_plugin = password
 | |
|   project_domain_id = default
 | |
|   user_domain_id = default
 | |
|   project_name = service
 | |
|   username = swift
 | |
|   password = password
 | |
|   cache = swift.cache
 | |
|   include_service_catalog = False
 | |
|   delay_auth_decision = True
 | |
| 
 | |
| The actual values for these variables will need to be set depending on
 | |
| your situation, but in short:
 | |
| 
 | |
| * ``www_authenticate_uri`` should point to a Keystone service from which users may
 | |
|   retrieve tokens. This value is used in the `WWW-Authenticate` header that
 | |
|   auth_token sends with any denial response.
 | |
| * ``auth_url`` points to the Keystone Admin service. This information is
 | |
|   used by the middleware to actually query Keystone about the validity of the
 | |
|   authentication tokens. It is not necessary to append any Keystone API version
 | |
|   number to this URI.
 | |
| * The auth credentials (``project_domain_id``, ``user_domain_id``,
 | |
|   ``username``, ``project_name``, ``password``) will be used to retrieve an
 | |
|   admin token. That token will be used to authorize user tokens behind the
 | |
|   scenes. These credentials must match the Keystone credentials for the Swift
 | |
|   service. The example values shown here assume a user named 'swift' with admin
 | |
|   role on a project named 'service', both being in the Keystone domain with id
 | |
|   'default'. Refer to the `KeystoneMiddleware documentation
 | |
|   <https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#configuration>`_
 | |
|   for other examples.
 | |
| 
 | |
| * ``cache`` is set to ``swift.cache``. This means that the middleware
 | |
|   will get the Swift memcache from the request environment.
 | |
| * ``include_service_catalog`` defaults to ``True`` if not set. This means
 | |
|   that when validating a token, the service catalog is retrieved
 | |
|   and stored in the ``X-Service-Catalog`` header. Since Swift does not
 | |
|   use the ``X-Service-Catalog`` header, there is no point in getting
 | |
|   the service catalog. We recommend you set ``include_service_catalog``
 | |
|   to ``False``.
 | |
| 
 | |
| 
 | |
| .. note::
 | |
| 
 | |
|     The authtoken config variable ``delay_auth_decision`` must be set to
 | |
|     ``True``. The default is ``False``, but that breaks public access,
 | |
|     :ref:`staticweb`, :ref:`formpost`, :ref:`tempurl`, and authenticated
 | |
|     capabilities requests (using :ref:`discoverability`).
 | |
| 
 | |
| and you can finally add the keystoneauth configuration. Here is a simple
 | |
| configuration::
 | |
| 
 | |
|   [filter:keystoneauth]
 | |
|   use = egg:swift#keystoneauth
 | |
|   operator_roles = admin, swiftoperator
 | |
| 
 | |
| Use an appropriate list of roles in operator_roles. For example, in
 | |
| some systems, the role ``_member_`` or ``Member`` is used to indicate
 | |
| that the user is allowed to operate on project resources.
 | |
| 
 | |
| OpenStack Service Using Composite Tokens
 | |
| ----------------------------------------
 | |
| 
 | |
| Some OpenStack services such as Cinder and Glance may use
 | |
| a "service account". In this mode, you configure a separate account where
 | |
| the service stores project data that it manages. This account is not used
 | |
| directly by the end-user. Instead, all access is done through the service.
 | |
| 
 | |
| To access the "service" account, the service must present two tokens: one from
 | |
| the end-user and another from its own service user. Only when both tokens are
 | |
| present can the account be accessed. This section describes how to set the
 | |
| configuration options to correctly control access to both the "normal" and
 | |
| "service" accounts.
 | |
| 
 | |
| In this example, end users use the ``AUTH_`` prefix in account names,
 | |
| whereas services use the ``SERVICE_`` prefix::
 | |
| 
 | |
|   [filter:keystoneauth]
 | |
|   use = egg:swift#keystoneauth
 | |
|   reseller_prefix = AUTH, SERVICE
 | |
|   operator_roles = admin, swiftoperator
 | |
|   SERVICE_service_roles = service
 | |
| 
 | |
| The actual values for these variable will need to be set depending on your
 | |
| situation as follows:
 | |
| 
 | |
| * The first item in the reseller_prefix list must match Keystone's endpoint
 | |
|   (see ``/etc/keystone/default_catalog.templates`` above). Normally
 | |
|   this is ``AUTH``.
 | |
| * The second item in the reseller_prefix list is the prefix used by the
 | |
|   OpenStack services(s). You must configure this value (``SERVICE`` in the
 | |
|   example) with whatever the other OpenStack service(s) use.
 | |
| * Set the operator_roles option to contain a role or roles that end-user's
 | |
|   have on project's they use.
 | |
| * Set the SERVICE_service_roles value to a role or roles that only the
 | |
|   OpenStack service user has. Do not use a role that is assigned to
 | |
|   "normal" end users. In this example, the role ``service`` is used.
 | |
|   The service user is granted this role to a *single* project only. You do
 | |
|   not need to make the service user a member of every project.
 | |
| 
 | |
| This configuration works as follows:
 | |
| 
 | |
| * The end-user presents a user token to an OpenStack service. The service
 | |
|   then makes a Swift request to the account with the ``SERVICE`` prefix.
 | |
| * The service forwards the original user token with the request. It also
 | |
|   adds it's own service token.
 | |
| * Swift validates both tokens. When validated, the user token gives the
 | |
|   ``admin`` or ``swiftoperator`` role(s). When validated, the service token
 | |
|   gives the ``service`` role.
 | |
| * Swift interprets the above configuration as follows:
 | |
| 
 | |
|   * Did the user token provide one of the roles listed in operator_roles?
 | |
|   * Did the service token have the ``service`` role as described by the
 | |
|     ``SERVICE_service_roles`` options.
 | |
| 
 | |
| * If both conditions are met, the request is granted. Otherwise, Swift
 | |
|   rejects the request.
 | |
| 
 | |
| In the above example, all services share the same account. You can separate
 | |
| each service into its own account. For example, the following provides a
 | |
| dedicated account for each of the Glance and Cinder services. In addition,
 | |
| you must assign the ``glance_service`` and ``cinder_service`` to the
 | |
| appropriate service users::
 | |
| 
 | |
|   [filter:keystoneauth]
 | |
|   use = egg:swift#keystoneauth
 | |
|   reseller_prefix = AUTH, IMAGE, VOLUME
 | |
|   operator_roles = admin, swiftoperator
 | |
|   IMAGE_service_roles = glance_service
 | |
|   VOLUME_service_roles = cinder_service
 | |
| 
 | |
| 
 | |
| Access control using keystoneauth
 | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 | |
| 
 | |
| By default the only users able to perform operations (e.g. create a container)
 | |
| on an account are those having a Keystone role for the corresponding Keystone
 | |
| project that matches one of the roles specified in the ``operator_roles``
 | |
| option.
 | |
| 
 | |
| Users who have one of the ``operator_roles`` will be able to set container ACLs
 | |
| to grant other users permission to read and/or write objects in specific
 | |
| containers, using ``X-Container-Read`` and ``X-Container-Write`` headers
 | |
| respectively. In addition to the ACL formats described
 | |
| :mod:`here <swift.common.middleware.acl>`, keystoneauth supports ACLs using the
 | |
| format::
 | |
| 
 | |
|  other_project_id:other_user_id.
 | |
| 
 | |
| where ``other_project_id`` is the UUID of a Keystone project and
 | |
| ``other_user_id`` is the UUID of a Keystone user. This will allow the other
 | |
| user to access a container provided their token is scoped on the other
 | |
| project. Both ``other_project_id`` and ``other_user_id`` may be replaced with
 | |
| the wildcard character ``*`` which will match any project or user respectively.
 | |
| 
 | |
| Be sure to use Keystone UUIDs rather than names in container ACLs.
 | |
| 
 | |
| .. note::
 | |
| 
 | |
|     For backwards compatibility, keystoneauth will by default grant container
 | |
|     ACLs expressed as ``other_project_name:other_user_name`` (i.e. using
 | |
|     Keystone names rather than UUIDs) in the special case when both the other
 | |
|     project and the other user are in Keystone's default domain and the project
 | |
|     being accessed is also in the default domain.
 | |
| 
 | |
|     For further information see :ref:`keystoneauth`
 | |
| 
 | |
| Users with the Keystone role defined in ``reseller_admin_role``
 | |
| (``ResellerAdmin`` by default) can operate on any account. The auth system
 | |
| sets the request environ reseller_request to True if a request is coming
 | |
| from a user with this role. This can be used by other middlewares.
 | |
| 
 | |
| Troubleshooting tips for keystoneauth deployment
 | |
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 | |
| 
 | |
| Some common mistakes can result in API requests failing when first deploying
 | |
| keystone with Swift:
 | |
| 
 | |
| * Incorrect configuration of the Swift endpoint in the Keystone service.
 | |
| 
 | |
|   By default, keystoneauth expects the account part of a URL to have the form
 | |
|   ``AUTH_<keystone_project_id>``. Sometimes the ``AUTH_`` prefix is missed when
 | |
|   configuring Swift endpoints in Keystone, as described in the `Install  Guide
 | |
|   <http://docs.openstack.org/>`_. This is easily diagnosed by inspecting the
 | |
|   proxy-server log file for a failed request URL and checking that the URL
 | |
|   includes the ``AUTH_`` prefix (or whatever reseller prefix may have been
 | |
|   configured for keystoneauth)::
 | |
| 
 | |
|       GOOD:
 | |
|       proxy-server: 127.0.0.1 127.0.0.1 07/Sep/2016/16/06/58 HEAD /v1/AUTH_cfb8d9d45212408b90bc0776117aec9e HTTP/1.0 204 ...
 | |
| 
 | |
|       BAD:
 | |
|       proxy-server: 127.0.0.1 127.0.0.1 07/Sep/2016/16/07/35 HEAD /v1/cfb8d9d45212408b90bc0776117aec9e HTTP/1.0 403 ...
 | |
| 
 | |
| 
 | |
| * Incorrect configuration of the ``authtoken`` middleware options in the Swift
 | |
|   proxy server.
 | |
| 
 | |
|   The ``authtoken`` middleware communicates with the Keystone service to
 | |
|   validate tokens that are presented with client requests. To do this
 | |
|   ``authtoken`` must authenticate itself with Keystone using the credentials
 | |
|   configured in the ``[filter:authtoken]`` section of
 | |
|   ``/etc/swift/proxy-server.conf``. Errors in these credentials can result in
 | |
|   ``authtoken`` failing to validate tokens and may be revealed in the proxy
 | |
|   server logs by a message such as::
 | |
| 
 | |
|       proxy-server: Identity server rejected authorization
 | |
| 
 | |
|   .. note::
 | |
| 
 | |
|       More detailed log messaging may be seen by setting the ``authtoken``
 | |
|       option ``log_level = debug``.
 | |
| 
 | |
|   The ``authtoken`` configuration options may be checked by attempting to use
 | |
|   them to communicate directly with Keystone using an ``openstack`` command
 | |
|   line. For example, given the ``authtoken`` configuration sample shown in
 | |
|   :ref:`configuring_keystone_auth`, the following command should return a
 | |
|   service catalog::
 | |
| 
 | |
|       openstack --os-identity-api-version=3 --os-auth-url=http://keystonehost:5000/ \
 | |
|           --os-username=swift --os-user-domain-id=default \
 | |
|           --os-project-name=service --os-project-domain-id=default \
 | |
|           --os-password=password catalog show object-store
 | |
| 
 | |
|   If this ``openstack`` command fails then it is likely that there is a problem
 | |
|   with the ``authtoken`` configuration.
 | |
| 
 | |
| .. _extending_auth:
 | |
| 
 | |
| --------------
 | |
| Extending Auth
 | |
| --------------
 | |
| 
 | |
| TempAuth is written as wsgi middleware, so implementing your own auth is as
 | |
| easy as writing new wsgi middleware, and plugging it in to the proxy server.
 | |
| The `Swauth <https://github.com/openstack/swauth>`_ project is an example of
 | |
| an additional auth service.
 | |
| 
 | |
| See :doc:`development_auth` for detailed information on extending the
 | |
| auth system.
 | |
| 
 | |
| 
 |