Merge "Update swift token middleware." into redux
This commit is contained in:
commit
1ed067cb57
|
@ -1,6 +1,5 @@
|
|||
#!/usr/bin/env python
|
||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
#
|
||||
|
||||
# Copyright (c) 2010-2011 OpenStack, LLC.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
|
|
|
@ -1,6 +1,5 @@
|
|||
#!/usr/bin/env python
|
||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
#
|
||||
|
||||
# Copyright (c) 2010-2011 OpenStack, LLC.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
#!/usr/bin/env python
|
||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||
#
|
||||
# Copyright (c) 2010-2011 OpenStack, LLC.
|
||||
|
||||
# Copyright (c) 2012 OpenStack, LLC.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
|
@ -16,220 +15,183 @@
|
|||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import webob
|
||||
|
||||
"""
|
||||
TOKEN-BASED AUTH MIDDLEWARE FOR SWIFT
|
||||
|
||||
Authentication on incoming request
|
||||
* grab token from X-Auth-Token header
|
||||
* TODO: grab the memcache servers from the request env
|
||||
* TODOcheck for auth information in memcache
|
||||
* check for auth information from keystone
|
||||
* return if unauthorized
|
||||
* decorate the request for authorization in swift
|
||||
* forward to the swift proxy app
|
||||
|
||||
Authorization via callback
|
||||
* check the path and extract the tenant
|
||||
* get the auth information stored in keystone.identity during
|
||||
authentication
|
||||
* TODO: check if the user is an account admin or a reseller admin
|
||||
* determine what object-type to authorize (account, container, object)
|
||||
* use knowledge of tenant, admin status, and container acls to authorize
|
||||
|
||||
"""
|
||||
|
||||
import json
|
||||
from urlparse import urlparse
|
||||
from webob.exc import HTTPUnauthorized, HTTPNotFound, HTTPExpectationFailed
|
||||
|
||||
from keystone.common.bufferedhttp import http_connect_raw as http_connect
|
||||
|
||||
from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
|
||||
from swift.common.utils import get_logger, split_path
|
||||
from swift.common import utils as swift_utils
|
||||
from swift.common.middleware import acl as swift_acl
|
||||
|
||||
|
||||
PROTOCOL_NAME = 'Swift Token Authentication'
|
||||
class SwiftAuth(object):
|
||||
"""Swift middleware to Keystone authorization system.
|
||||
|
||||
|
||||
class AuthProtocol(object):
|
||||
"""Handles authenticating and aurothrizing client calls.
|
||||
|
||||
Add to your pipeline in paste config like:
|
||||
In Swift's proxy-server.conf add the middleware to your pipeline::
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = catch_errors healthcheck cache keystone proxy-server
|
||||
pipeline = catch_errors cache tokenauth swiftauth proxy-server
|
||||
|
||||
[filter:keystone]
|
||||
Set account auto creation to true::
|
||||
|
||||
[app:proxy-server]
|
||||
account_autocreate = true
|
||||
|
||||
And add a swift authorization filter section, such as::
|
||||
|
||||
[filter:swiftauth]
|
||||
use = egg:keystone#swiftauth
|
||||
keystone_url = http://127.0.0.1:8080
|
||||
keystone_admin_token = 999888777666
|
||||
operator_roles = admin, SwiftOperator
|
||||
is_admin = true
|
||||
|
||||
If Swift memcache is to be used for caching tokens, add the additional
|
||||
property in the tokenauth filter:
|
||||
|
||||
[filter:tokenauth]
|
||||
paste.filter_factory = keystone.middleware.auth_token:filter_factory
|
||||
...
|
||||
cache = swift.cache
|
||||
|
||||
This maps tenants to account in Swift.
|
||||
|
||||
The user whose able to give ACL / create Containers permissions
|
||||
will be the one that are inside the operator_roles
|
||||
setting which by default includes the Admin and the SwiftOperator
|
||||
roles.
|
||||
|
||||
The option is_admin if set to true will allow the
|
||||
username that has the same name as the account name to be the owner.
|
||||
|
||||
Example: If we have the account called hellocorp with a user
|
||||
hellocorp that user will be admin on that account and can give ACL
|
||||
to all other users for hellocorp.
|
||||
|
||||
:param app: The next WSGI app in the pipeline
|
||||
:param conf: The dict of configuration values
|
||||
"""
|
||||
|
||||
def __init__(self, app, conf):
|
||||
"""Store valuable bits from the conf and set up logging."""
|
||||
self.app = app
|
||||
self.keystone_url = urlparse(conf.get('keystone_url'))
|
||||
self.admin_token = conf.get('keystone_admin_token')
|
||||
self.reseller_prefix = conf.get('reseller_prefix', 'AUTH')
|
||||
self.log = get_logger(conf, log_route='keystone')
|
||||
self.log.info('Keystone middleware started')
|
||||
self.conf = conf
|
||||
self.logger = swift_utils.get_logger(conf, log_route='keystoneauth')
|
||||
self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
|
||||
self.operator_roles = conf.get('operator_roles',
|
||||
'admin, SwiftOperator')
|
||||
config_is_admin = conf.get('is_admin', "false").lower()
|
||||
self.is_admin = config_is_admin in ('true', 't', '1', 'on', 'yes', 'y')
|
||||
cfg_synchosts = conf.get('allowed_sync_hosts', '127.0.0.1')
|
||||
self.allowed_sync_hosts = [h.strip() for h in cfg_synchosts.split(',')
|
||||
if h.strip()]
|
||||
|
||||
def __call__(self, env, start_response):
|
||||
"""Authenticate the incoming request.
|
||||
def __call__(self, environ, start_response):
|
||||
identity = self._keystone_identity(environ)
|
||||
|
||||
If authentication fails return an appropriate http status here,
|
||||
otherwise forward through the rest of the app.
|
||||
"""
|
||||
if not identity:
|
||||
environ['swift.authorize'] = self.denied_response
|
||||
return self.app(environ, start_response)
|
||||
|
||||
self.log.debug('Keystone middleware called')
|
||||
token = self._get_claims(env)
|
||||
self.log.debug('token: %s', token)
|
||||
if token:
|
||||
identity = self._validate_claims(token)
|
||||
if identity:
|
||||
self.log.debug('request authenticated: %r', identity)
|
||||
return self.perform_authenticated_request(identity, env,
|
||||
start_response)
|
||||
else:
|
||||
self.log.debug('anonymous request')
|
||||
return self.unauthorized_request(env, start_response)
|
||||
self.log.debug('no auth token in request headers')
|
||||
return self.perform_unidentified_request(env, start_response)
|
||||
self.logger.debug("Using identity: %r" % (identity))
|
||||
environ['keystone.identity'] = identity
|
||||
environ['REMOTE_USER'] = identity.get('tenant')
|
||||
environ['swift.authorize'] = self.authorize
|
||||
environ['swift.clean_acl'] = swift_acl.clean_acl
|
||||
return self.app(environ, start_response)
|
||||
|
||||
def unauthorized_request(self, env, start_response):
|
||||
"""Clinet provided a token that wasn't acceptable, error out."""
|
||||
return HTTPUnauthorized()(env, start_response)
|
||||
def _keystone_identity(self, environ):
|
||||
"""Extract the identity from the Keystone auth component."""
|
||||
if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed':
|
||||
return
|
||||
roles = []
|
||||
if 'HTTP_X_ROLE' in environ:
|
||||
roles = environ['HTTP_X_ROLE'].split(',')
|
||||
identity = {'user': environ.get('HTTP_X_USER'),
|
||||
'tenant': (environ.get('HTTP_X_TENANT_ID'),
|
||||
environ.get('HTTP_X_TENANT_NAME')),
|
||||
'roles': roles}
|
||||
return identity
|
||||
|
||||
def unauthorized(self, req):
|
||||
"""Return unauthorized given a webob Request object.
|
||||
|
||||
This can be stuffed into the evironment for swift.authorize or
|
||||
called from the authoriztion callback when authorization fails.
|
||||
"""
|
||||
return HTTPUnauthorized(request=req)
|
||||
|
||||
def perform_authenticated_request(self, identity, env, start_response):
|
||||
"""Client provieded a valid identity, so use it for authorization."""
|
||||
env['keystone.identity'] = identity
|
||||
env['swift.authorize'] = self.authorize
|
||||
env['swift.clean_acl'] = clean_acl
|
||||
self.log.debug('calling app: %s // %r', start_response, env)
|
||||
rv = self.app(env, start_response)
|
||||
self.log.debug('return from app: %r', rv)
|
||||
return rv
|
||||
|
||||
def perform_unidentified_request(self, env, start_response):
|
||||
"""Withouth authentication data, use acls for access control."""
|
||||
env['swift.authorize'] = self.authorize_via_acl
|
||||
env['swift.clean_acl'] = self.authorize_via_acl
|
||||
return self.app(env, start_response)
|
||||
def _reseller_check(self, account, tenant_id):
|
||||
"""Check reseller prefix."""
|
||||
return account == '%s_%s' % (self.reseller_prefix, tenant_id)
|
||||
|
||||
def authorize(self, req):
|
||||
"""Used when we have a valid identity from keystone."""
|
||||
self.log.debug('keystone middleware authorization begin')
|
||||
env = req.environ
|
||||
tenant = env.get('keystone.identity', {}).get('tenant')
|
||||
if not tenant:
|
||||
self.log.warn('identity info not present in authorize request')
|
||||
return HTTPExpectationFailed('Unable to locate auth claim',
|
||||
request=req)
|
||||
# TODO(todd): everyone under a tenant can do anything to that tenant.
|
||||
# more realistic would be role/group checking to do things
|
||||
# like deleting the account or creating/deleting containers
|
||||
# esp. when owned by other users in the same tenant.
|
||||
if req.path.startswith('/v1/%s_%s' % (self.reseller_prefix, tenant)):
|
||||
self.log.debug('AUTHORIZED OKAY')
|
||||
return None
|
||||
env_identity = env.get('keystone.identity', {})
|
||||
tenant = env_identity.get('tenant')
|
||||
|
||||
self.log.debug('tenant mismatch: %r', tenant)
|
||||
return self.unauthorized(req)
|
||||
|
||||
def authorize_via_acl(self, req):
|
||||
"""Anon request handling.
|
||||
|
||||
For now this only allows anon read of objects. Container and account
|
||||
actions are prohibited.
|
||||
"""
|
||||
|
||||
self.log.debug('authorizing anonymous request')
|
||||
try:
|
||||
version, account, container, obj = split_path(req.path, 1, 4, True)
|
||||
part = swift_utils.split_path(req.path, 1, 4, True)
|
||||
version, account, container, obj = part
|
||||
except ValueError:
|
||||
return HTTPNotFound(request=req)
|
||||
return webob.exc.HTTPNotFound(request=req)
|
||||
|
||||
if obj:
|
||||
return self._authorize_anon_object(req, account, container, obj)
|
||||
if not self._reseller_check(account, tenant[0]):
|
||||
log_msg = 'tenant mismatch: %s != %s' % (account, tenant[0])
|
||||
self.logger.debug(log_msg)
|
||||
return self.denied_response(req)
|
||||
|
||||
if container:
|
||||
return self._authorize_anon_container(req, account, container)
|
||||
user_groups = env_identity.get('roles', [])
|
||||
|
||||
if account:
|
||||
return self._authorize_anon_account(req, account)
|
||||
# Check the groups the user is belonging to. If the user is
|
||||
# part of the group defined in the config variable
|
||||
# operator_roles (like Admin) then it will be
|
||||
# promoted as an Admin of the account/tenant.
|
||||
for group in self.operator_roles.split(','):
|
||||
group = group.strip()
|
||||
if group in user_groups:
|
||||
log_msg = "allow user in group %s as account admin" % group
|
||||
self.logger.debug(log_msg)
|
||||
req.environ['swift_owner'] = True
|
||||
return
|
||||
|
||||
return self._authorize_anon_toplevel(req)
|
||||
# If user is of the same name of the tenant then make owner of it.
|
||||
user = env_identity.get('user', '')
|
||||
if self.is_admin and user == tenant[1]:
|
||||
req.environ['swift_owner'] = True
|
||||
return
|
||||
|
||||
def _authorize_anon_object(self, req, account, container, obj):
|
||||
referrers, groups = parse_acl(getattr(req, 'acl', None))
|
||||
if referrer_allowed(req.referer, referrers):
|
||||
self.log.debug('anonymous request AUTHORIZED OKAY')
|
||||
return None
|
||||
return self.unauthorized(req)
|
||||
# Allow container sync.
|
||||
if (req.environ.get('swift_sync_key')
|
||||
and req.environ['swift_sync_key'] ==
|
||||
req.headers.get('x-container-sync-key', None)
|
||||
and 'x-timestamp' in req.headers
|
||||
and (req.remote_addr in self.allowed_sync_hosts
|
||||
or swift_utils.get_remote_client(req)
|
||||
in self.allowed_sync_hosts)):
|
||||
log_msg = 'allowing proxy %s for container-sync' % req.remote_addr
|
||||
self.logger.debug(log_msg)
|
||||
return
|
||||
|
||||
def _authorize_anon_container(self, req, account, container):
|
||||
return self.unauthorized(req)
|
||||
# Check if referrer is allowed.
|
||||
referrers, groups = swift_acl.parse_acl(getattr(req, 'acl', None))
|
||||
if swift_acl.referrer_allowed(req.referer, referrers):
|
||||
if obj or '.rlistings' in groups:
|
||||
log_msg = 'authorizing %s via referer ACL' % req.referrer
|
||||
self.logger.debug(log_msg)
|
||||
return
|
||||
return self.denied_response(req)
|
||||
|
||||
def _authorize_anon_account(self, req, account):
|
||||
return self.unauthorized(req)
|
||||
# Allow ACL at individual user level (tenant:user format)
|
||||
if '%s:%s' % (tenant[0], user) in groups:
|
||||
log_msg = 'user %s:%s allowed in ACL authorizing'
|
||||
self.logger.debug(log_msg % (tenant[0], user))
|
||||
return
|
||||
|
||||
def _authorize_anon_toplevel(self, req):
|
||||
return self.unauthorized(req)
|
||||
# Check if we have the group in the usergroups and allow it
|
||||
for user_group in user_groups:
|
||||
if user_group in groups:
|
||||
log_msg = 'user %s:%s allowed in ACL: %s authorizing'
|
||||
self.logger.debug(log_msg % (tenant[0], user, user_group))
|
||||
return
|
||||
|
||||
def _get_claims(self, env):
|
||||
claims = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
|
||||
return claims
|
||||
return self.denied_response(req)
|
||||
|
||||
def _validate_claims(self, claims):
|
||||
"""Ask keystone (as keystone admin) for information for this user."""
|
||||
def denied_response(self, req):
|
||||
"""Deny WSGI Response.
|
||||
|
||||
# TODO(todd): cache
|
||||
|
||||
self.log.debug('Asking keystone to validate token')
|
||||
headers = {'Content-type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
'X-Auth-Token': self.admin_token}
|
||||
self.log.debug('headers: %r', headers)
|
||||
self.log.debug('url: %s', self.keystone_url)
|
||||
conn = http_connect(self.keystone_url.hostname, self.keystone_url.port,
|
||||
'GET', '/v2.0/tokens/%s' % claims, headers=headers)
|
||||
resp = conn.getresponse()
|
||||
data = resp.read()
|
||||
conn.close()
|
||||
|
||||
# Check http status code for the 'OK' family of responses
|
||||
if not str(resp.status).startswith('20'):
|
||||
return False
|
||||
|
||||
identity_info = json.loads(data)
|
||||
roles = []
|
||||
role_refs = identity_info['access']['user']['roles']
|
||||
|
||||
if role_refs is not None:
|
||||
for role_ref in role_refs:
|
||||
roles.append(role_ref['id'])
|
||||
|
||||
try:
|
||||
tenant = identity_info['access']['token']['tenantId']
|
||||
except:
|
||||
tenant = None
|
||||
if not tenant:
|
||||
tenant = identity_info['access']['user']['tenantId']
|
||||
# TODO(Ziad): add groups back in
|
||||
identity = {'user': identity_info['access']['user']['username'],
|
||||
'tenant': tenant,
|
||||
'roles': roles}
|
||||
|
||||
return identity
|
||||
Returns a standard WSGI response callable with the status of 403 or 401
|
||||
depending on whether the REMOTE_USER is set or not.
|
||||
"""
|
||||
if req.remote_user:
|
||||
return webob.exc.HTTPForbidden(request=req)
|
||||
else:
|
||||
return webob.exc.HTTPUnauthorized(request=req)
|
||||
|
||||
|
||||
def filter_factory(global_conf, **local_conf):
|
||||
|
@ -238,6 +200,5 @@ def filter_factory(global_conf, **local_conf):
|
|||
conf.update(local_conf)
|
||||
|
||||
def auth_filter(app):
|
||||
return AuthProtocol(app, conf)
|
||||
|
||||
return SwiftAuth(app, conf)
|
||||
return auth_filter
|
||||
|
|
Loading…
Reference in New Issue