diff --git a/keystone/middleware/auth_token.py b/keystone/middleware/auth_token.py old mode 100644 new mode 100755 index 0dc723b9c6..4a0d501aa6 --- a/keystone/middleware/auth_token.py +++ b/keystone/middleware/auth_token.py @@ -1,6 +1,5 @@ -#!/usr/bin/env python # vim: tabstop=4 shiftwidth=4 softtabstop=4 -# + # Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/keystone/middleware/nova_auth_token.py b/keystone/middleware/nova_auth_token.py index 68ad1d9db3..ad6bcbb810 100644 --- a/keystone/middleware/nova_auth_token.py +++ b/keystone/middleware/nova_auth_token.py @@ -1,6 +1,5 @@ -#!/usr/bin/env python # vim: tabstop=4 shiftwidth=4 softtabstop=4 -# + # Copyright (c) 2010-2011 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); diff --git a/keystone/middleware/swift_auth.py b/keystone/middleware/swift_auth.py old mode 100755 new mode 100644 index e83c13667d..d12ac162fc --- a/keystone/middleware/swift_auth.py +++ b/keystone/middleware/swift_auth.py @@ -1,7 +1,6 @@ -#!/usr/bin/env python # vim: tabstop=4 shiftwidth=4 softtabstop=4 -# -# Copyright (c) 2010-2011 OpenStack, LLC. + +# Copyright (c) 2012 OpenStack, LLC. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -16,220 +15,183 @@ # See the License for the specific language governing permissions and # limitations under the License. +import webob -""" -TOKEN-BASED AUTH MIDDLEWARE FOR SWIFT - -Authentication on incoming request - * grab token from X-Auth-Token header - * TODO: grab the memcache servers from the request env - * TODOcheck for auth information in memcache - * check for auth information from keystone - * return if unauthorized - * decorate the request for authorization in swift - * forward to the swift proxy app - -Authorization via callback - * check the path and extract the tenant - * get the auth information stored in keystone.identity during - authentication - * TODO: check if the user is an account admin or a reseller admin - * determine what object-type to authorize (account, container, object) - * use knowledge of tenant, admin status, and container acls to authorize - -""" - -import json -from urlparse import urlparse -from webob.exc import HTTPUnauthorized, HTTPNotFound, HTTPExpectationFailed - -from keystone.common.bufferedhttp import http_connect_raw as http_connect - -from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed -from swift.common.utils import get_logger, split_path +from swift.common import utils as swift_utils +from swift.common.middleware import acl as swift_acl -PROTOCOL_NAME = 'Swift Token Authentication' +class SwiftAuth(object): + """Swift middleware to Keystone authorization system. - -class AuthProtocol(object): - """Handles authenticating and aurothrizing client calls. - - Add to your pipeline in paste config like: + In Swift's proxy-server.conf add the middleware to your pipeline:: [pipeline:main] - pipeline = catch_errors healthcheck cache keystone proxy-server + pipeline = catch_errors cache tokenauth swiftauth proxy-server - [filter:keystone] + Set account auto creation to true:: + + [app:proxy-server] + account_autocreate = true + + And add a swift authorization filter section, such as:: + + [filter:swiftauth] use = egg:keystone#swiftauth - keystone_url = http://127.0.0.1:8080 - keystone_admin_token = 999888777666 + operator_roles = admin, SwiftOperator + is_admin = true + + If Swift memcache is to be used for caching tokens, add the additional + property in the tokenauth filter: + + [filter:tokenauth] + paste.filter_factory = keystone.middleware.auth_token:filter_factory + ... + cache = swift.cache + + This maps tenants to account in Swift. + + The user whose able to give ACL / create Containers permissions + will be the one that are inside the operator_roles + setting which by default includes the Admin and the SwiftOperator + roles. + + The option is_admin if set to true will allow the + username that has the same name as the account name to be the owner. + + Example: If we have the account called hellocorp with a user + hellocorp that user will be admin on that account and can give ACL + to all other users for hellocorp. + + :param app: The next WSGI app in the pipeline + :param conf: The dict of configuration values """ - def __init__(self, app, conf): - """Store valuable bits from the conf and set up logging.""" self.app = app - self.keystone_url = urlparse(conf.get('keystone_url')) - self.admin_token = conf.get('keystone_admin_token') - self.reseller_prefix = conf.get('reseller_prefix', 'AUTH') - self.log = get_logger(conf, log_route='keystone') - self.log.info('Keystone middleware started') + self.conf = conf + self.logger = swift_utils.get_logger(conf, log_route='keystoneauth') + self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip() + self.operator_roles = conf.get('operator_roles', + 'admin, SwiftOperator') + config_is_admin = conf.get('is_admin', "false").lower() + self.is_admin = config_is_admin in ('true', 't', '1', 'on', 'yes', 'y') + cfg_synchosts = conf.get('allowed_sync_hosts', '127.0.0.1') + self.allowed_sync_hosts = [h.strip() for h in cfg_synchosts.split(',') + if h.strip()] - def __call__(self, env, start_response): - """Authenticate the incoming request. + def __call__(self, environ, start_response): + identity = self._keystone_identity(environ) - If authentication fails return an appropriate http status here, - otherwise forward through the rest of the app. - """ + if not identity: + environ['swift.authorize'] = self.denied_response + return self.app(environ, start_response) - self.log.debug('Keystone middleware called') - token = self._get_claims(env) - self.log.debug('token: %s', token) - if token: - identity = self._validate_claims(token) - if identity: - self.log.debug('request authenticated: %r', identity) - return self.perform_authenticated_request(identity, env, - start_response) - else: - self.log.debug('anonymous request') - return self.unauthorized_request(env, start_response) - self.log.debug('no auth token in request headers') - return self.perform_unidentified_request(env, start_response) + self.logger.debug("Using identity: %r" % (identity)) + environ['keystone.identity'] = identity + environ['REMOTE_USER'] = identity.get('tenant') + environ['swift.authorize'] = self.authorize + environ['swift.clean_acl'] = swift_acl.clean_acl + return self.app(environ, start_response) - def unauthorized_request(self, env, start_response): - """Clinet provided a token that wasn't acceptable, error out.""" - return HTTPUnauthorized()(env, start_response) + def _keystone_identity(self, environ): + """Extract the identity from the Keystone auth component.""" + if environ.get('HTTP_X_IDENTITY_STATUS') != 'Confirmed': + return + roles = [] + if 'HTTP_X_ROLE' in environ: + roles = environ['HTTP_X_ROLE'].split(',') + identity = {'user': environ.get('HTTP_X_USER'), + 'tenant': (environ.get('HTTP_X_TENANT_ID'), + environ.get('HTTP_X_TENANT_NAME')), + 'roles': roles} + return identity - def unauthorized(self, req): - """Return unauthorized given a webob Request object. - - This can be stuffed into the evironment for swift.authorize or - called from the authoriztion callback when authorization fails. - """ - return HTTPUnauthorized(request=req) - - def perform_authenticated_request(self, identity, env, start_response): - """Client provieded a valid identity, so use it for authorization.""" - env['keystone.identity'] = identity - env['swift.authorize'] = self.authorize - env['swift.clean_acl'] = clean_acl - self.log.debug('calling app: %s // %r', start_response, env) - rv = self.app(env, start_response) - self.log.debug('return from app: %r', rv) - return rv - - def perform_unidentified_request(self, env, start_response): - """Withouth authentication data, use acls for access control.""" - env['swift.authorize'] = self.authorize_via_acl - env['swift.clean_acl'] = self.authorize_via_acl - return self.app(env, start_response) + def _reseller_check(self, account, tenant_id): + """Check reseller prefix.""" + return account == '%s_%s' % (self.reseller_prefix, tenant_id) def authorize(self, req): - """Used when we have a valid identity from keystone.""" - self.log.debug('keystone middleware authorization begin') env = req.environ - tenant = env.get('keystone.identity', {}).get('tenant') - if not tenant: - self.log.warn('identity info not present in authorize request') - return HTTPExpectationFailed('Unable to locate auth claim', - request=req) - # TODO(todd): everyone under a tenant can do anything to that tenant. - # more realistic would be role/group checking to do things - # like deleting the account or creating/deleting containers - # esp. when owned by other users in the same tenant. - if req.path.startswith('/v1/%s_%s' % (self.reseller_prefix, tenant)): - self.log.debug('AUTHORIZED OKAY') - return None + env_identity = env.get('keystone.identity', {}) + tenant = env_identity.get('tenant') - self.log.debug('tenant mismatch: %r', tenant) - return self.unauthorized(req) - - def authorize_via_acl(self, req): - """Anon request handling. - - For now this only allows anon read of objects. Container and account - actions are prohibited. - """ - - self.log.debug('authorizing anonymous request') try: - version, account, container, obj = split_path(req.path, 1, 4, True) + part = swift_utils.split_path(req.path, 1, 4, True) + version, account, container, obj = part except ValueError: - return HTTPNotFound(request=req) + return webob.exc.HTTPNotFound(request=req) - if obj: - return self._authorize_anon_object(req, account, container, obj) + if not self._reseller_check(account, tenant[0]): + log_msg = 'tenant mismatch: %s != %s' % (account, tenant[0]) + self.logger.debug(log_msg) + return self.denied_response(req) - if container: - return self._authorize_anon_container(req, account, container) + user_groups = env_identity.get('roles', []) - if account: - return self._authorize_anon_account(req, account) + # Check the groups the user is belonging to. If the user is + # part of the group defined in the config variable + # operator_roles (like Admin) then it will be + # promoted as an Admin of the account/tenant. + for group in self.operator_roles.split(','): + group = group.strip() + if group in user_groups: + log_msg = "allow user in group %s as account admin" % group + self.logger.debug(log_msg) + req.environ['swift_owner'] = True + return - return self._authorize_anon_toplevel(req) + # If user is of the same name of the tenant then make owner of it. + user = env_identity.get('user', '') + if self.is_admin and user == tenant[1]: + req.environ['swift_owner'] = True + return - def _authorize_anon_object(self, req, account, container, obj): - referrers, groups = parse_acl(getattr(req, 'acl', None)) - if referrer_allowed(req.referer, referrers): - self.log.debug('anonymous request AUTHORIZED OKAY') - return None - return self.unauthorized(req) + # Allow container sync. + if (req.environ.get('swift_sync_key') + and req.environ['swift_sync_key'] == + req.headers.get('x-container-sync-key', None) + and 'x-timestamp' in req.headers + and (req.remote_addr in self.allowed_sync_hosts + or swift_utils.get_remote_client(req) + in self.allowed_sync_hosts)): + log_msg = 'allowing proxy %s for container-sync' % req.remote_addr + self.logger.debug(log_msg) + return - def _authorize_anon_container(self, req, account, container): - return self.unauthorized(req) + # Check if referrer is allowed. + referrers, groups = swift_acl.parse_acl(getattr(req, 'acl', None)) + if swift_acl.referrer_allowed(req.referer, referrers): + if obj or '.rlistings' in groups: + log_msg = 'authorizing %s via referer ACL' % req.referrer + self.logger.debug(log_msg) + return + return self.denied_response(req) - def _authorize_anon_account(self, req, account): - return self.unauthorized(req) + # Allow ACL at individual user level (tenant:user format) + if '%s:%s' % (tenant[0], user) in groups: + log_msg = 'user %s:%s allowed in ACL authorizing' + self.logger.debug(log_msg % (tenant[0], user)) + return - def _authorize_anon_toplevel(self, req): - return self.unauthorized(req) + # Check if we have the group in the usergroups and allow it + for user_group in user_groups: + if user_group in groups: + log_msg = 'user %s:%s allowed in ACL: %s authorizing' + self.logger.debug(log_msg % (tenant[0], user, user_group)) + return - def _get_claims(self, env): - claims = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN')) - return claims + return self.denied_response(req) - def _validate_claims(self, claims): - """Ask keystone (as keystone admin) for information for this user.""" + def denied_response(self, req): + """Deny WSGI Response. - # TODO(todd): cache - - self.log.debug('Asking keystone to validate token') - headers = {'Content-type': 'application/json', - 'Accept': 'application/json', - 'X-Auth-Token': self.admin_token} - self.log.debug('headers: %r', headers) - self.log.debug('url: %s', self.keystone_url) - conn = http_connect(self.keystone_url.hostname, self.keystone_url.port, - 'GET', '/v2.0/tokens/%s' % claims, headers=headers) - resp = conn.getresponse() - data = resp.read() - conn.close() - - # Check http status code for the 'OK' family of responses - if not str(resp.status).startswith('20'): - return False - - identity_info = json.loads(data) - roles = [] - role_refs = identity_info['access']['user']['roles'] - - if role_refs is not None: - for role_ref in role_refs: - roles.append(role_ref['id']) - - try: - tenant = identity_info['access']['token']['tenantId'] - except: - tenant = None - if not tenant: - tenant = identity_info['access']['user']['tenantId'] - # TODO(Ziad): add groups back in - identity = {'user': identity_info['access']['user']['username'], - 'tenant': tenant, - 'roles': roles} - - return identity + Returns a standard WSGI response callable with the status of 403 or 401 + depending on whether the REMOTE_USER is set or not. + """ + if req.remote_user: + return webob.exc.HTTPForbidden(request=req) + else: + return webob.exc.HTTPUnauthorized(request=req) def filter_factory(global_conf, **local_conf): @@ -238,6 +200,5 @@ def filter_factory(global_conf, **local_conf): conf.update(local_conf) def auth_filter(app): - return AuthProtocol(app, conf) - + return SwiftAuth(app, conf) return auth_filter