Per http://www.ietf.org/rfc/rfc2616.txt, when a 401 error is returned, the
Www-Authenticate response header MUST also be returned. The format is
described in http://www.ietf.org/rfc/rfc2617.txt.

Swift supports and/or implements a number of authentication schemes
including tempauth, Keystone, tempurl, formpost and container sync. In
this fix, we use a catch-all, "Swift". The realm is the account (where
known) or "unknown" (bad path or where the 401 is returned from code
that does not have the request). Examples:

    Www-Authenticate: Swift realm="AUTH_1234567889"
    Www-Authenticate: Swift realm="unknown"

Fixes bug #1215491

Change-Id: I03362789318dfa156d3733ef9348795062a9cfc4

- Automatically add underscore if there wasn't one already.
- This makes it consistent with tempauth.
- Fixes bug 1198878.
- This should probably be mentioned in the release changelog for
  upgrades.

Change-Id: Ia82f14f82c380c7ed2ddd190116f1493e410cfbe

- In keystoneauth we allowed authenticated users to delete their own
  account; we are disallowing that and only allowing users with reseller
  admin to do that for their own account or for others.
- Fixes bug 1177526.

Change-Id: I825c5a968e8eae0991915056825fe0e0c195647e

The three bug reports below talk about one thing.

Current keystoneauth ACL support is as follows:

    tenant_name:user_id    ok
    tenant_name:user_name  no
    tenant_name:*          no
    tenant_id:user_id      ok
    tenant_id:user_name    no
    tenant_id:*            no
    *:user_id              ok
    *:user_name            no
    *:*                    no

This patch will make all of the above work fine.

Applying (tenant/user)name could let users put or get their data in a
more readable way. The tenant_name:* and *:user_name forms are suitable
for many uses.

Note: to keep compatibility here, add a new keystone.identity just for
authorize() itself and leave env['keystone.identity'] to other
middlewares.

Fixes: bug #1020709
Fixes: bug #1075362
Fixes: bug #1155389

Change-Id: I9354dedaad875117f6a9072c67e9ecf69bfca77e

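The tenant/user matching described in the commit message above, as an added sketch that is not Swift's keystoneauth code: each side of a `tenant:user` ACL entry matches on `*`, the id or the name. The `Identity` fields, the function names and the sample values are assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical identity shape; the commit message does not show the real fields.
Identity = namedtuple("Identity", "tenant_id tenant_name user_id user_name")


def parse_acl(acl):
    """Split 'a:b,c:d' into (tenant, user) pairs, skipping malformed entries."""
    pairs = []
    for entry in (acl or "").split(","):
        entry = entry.strip()
        if entry.count(":") != 1:
            continue  # not a tenant:user entry (e.g. a bare role name)
        tenant, user = (part.strip() for part in entry.split(":"))
        if tenant and user:  # an empty side never matches anything
            pairs.append((tenant, user))
    return pairs


def _side_matches(pattern, ident_id, ident_name):
    # Ids and names share one namespace here, so a name that equals
    # somebody else's id would match an entry written for that id.
    return pattern == "*" or pattern in (ident_id, ident_name)


def acl_allows(acl, ident):
    """True if any entry matches both the tenant side and the user side."""
    return any(
        _side_matches(t, ident.tenant_id, ident.tenant_name)
        and _side_matches(u, ident.user_id, ident.user_name)
        for t, u in parse_acl(acl)
    )


def matrix(ident):
    """Evaluate the nine ACL forms from the commit message for one identity."""
    tenants = {"tenant_name": ident.tenant_name, "tenant_id": ident.tenant_id, "*": "*"}
    users = {"user_id": ident.user_id, "user_name": ident.user_name, "*": "*"}
    return {f"{tk}:{uk}": acl_allows(f"{tv}:{uv}", ident)
            for tk, tv in tenants.items() for uk, uv in users.items()}


# Constructed sample identities, not real Keystone ids.
ALICE = Identity("t-1f3a", "research", "u-77c2", "alice")
LOOKALIKE = Identity("t-9e00", "research", "u-0001", "u-77c2")

if __name__ == "__main__":
    for form, ok in matrix(ALICE).items():
        print(f"{form:<24}{'ok' if ok else 'no'}")
    # Same tenant name, and the user *name* equals ALICE's user id.
    print("lookalike matches research:u-77c2:", acl_allows("research:u-77c2", LOOKALIKE))
```

The `LOOKALIKE` case shows why an ACL written with names depends on names being unique: in this sketch an entry intended for one user's id also admits a different user whose name is that same string.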
Using case-insensitive comparison could tolerate human error. For example,
a user might set it like this: "operator_roles = Admin, swiftoperator"

- also fix a mistake in the test: ['admin'] is the correct value for roles,
  not 'admin' (it would be looped over as ['a', 'd', 'm', 'i', 'n'])
- add a test for the case-insensitive cases

Fixes: bug #1013120

Change-Id: I56d71da8bc503e48e92dd743692ba6fc237f029e

The recent account_quotas (https://review.openstack.org/23434)
patch added a new setting request.environ[reseller_request].

This patch adds tests for tempauth and keystoneauth as well as
an updated overview_auth.rst.

Change-Id: Icdb7ec9948ae7424b0721fc51a143782b2fdc5a6

- When a user has a valid token it would go to authorize, but the ACL
  check was after the reseller_check and would fail. Check this before
  reseller_check and add a test for it.
- Fixes bug 1020722.

Change-Id: Iaff9f35f5ee690e9b729c36d05fb9adf3368dc79

This change replaces WebOb with a mostly compatible local library,
swift.common.swob. Subtle changes to WebOb's API over the years have been a
huge headache. Swift doesn't even run on the current version.

There are a few incompatibilities to simplify the implementation/interface:

* It only implements the header properties we use. More can be easily added.
* Casts header values to str on assignment.
* Response classes ("HTTPNotFound") are no longer subclasses, but partials
  on Response, so things like isinstance no longer work on them.
* Unlike newer webob versions, will never return unicode objects.

Change-Id: I76617a0903ee2286b25a821b3c935c86ff95233f