2246 Commits

Author SHA1 Message Date
Guang Yee
795acd40f1 bp/cross-tenant-acls: allow tenantId:user, tenantName:user, and *:user ALCs
Change-Id: I7cfe77b3f03172814814f2e2bae04a3ae184efb0
2012-11-30 13:53:00 -08:00
Jenkins
871f552ab6 Merge "Updates to use new keystoneclient middleware." 2012-11-29 20:34:28 +00:00
Jenkins
a830b6ffc9 Merge "Fix for container sync not syncing last rowid" 2012-11-29 20:21:45 +00:00
Jenkins
02429858de Merge "Fix bug with swob.Request.path_info_pop" 2012-11-28 23:11:13 +00:00
Dan Prince
abcd872394 Updates to use new keystoneclient middleware.
Updates the proxy-server.conf-sample and docs to use
the new Keystoneclient middleware class name.

Change-Id: I3727f7b7328a2513347b8ef257c270126df36d7b
2012-11-28 16:08:05 -05:00
Jenkins
da8578fdde Merge "Upgrade pep8 to 1.3.3." 2012-11-28 20:46:13 +00:00
gholt
4063123e3c Fix bug with swob.Request.path_info_pop
path_info_pop didn't behave as the webob one did with single segment
paths like /one and with root-only paths /

Now it should.

Change-Id: Ib88344de386ab9e8975e7f48c1afc47731992ee2
2012-11-28 00:08:26 +00:00
Jenkins
0b00d0dbce Merge "added GoLang binding and CDMI to associated projects" 2012-11-27 19:23:04 +00:00
John Dickinson
46f26b3034 added GoLang binding and CDMI to associated projects
Change-Id: I720a0e0e886d25eec52556e8ce93bf9c49f6b452
2012-11-27 09:49:56 -08:00
Jason Johnson
48ebd6732e Replace hard-coded test accounts with user-configured values
Change-Id: I824ba5f231e252b923abc895f757137855a93d3a
2012-11-27 10:39:12 -06:00
Samuel Merritt
35f4d29ed6 Upgrade pep8 to 1.3.3.
This required a bunch of whitespace-poking of the scripts in bin, but
that's all. Now every file in swift/ and bin/ is pep8-1.3.3-compliant,
so hopefully we can be done with this pep8 stuff for a good long time.

Change-Id: I44fdb41d219c57400a4c396ab7eb0ffa9dcd8db8
2012-11-26 18:15:21 -08:00
Jenkins
2ad23a25e8 Merge "pep8 db.py" 2012-11-26 23:59:00 +00:00
Jenkins
67201c3159 Merge "pep8 direct client" 2012-11-26 23:58:16 +00:00
Samuel Merritt
fdf55c2817 Add CONTRIBUTING file.
If the CONTRIBUTING[.md] file exists, Github will show a link to it to
anyone who files an issue on Github or opens a pull request on
Github. We don't want people to do that, so this file points people at
the OpenStack wiki page with instructions on how to contribute
properly. This should cut down on the number of pull requests and
Github issues that we then have to spend our valuable time ignoring.

See also <https://github.com/blog/1184-contributing-guidelines>.

Change-Id: Icd23b65c642c5ae748ca1f7f397e2c8d63173492
2012-11-21 11:23:15 -08:00
Jenkins
2fc9716ec9 Merge "pep8 middleware" 2012-11-21 00:08:53 +00:00
John Dickinson
1f7be20a91 pep8 middleware
Change-Id: Ieef65f05e66b12347752c0e02648858e3242d8e7
2012-11-20 14:51:55 -08:00
John Dickinson
c46033a9a7 pep8 db.py
Change-Id: I2ae277b6f435f56549560684697486b56d24d46d
2012-11-20 14:32:37 -08:00
John Dickinson
3aab2488b2 pep8 direct client
Change-Id: I1ed6afe4336c238044174c93ae1e0078fbcef971
2012-11-20 14:21:14 -08:00
John Dickinson
f74ef1e396 pep8 utils.py
Change-Id: I0466fd2a462e94e5a1e0f88adf901de9f5ac131d
2012-11-20 14:16:17 -08:00
Dan Hersam
923b8b95c3 Fix for container sync not syncing last rowid
Bug 1079439

Change-Id: I1985a7176f34931ecb0f24c0289f18df5e934598
2012-11-19 23:09:17 +00:00
Jenkins
cb55f0c3a8 Merge "Fix lazy-listing of object segments." 2012-11-19 15:28:20 +00:00
Samuel Merritt
357b12dc2b Remove IP-based container-sync ACLs from auth middlewares.
The determination of the client IP looked at the X-Cluster-Client-Ip
and X-Forwarded-For headers in the incoming HTTP request. This is
trivially spoofable by a malicious client, so there's no security
gained by having the check there.

Worse, having the check there provides a false sense of security to
cluster operators. It sounds like it's based on the client IP, so an
attacker would have to do IP spoofing to defeat it. However, it's
really just a shared secret, and there's already a secret key set
up. Basically, it looks like 2-factor auth (IP+key), but it's really
1-factor (key).

Now, the one case where this might provide some security is where the
Swift cluster is behind an external load balancer that strips off the
X-Cluster-Client-Ip and X-Forwarded-For headers and substitutes its
own. I don't think it's worth the tradeoff, hence this commit.

Fixes bug 1068420 for very small values of "fixes".

DocImpact

Change-Id: I2bef64c2e1e4df8a612a5531a35721202deb6964
2012-11-16 18:47:06 -08:00
Jenkins
d13869e64b Merge "Refactor DiskFile to hide temp file names and exts" 2012-11-16 22:58:39 +00:00
Jenkins
ac7829f370 Merge "check response status in WSGIContext._app_call" 2012-11-16 22:36:59 +00:00
Jenkins
4e2ffff606 Merge "Use a delta timeout for memcache where possible" 2012-11-16 22:36:01 +00:00
Samuel Merritt
83bbd0aef2 Fix lazy-listing of object segments.
When responding to a GET request for a manifest, it was intended that
the proxy server lazily fetch the pieces of the container
listing. That way, a single client request doesn't immediately turn
into a bunch of requests to backends. The additional requests should
only get made if the client is putting in the work of receiving the
object body.

However, commit 156f27c accidentally changed this so that all the
pieces of the container listing are eagerly fetched up-front. Better
yet, if an object has more than CONTAINER_LISTING_LIMIT (default
10,000) segments, the container listing is then fetched a second time,
albeit lazily, while streaming out the response.

This commit restores the laziness and adds tests for it.

Change-Id: I49840a7059e6f999ce19199ecb10cdb77358526b
2012-11-16 13:12:58 -08:00
Jenkins
4d50728c8e Merge "change catch_errors to use WSGIContext" 2012-11-16 19:59:08 +00:00
Peter Portante
1ac7b88a27 Use a delta timeout for memcache where possible
We use a delta timeout value for timeouts under 30 days (in seconds)
since that is the limit which the memcached protocols will recognize a
timeout as a delta. Greater than 30 days and it interprets it as an
absolute time in seconds since the epoch.

This helps to address an often difficult-to-debug problem of time
drift between memcache clients and the memcache servers. Prior to this
change, if a client's time drifts behind the servers, short timeouts
run the danger of not being cached at all. If a client's time drifts
ahead of the servers, short timeouts run the danger of persisting too
long. Using delta's avoids this affect. For absolute timeouts 30 days
or more in the future small time drifts between clients and servers
are inconsequential.

See also bug 1076148 (https://bugs.launchpad.net/swift/+bug/1076148).

This also fixes incr and decr to handle timeout values in the same way
timeouts are handled for set operations.

Change-Id: Ie36dbcedfe9b4db9f77ed4ea9b70ff86c5773310
Signed-off-by: Peter Portante <peter.portante@redhat.com>
2012-11-16 14:57:36 -05:00
Jenkins
ac91ab9e9d Merge "Refactor http_connect() to use http_connect_raw()" 2012-11-16 19:52:30 +00:00
Jenkins
1db500839d Merge "Updating doc reflecting the move of auth_token." 2012-11-16 07:01:24 +00:00
Peter Portante
259aafb6f0 Refactor http_connect() to use http_connect_raw()
Change-Id: I889c5eecf860cc947763c5d79148419f9741a2c2
Signed-off-by: Peter Portante <peter.portante@redhat.com>
2012-11-15 21:57:06 -05:00
Chmouel Boudjnah
101f566e92 Updating doc reflecting the move of auth_token.
The auth_token middleware has moved, updating the doc.

Change-Id: I8133b876a53d61bf94169cf08c8b1fa6bbf9681a
2012-11-16 12:30:28 +10:00
Jenkins
c85d2ace93 Merge "Refactor db_replicator's roundrobin_datadirs" 2012-11-16 02:16:54 +00:00
Jenkins
e9a41ed550 Merge "Remove outdated Debian packaging guide." 2012-11-15 22:15:55 +00:00
gholt
4e5889d6ce Refactor db_replicator's roundrobin_datadirs
roundrobin_datadirs was returning any .db file at any depth in the
accounts/containers structure. Since xfs corruption can cause such
files to appear in odd places at times (only happened on one drive of
ours so far, but still...), I've refactored this function to only
return .db files at the proper depth.

Change-Id: Id06ef6584941f8a572e286f69dfa3d96fe451355
2012-11-15 21:44:14 +00:00
John Dickinson
20d4b00645 change catch_errors to use WSGIContext
The current catch_errors (ie without this patch) relinquishes control
before the underlying middleware/app has been evaluated. This results
in not catching errors in the stack when they occur in either the
start_response or in generating the first chunk sent to the client of
the underlying stack.

Change-Id: Iecd21e4fc7e30fa20239d011f69216354b50baf1
2012-11-15 13:18:38 -08:00
Peter Portante
7d70e05aeb Refactor DiskFile to hide temp file names and exts
This set of changes reworks the DiskFile class to remove the "extension"
parameter from the put() method, offering the new put_metadata() method with
an optional tombstone keyword boolean, and changes the mkstemp method to only
return the file descriptor.

Reviewing the code it was found that the temporary file name created as a
result of calling DiskFile.mkstemp() was never used by the caller, but the
caller was responsible for passing it back to the DiskFile.put() method. That
seems like too much information is exposed to the caller, when all the caller
requires is the file descriptor to write data into it.

Upon further review, the mkstemp() method was used in three places: PUT, POST
and DELETE method handling. Of those three cases, only PUT requires the file
descriptor, since it is responsible for writing the object contents. For POST
and DELETE, DiskFile only needs to associate metadata with the correct file
name. We abstract the pattern that those two use (once we also refactor the
code to move the fetch of the delete-at metadata, and subsequent
delete-at-update initiation, from under the mkstemp context) by adding the new
put_metadata() method.

As a result, the DiskFile class is then free to do whatever file system
operations it must to meet the API, without the caller having to know more
than just how to write data to a file descriptor. Note that DiskFile itself
key'd off of the '.ts' and '.meta' extensions for its operations, and for that
to work properly, the caller had to know to use those correctly. With this
change, the caller has no knowledge of how the file system is being used to
accomplish data and metadata storage.

See also Question 213796 at:
    https://answers.launchpad.net/swift/+question/213796

Change-Id: I267f68e64391ba627b2a13682393bec62600159d
Signed-off-by: Peter Portante <peter.portante@redhat.com>
2012-11-15 08:58:26 -05:00
Jenkins
3a806a805c Merge "Fix 500 on GET of many-segment manifest." 2012-11-15 00:32:16 +00:00
Jenkins
6b8f966364 Merge "Better TempAuth storage URL guessing" 2012-11-14 21:10:18 +00:00
Michael Barton
5c8f9c52e3 check response status in WSGIContext._app_call
Only re-chain response iter if start_response hasn't been called yet.

Change-Id: I9670f49419104fb8f949e6edc12d9047d1289cde
2012-11-14 03:12:21 -08:00
Alex Yang
1701b6bc24 fix bug in deleting account memcache.
Every request of container and object will invoke account_info() or
container_info() to query the meta of account and container. The meta
will be cached in memcache with the key 'account/{$account}' or
'container/{$container}', So, if any request to update account and
container, we should delete the cache. But in the cache deletion of
account, it use the wrong key 'account/v1/{$account}'. This could lead
to inconsistency of account meta.

Change-Id: Ied116a58a2d5866ac76d75ae50f21277d66e5755
2012-11-14 14:10:00 +08:00
Samuel Merritt
bf90ba2de1 Remove outdated Debian packaging guide.
There are 3 sections in there, all useless.

Section 1 tells you how to install Swift packages from the swift-core
PPA. However, the latest version there is ancient.

Section 2 tells you how to build your own Swift packages. However, it
talks about getting the source code from the "debian" branch in bzr,
which is obviously really old.

Section 3 tells you how to take the packages from section 2 and
install them. This isn't too out-of-date, but since section 2 doesn't
work any more, section 3 is useless.

Since stale docs are worse than no docs, there's no current
information in this document, and bringing it up-to-date requires a
whole pile of work, I've chosen to delete it entirely.

Also pulled out a couple references to the PPA elsewhere.

Fixes bug 917385.
Fixes bug 1026145.

Change-Id: I510bd8619531fe110419e5488bd20d3602868d66
2012-11-13 13:06:48 -08:00
clayg
4236e6379b patch utils.HASH_PATH_SUFFIX in proxy unittests
Most of the test files set the HASH_PATH_SUFFIX so you can run the test
file stand alone.  This change made it easier for me to run specific
proxy tests separately.

Change-Id: I87d70367dac7f240a2b6779649f8a02cf324ae0f
2012-11-12 23:15:10 -08:00
Samuel Merritt
a78b2d5f46 Fix 500 on GET of many-segment manifest.
The proxy_logging middleware was asserting that the response contained
either a Content-Length header or a Transfer-Encoding header. If not,
it would either add one (if app_iter was a list) or blow up
(otherwise). This blowing up is observable on a GET request to a
manifest object that references more than
swift.common.constraints.CONTAINER_LISTING_LIMIT segments.

If a response makes it up to eventlet.wsgi without a Content-Length
header, then a "Transfer-Encoding: chunked" header is automatically
stuffed into the response by eventlet. Therefore, it's not an error
for a response to not have a Content-Length header, and proxy_logging
should just let it happen.

Fixes bug 1078113.

Change-Id: I3751a8ae14dc68bab546f2746b61267a5115e252
2012-11-12 15:02:04 -08:00
Yee
53ab2e150d fix bug1039861, remove license header in doc/source/conf.py.
Change-Id: Iab43ac342faf3722ccab1ed034f08752dbbfaae1
2012-11-11 00:15:39 -08:00
gholt
47ee1d7e17 Better TempAuth storage URL guessing
I know it's just TempAuth, but bug #959953 just caught my eye as
something interesting to solve.

This does a best guess on the storage URL to return for a given
request. It allows $HOST to be used in the storage URL configuration,
where $HOST will resolve to scheme://host:port. It bases the scheme
on how the server is running or on storage_url_scheme if set. The
host:port comes from the request's Host header if it exists, and
falls back to the WSGI SERVER_NAME:SERVER_PORT otherwise.

Fixes: bug #959953
DocImpact

Change-Id: Ia494bcb99a04490911ee8d2cb8b12a94e77820c5
2012-11-10 16:39:25 +00:00
Jenkins
217bd202dd Merge "fix error with setting max age and incorrect tests" 2012-11-09 23:36:41 +00:00
John Dickinson
8a8ea8f22a fix error with setting max age and incorrect tests
Change-Id: I3f0db3b70ea5df323597b556682c2d1fb28afe53
2012-11-09 14:45:12 -08:00
Jenkins
b8136667e8 Merge "Make swift-bench use less memory with large object sizes." 2012-11-09 21:33:32 +00:00
Jenkins
ee42e6fc72 Merge "Make DELETE requests to expired objects return 404." 2012-11-09 20:17:15 +00:00