OpenStack Storage (Swift)
Samuel Merritt d4409c0a04 Better scoping for tempurls, especially container tempurls
It used to be that a GET of a tempurl referencing a large object would
let you download that large object regardless of where its segments
lived. However, this led to some violated user expectations around
container tempurls.

(Note on shorthand: all tempurls reference objects. However, "account
tempurl" and "container tempurl" are shorthand meaning tempurls
generated using a key on the account or container, respectively.)

Let's say an application is given tempurl keys to a particular
container, and it does all its work therein using those keys. The user
expects that, if the application is compromised, then the attacker
only gains access to the "compromised-container". However, with the old
behavior, the attacker could read data from *any* container like so:

1) Choose a "victim-container" to download

2) Create PUT and GET tempurl for any object name within the
   "compromised-container". The object doesn't need to exist;
   we'll create it.

3) Using the PUT tempurl, upload a DLO manifest with
   "X-Object-Manifest: /victim-container/"

4) Using the GET tempurl, download the object created in step 3. The
   result will be the concatenation of all objects in the
   "victim-container".

Step 3 need not be for all objects in the "victim-container"; for
example, a value "X-Object-Manifest: /victim-container/abc" would only
be the concatenation of all objects whose names begin with "abc". By
probing for object names in this way, individual objects may be found
and extracted.

A similar bug would exist for manifests referencing other accounts
except that neither the X-Object-Manifest (DLO) nor the JSON manifest
document (SLO) have a way of specifying a different account.

This change makes it so that a container tempurl only grants access to
objects within its container, *including* large-object segments. This
breaks backward compatibility for container tempurls that may have
pointed to cross container *LO's, but (a) there are security
implications, and (b) container tempurls are a relatively new feature.

This works by having the tempurl middleware install an authorization
callback ('swift.authorize' in the WSGI environment) that limits the
scope of any requests to the account or container from which the key
came.

This requires swift.authorize to persist for both the manifest request
and all segment requests; this is done by having the proxy server
restore it to the WSGI environment prior to returning from __call__.

[CVE-2015-5223]

Co-Authored-By: Clay Gerrard <clayg@swiftstack.com>
Co-Authored-By: Alistair Coles <alistair.coles@hp.com>
Co-Authored-By: Christian Schwede <cschwede@redhat.com>
Co-Authored-By: Matthew Oliver <matt@oliver.net.au>

Change-Id: Ie6d52f7a07e87f6fec21ed8b0ec1d84be8b2b11c
Closes-Bug: 1449212
2015-08-26 08:06:57 -07:00
bin Fix shebang of commands 2015-08-06 11:02:40 +09:00
doc Merge "Add container sync probe test to SAIO default set" 2015-08-25 20:25:01 +00:00
etc Merge "versioned writes middleware" 2015-08-10 17:37:49 +00:00
examples Add a user variable to templates 2013-09-17 11:46:04 +10:00
swift Better scoping for tempurls, especially container tempurls 2015-08-26 08:06:57 -07:00
test Better scoping for tempurls, especially container tempurls 2015-08-26 08:06:57 -07:00
.coveragerc Align tox.ini and fix coverage jobs in jenkins. 2012-06-08 20:05:14 -04:00
.functests Move the tests from functionalnosetests 2014-01-07 15:58:11 +08:00
.gitignore more probe test refactoring 2015-02-13 16:55:45 -08:00
.gitreview Add .gitreview config file for gerrit. 2011-10-24 15:05:49 -04:00
.mailmap update AUTHORS file 2015-07-06 13:57:03 -07:00
.probetests Allow specify arguments to .probetests script 2013-12-24 01:18:19 -08:00
.unittests Fix coverage report for newer versions of coverage 2014-04-24 16:50:03 +00:00
AUTHORS Time synchronization check in recon. 2015-07-23 11:35:02 +02:00
CHANGELOG Add OpenStack release names to changelog 2015-08-19 19:34:29 -07:00
CONTRIBUTING.md Add Swift Design Principles to CONTRIBUTING.md 2015-03-27 13:13:31 -04:00
LICENSE Convert LICENSE to use unix style line endings. 2012-12-19 12:48:27 -05:00
MANIFEST.in Add requirements files to the source distribution 2013-06-03 19:26:20 +04:00
README.md added testing notes to the contributing doc 2014-12-04 10:41:11 -05:00
babel.cfg add pybabel setup.py commands and initial .pot 2011-01-27 00:01:24 +00:00
bandit.yaml Adding bandit for security static analysis testing in swift 2015-07-31 07:37:33 +05:30
requirements.txt Add six requirement 2015-06-09 00:22:39 +02:00
setup.cfg versioned writes middleware 2015-08-07 14:11:32 -04:00
setup.py taking the global reqs that we can 2014-05-21 09:37:22 -07:00
test-requirements.txt Merge "Adding bandit for security static analysis testing in swift" 2015-08-12 20:55:16 +00:00
tox.ini pep8: Fix usage of the l10n _('...') function 2015-08-19 17:12:51 -07:00
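
The scoping rule described in the commit message above, as a small model added here for illustration (it is not Swift's code and not taken from the commit). The names `make_scoped_authorize`, `get_object`, `STORE`, the `AUTH_demo` account and the deny status are assumptions; the callback takes a path rather than a request object to keep the sketch self-contained.

```python
# Added illustration, not Swift's code: every name here is hypothetical.
DENY = '401 Unauthorized'  # status chosen for this sketch

# Constructed sample store: object path -> (headers, body)
STORE = {
    '/v1/AUTH_demo/compromised-container/cross':
        ({'X-Object-Manifest': '/victim-container/'}, b''),
    '/v1/AUTH_demo/compromised-container/local':
        ({'X-Object-Manifest': '/compromised-container/seg'}, b''),
    '/v1/AUTH_demo/compromised-container/seg1': ({}, b'aa'),
    '/v1/AUTH_demo/compromised-container/seg2': ({}, b'bb'),
    '/v1/AUTH_demo/victim-container/report': ({}, b'private'),
}


def split_path(path):
    """Split '/v1/<account>/<container>/<object>' into its three names."""
    parts = path.split('/', 4)
    if len(parts) != 5 or parts[0] or not all(parts[1:]):
        raise ValueError('not an object path: %r' % path)
    return parts[2], parts[3], parts[4]


def make_scoped_authorize(account, container=None):
    """Return a callback giving None (allow) or DENY for a path; container=None
    models an account key, otherwise only that container is readable."""
    def authorize(path):
        try:
            acc, cont, _obj = split_path(path)
        except ValueError:
            return DENY
        in_scope = acc == account and container in (None, cont)
        return None if in_scope else DENY
    return authorize


def get_object(path, authorize):
    """GET that applies the same callback to the manifest and every segment."""
    if authorize(path):
        return DENY, b''
    headers, body = STORE[path]
    if 'X-Object-Manifest' not in headers:
        return '200 OK', body
    prefix = '/v1/%s/%s' % (split_path(path)[0],
                            headers['X-Object-Manifest'].lstrip('/'))
    segments = sorted(p for p in STORE if p.startswith(prefix) and p != path)
    if any(authorize(seg) for seg in segments):
        return DENY, b''
    return '200 OK', b''.join(STORE[seg][1] for seg in segments)
```

The check only holds because the same callback is consulted for each segment as well as for the manifest, which is why the commit has the proxy keep `swift.authorize` in place across the segment requests.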

README.md

Swift

A distributed object storage system designed to scale from a single machine to thousands of servers. Swift is optimized for multi-tenancy and high concurrency. Swift is ideal for backups, web and mobile content, and any other unstructured data that can grow without bound.

Swift provides a simple, REST-based API fully documented at http://docs.openstack.org/.

Swift was originally developed as the basis for Rackspace's Cloud Files and was open-sourced in 2010 as part of the OpenStack project. It has since grown to include contributions from many companies and has spawned a thriving ecosystem of 3rd party tools. Swift's contributors are listed in the AUTHORS file.

Docs

To build documentation, install sphinx (pip install sphinx), run python setup.py build_sphinx, and then browse to /doc/build/html/index.html. These docs are auto-generated after every commit and available online at http://docs.openstack.org/developer/swift/.

For Developers

The best place to get started is the "SAIO - Swift All In One". This document will walk you through setting up a development cluster of Swift in a VM. The SAIO environment is ideal for running small-scale tests against swift and trying out new features and bug fixes.

You can run unit tests with .unittests and functional tests with .functests.

If you would like to start contributing, check out these notes to help you get started.

Code Organization

  • bin/: Executable scripts that are the processes run by the deployer
  • doc/: Documentation
  • etc/: Sample config files
  • swift/: Core code
    • account/: account server
    • common/: code shared by different modules
      • middleware/: "standard", officially-supported middleware
      • ring/: code implementing Swift's ring
    • container/: container server
    • obj/: object server
    • proxy/: proxy server
  • test/: Unit and functional tests

Data Flow

Swift is a WSGI application and uses eventlet's WSGI server. After the processes are running, the entry point for new requests is the Application class in swift/proxy/server.py. From there, a controller is chosen, and the request is processed. The proxy may choose to forward the request to a back-end server. For example, the entry point for requests to the object server is the ObjectController class in swift/obj/server.py.

For Deployers

Deployer docs are also available at http://docs.openstack.org/developer/swift/. A good starting point is at http://docs.openstack.org/developer/swift/deployment_guide.html

You can run functional tests against a swift cluster with .functests. These functional tests require /etc/swift/test.conf to run. A sample config file can be found in this source tree in test/sample.conf.

For Client Apps

For client applications, official Python language bindings are provided at http://github.com/openstack/python-swiftclient.

Complete API documentation is available at http://docs.openstack.org/api/openstack-object-storage/1.0/content/


For more information come hang out in #openstack-swift on freenode.

Thanks,

The Swift Development Team