swift/doc/source
Samuel Merritt 357b12dc2b Remove IP-based container-sync ACLs from auth middlewares.
The determination of the client IP looked at the X-Cluster-Client-Ip
and X-Forwarded-For headers in the incoming HTTP request. This is
trivially spoofable by a malicious client, so there's no security
gained by having the check there.

Worse, having the check there provides a false sense of security to
cluster operators. It sounds like it's based on the client IP, so an
attacker would have to do IP spoofing to defeat it. However, it's
really just a shared secret, and there's already a secret key set
up. Basically, it looks like 2-factor auth (IP+key), but it's really
1-factor (key).

Now, the one case where this might provide some security is where the
Swift cluster is behind an external load balancer that strips off the
X-Cluster-Client-Ip and X-Forwarded-For headers and substitutes its
own. I don't think it's worth the tradeoff, hence this commit.

Fixes bug 1068420 for very small values of "fixes".

DocImpact

Change-Id: I2bef64c2e1e4df8a612a5531a35721202deb6964
2012-11-16 18:47:06 -08:00
_ga Updated Google Analytics code for more precise tracking 2010-11-11 09:00:00 -06:00
_static Adding a box to each page that gives readers links to 1.1 and 1.2 Swift docs sites 2011-03-09 23:14:38 -06:00
_theme Adds links to docs.openstack.org 2012-04-23 10:48:24 -05:00
account.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00
admin_guide.rst Merge "statsd timing refactor" 2012-11-07 01:27:56 +00:00
associated_projects.rst Extended documentation for using custom loggers 2012-10-26 17:59:42 -05:00
conf.py fix bug1039861, remove license header in doc/source/conf.py. 2012-11-11 00:15:39 -08:00
container.rst More docs 2011-02-24 15:01:22 -08:00
db.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00
deployment_guide.rst Better TempAuth storage URL guessing 2012-11-10 16:39:25 +00:00
development_auth.rst Adding CORS support 2012-10-23 14:48:59 -05:00
development_guidelines.rst updated copyright date for all files 2012-03-19 13:45:34 -05:00
development_saio.rst remove configobj from deps 2012-10-08 14:20:00 -07:00
getting_started.rst Remove outdated Debian packaging guide. 2012-11-13 13:06:48 -08:00
howto_installmultinode.rst Remove swift.common.client from here. 2012-06-07 16:36:49 +02:00
index.rst Remove outdated Debian packaging guide. 2012-11-13 13:06:48 -08:00
misc.rst Adding CORS support 2012-10-23 14:48:59 -05:00
object.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00
overview_architecture.rst Spell check for .rst files 2010-10-13 11:28:27 -05:00
overview_auth.rst Updating doc reflecting the move of auth_token. 2012-11-16 12:30:28 +10:00
overview_container_sync.rst Remove IP-based container-sync ACLs from auth middlewares. 2012-11-16 18:47:06 -08:00
overview_expiring_objects.rst Expiring Objects Support 2011-11-01 15:49:00 +00:00
overview_large_objects.rst Remove swift.common.client from here. 2012-06-07 16:36:49 +02:00
overview_object_versioning.rst update object versions docs 2012-08-07 16:26:38 -07:00
overview_reaper.rst Add an optional delay to account reaping. 2012-03-21 15:26:07 +00:00
overview_replication.rst Explain how replication works more clearly 2011-12-21 12:56:23 +09:00
overview_ring.rst Update docs for new ring serialization. 2012-08-21 12:09:28 -07:00
proxy.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00
ratelimit.rst Reverted the pulling out of various middleware: 2012-05-16 21:25:10 +00:00
ring.rst Initial commit of Swift code 2010-07-12 17:03:45 -05:00