This is the historical location of Swauth; active development is now at https://github.com/openstack/swauth
This is the historical location of Swauth; active development is now at https://github.com/openstack/swauth
Thanks to Ondrej Novy, Peter Lisak, and all the folks at Seznam.cz for taking this over and continuing its development!
This repository will continue to exist in case folks need it, and the "historical" branch contains the code as it existed before migration to https://github.com/openstack/swauth
I switched from tempauth to swath and followed your instructions and keep getting the follow error, any help would be greatly appreciated.
Jan 31 22:42:39 vhost0239 proxy-server STDOUT: EXCEPTION IN handle: Traceback (most recent call last):#12 File "/usr/lib/python2.6/site-packages/swauth-1.0.3.dev-py2.6.egg/swauth/middleware.py", line 415, in handle#012 return self.handle_request(req)(env, start_response)#12 File "/usr/lib/python2.6/site-packages/swauth-1.0.3.dev-py2.6.egg/swauth/middleware.py", line 482, in handle_request#012 req.response = handler(req)#12 File "/usr/lib/python2.6/site-packages/swauth-1.0.3.dev-py2.6.egg/swauth/middleware.py", line 1008, in handle_put_user#012 resp.headers['x-container-meta-account-id']}#12 File "/usr/lib/python2.6/site-packages/WebOb-1.1-py2.6.egg/webob/headers.py", line 16, in getitem#12 raise KeyError(key)#012KeyError: 'x-container-meta-account-id'#12: {'HTTP_X_CF_TRANS_ID': 'txec4d490d-09ee-436d-b1c8-34c337753daf', 'SCRIPT_NAME': '/auth/v2/test/tester', 'webob.adhoc_attrs': {'start_time': 1328049759.525063, 'bytes_transferred': '-', 'client_disconnect': False}, 'REQUEST_METHOD': 'PUT', 'PATH_INFO': '', 'SERVER_PROTOCOL': 'HTTP/1.0', 'eventlet.posthooks': [(<bound method Swauth.posthooklogger of <swauth.middleware.Swauth object at 0xb743eb4c>>, (<Request at 0xb73bf16c PUT https://localhost:777/auth/v2/test/tester>,), {})], 'SERVER_NAME': '127.0.0.1', 'REMOTE_ADDR': '127.0.0.1', 'eventlet.input': <eventlet.wsgi.Input object at 0xb73c3dec>, 'HTTP_X_AUTH_ADMIN_KEY': 'xxxx', 'wsgi.url_scheme': 'https', 'SERVER_PORT': '777', 'HTTP_X_AUTH_USER_KEY': 'testing', 'HTTP_X_AUTH_ADMIN_USER': '.super_admin', 'HTTP_X_AUTH_USER_ADMIN': 'true', 'wsgi.input': <eventlet.wsgi.Input object at 0xb73c3dec>, 'HTTP_HOST': 'localhost:777', 'swift.cache': <swift.common.memcached.MemcacheRing object at 0xb73cb3ac>, 'HTTPS': 'on', 'wsgi.multithread': True, 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at 0xb73b25ac>, 'wsgi.multiprocess': False, 'CONTENT_TYPE': None, 'HTTP_ACCEPT_ENCODING': 'identity'}
I'll take care of this at some point soon
If a request comes in with an Authorization header, Swauth assumes it is the authoritative auth when that might not be the case. Instead, it should only set a delayed denial if no others override.
One of the thoughts with Swauth was that you could have multiple clusters all using the same account/user pool. One cluster would run the full Swauth and the others would just use it to validate tokens. I began work on this use case at https://code.launchpad.net/~gholt/swift/swauthremote but I haven't finished it yet.
There are references to Keystone that are now old and the Deswauth work has been completed.
I have following proxy-server.conf:
[pipeline:main]
pipeline = healthcheck cache swauth proxy-logging proxy-server
[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true
[filter:swauth]
use = egg:swauth#swauth
set log_name = swauth
super_admin_key = secretKey
default_swift_cluster = local#http://mystorage.com:8000/v1
Version of swauth is cbe34c6
I run following command:
swauth-add-account -K secretKey -A http://mystorage.com:8000/auth/ -s test10 test10
get
Account creation failed: 500 Server Error
and see following logs:
May 26 20:16:59 mystorage account-server 23.45.67.10 - - [26/May/2013:18:16:59 +0000] "HEAD /disk2/771/AUTH_.auth" 204 - "txf4f38d8f60d8474a80a96-0051a2519b" "-" "-" 0.1133 ""
May 26 20:17:00 mystorage container-server 23.45.67.10 - - [26/May/2013:18:17:00 +0000] "HEAD /disk4/3238/AUTH_.auth/test10" 404 - "txf4f38d8f60d8474a80a96-0051a2519b" "-" "Swauth" 0.0002
May 26 20:17:00 mystorage proxy-server Handoff requested (1) (txn: txf4f38d8f60d8474a80a96-0051a2519b)
May 26 20:17:00 mystorage proxy-server Handoff requested (2) (txn: txf4f38d8f60d8474a80a96-0051a2519b)
May 26 20:17:00 mystorage container-server 23.45.67.10 - - [26/May/2013:18:17:00 +0000] "HEAD /disk2/3238/AUTH_.auth/test10" 404 - "txf4f38d8f60d8474a80a96-0051a2519b" "-" "Swauth" 0.0002
May 26 20:17:00 mystorage proxy-server - - 26/May/2013/18/17/00 HEAD /v1/AUTH_.auth/test10 HTTP/1.0 404 - Swauth - - - - txf4f38d8f60d8474a80a96-0051a2519b - 1.1774 SWTH
May 26 20:17:01 mystorage container-server 23.45.67.10 - - [26/May/2013:18:17:01 +0000] "PUT /disk4/3238/AUTH_.auth/test10" 404 - "txebdc6774ed66489b94105-0051a2519c" "-" "-" 0.3460
May 26 20:17:01 mystorage account-server 23.45.67.20 - - [26/May/2013:18:17:01 +0000] "PUT /disk2/771/AUTH_.auth/test10" 201 - "txebdc6774ed66489b94105-0051a2519c" "-" "-" 0.0010 ""
May 26 20:17:01 mystorage CRON[9224]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
May 26 20:17:01 mystorage proxy-server Container PUT returning 503 for (404, 201) (txn: txebdc6774ed66489b94105-0051a2519c)
May 26 20:17:01 mystorage proxy-server STDOUT: EXCEPTION IN handle: Traceback (most recent call last):#012 File "/usr/local/lib/python2.7/dist-packages/swauth-1.0.9.dev-py2.7.egg/swauth/middleware.py", line 454, in handle#012 return self.handle_request(req)(env, start_response)#012 File "/usr/local/lib/python2.7/dist-packages/swauth-1.0.9.dev-py2.7.egg/swauth/middleware.py", line 521, in handle_request#012 req.response = handler(req)#012 File "/usr/local/lib/python2.7/dist-packages/swauth-1.0.9.dev-py2.7.egg/swauth/middleware.py", line 759, in handle_put_account#012 'account: %s %s' % (path, resp.status))#012Exception: Could not create account within main auth account: /v1/AUTH_.auth/test10 503 Internal Server Error#012: {'SCRIPT_NAME': '/auth/v2/test10', 'REQUEST_METHOD': 'PUT', 'PATH_INFO': '', 'SERVER_PROTOCOL': 'HTTP/1.0', 'CONTENT_LENGTH': '0', 'eventlet.posthooks': [(<bound method Swauth.posthooklogger of <swauth.middleware.Swauth object at 0x1be8350>>, (<swift.common.swob.Request object at 0x1c77bd0>,), {})], 'SERVER_NAME': '23.45.67.10', 'REMOTE_ADDR': '23.45.67.10', 'eventlet.input': <eventlet.wsgi.Input object at 0x1c77a10>, 'HTTP_X_AUTH_ADMIN_KEY': 'secretKey', 'wsgi.url_scheme': 'http', 'SERVER_PORT': '6000', 'HTTP_X_AUTH_ADMIN_USER': '.super_admin', 'wsgi.input': <eventlet.wsgi.Input object at 0x1c77a10>, 'HTTP_HOST': 'mystorage.com:8000', 'swift.cache': <swift.common.memcached.MemcacheRing object at 0x1c77a50>, 'HTTP_X_ACCOUNT_SUFFIX': 'test10', 'wsgi.multithread': True, 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at 0x1bb0b90>, 'wsgi.multiprocess': False, 'CONTENT_TYPE': None, 'HTTP_ACCEPT_ENCODING': 'identity'} (txn: txebdc6774ed66489b94105-0051a2519c)
May 26 20:17:01 mystorage proxy-server - - 26/May/2013/18/17/01 PUT /v1/AUTH_.auth/test10 HTTP/1.0 499 - Swauth - - 118 - txebdc6774ed66489b94105-0051a2519c - 0.6472 SWTH
This is how ring is configured:
~/swauth# swift-ring-builder /etc/swift/account.builder
/etc/swift/account.builder, build version 6
4096 partitions, 2.000000 replicas, 2 regions, 2 zones, 6 devices, 0.05 balance
The minimum number of hours before a partition can be reassigned is 0
Devices: id region zone ip address port name weight partitions balance meta
0 1 1 23.45.67.20 6012 disk2 1.00 1366 0.05
1 1 1 23.45.67.20 6012 disk3 1.00 1365 -0.02
2 1 1 23.45.67.20 6012 disk4 1.00 1365 -0.02
3 2 2 23.45.67.10 6012 disk2 1.00 1365 -0.02
4 2 2 23.45.67.10 6012 disk3 1.00 1365 -0.02
5 2 2 23.45.67.10 6012 disk4 1.00 1366 0.05
When I repeat this command second time, I see following in logs:
May 26 20:28:40 mystorage account-server 23.45.67.10 - - [26/May/2013:18:28:40 +0000] "HEAD /disk2/771/AUTH_.auth" 204 - "txa50c992d3455462ca4223-0051a25458" "-" "-" 0.2601 ""
May 26 20:28:40 mystorage container-server 23.45.67.10 - - [26/May/2013:18:28:40 +0000] "HEAD /disk4/3238/AUTH_.auth/test10" 204 - "txa50c992d3455462ca4223-0051a25458" "-" "Swauth" 0.0010
May 26 20:28:40 mystorage proxy-server - - 26/May/2013/18/28/40 HEAD /v1/AUTH_.auth/test10 HTTP/1.0 204 - Swauth - - - - txa50c992d3455462ca4223-0051a25458 - 0.2640 SWTH
May 26 20:28:40 mystorage account-server 23.45.67.10 - - [26/May/2013:18:28:40 +0000] "PUT /disk3/3974/AUTH_test10" 201 - "tx278110177e044ec694686-0051a25458" "-" "-" 0.0493 ""
May 26 20:28:41 mystorage proxy-server 23.45.67.10 23.45.67.10 26/May/2013/18/28/41 PUT /v1/AUTH_test10 HTTP/1.0 201 - - .auth%2CAUTH_itkb6c34fa3d27d4c8484a479ae8a9643f3 - - - tx278110177e044ec694686-0051a25458 - 0.3514 -
May 26 20:28:41 mystorage container-server 23.45.67.10 - - [26/May/2013:18:28:41 +0000] "HEAD /disk2/1921/AUTH_.auth/.account_id" 404 - "tx363ffdcd82cc4bf98081c-0051a25459" "-" "-" 0.0001
May 26 20:28:41 mystorage proxy-server Handoff requested (1) (txn: tx363ffdcd82cc4bf98081c-0051a25459)
May 26 20:28:41 mystorage proxy-server Handoff requested (2) (txn: tx363ffdcd82cc4bf98081c-0051a25459)
May 26 20:28:41 mystorage container-server 23.45.67.10 - - [26/May/2013:18:28:41 +0000] "HEAD /disk3/1921/AUTH_.auth/.account_id" 204 - "tx363ffdcd82cc4bf98081c-0051a25459" "-" "-" 0.0011
May 26 20:28:42 mystorage container-server 23.45.67.20 - - [26/May/2013:18:28:42 +0000] "PUT /disk2/1921/AUTH_.auth/.account_id/AUTH_test10" 404 - "tx363ffdcd82cc4bf98081c-0051a25459" "-" "-" 0.0002
May 26 20:28:42 mystorage object-server ERROR Container update failed (saving for async update later): 404 response from 23.45.67.20:6011/disk3 (txn: tx363ffdcd82cc4bf98081c-0051a25459)
May 26 20:28:42 mystorage object-server 23.45.67.10 - - [26/May/2013:18:28:42 +0000] "PUT /disk4/4018/AUTH_.auth/.account_id/AUTH_test10" 201 - "-" "tx363ffdcd82cc4bf98081c-0051a25459" "Swauth" 1.0815
May 26 20:28:42 mystorage proxy-server - - 26/May/2013/18/28/42 PUT /v1/AUTH_.auth/.account_id/AUTH_test10 HTTP/1.0 201 - Swauth - 6 - - tx363ffdcd82cc4bf98081c-0051a25459 - 1.6946 SWTH
May 26 20:28:43 mystorage container-server 23.45.67.10 - - [26/May/2013:18:28:43 +0000] "PUT /disk4/3238/AUTH_.auth/test10/.services" 201 - "tx1eb71781d830452b81e80-0051a2545a" "-" "-" 0.0003
May 26 20:28:43 mystorage object-server 23.45.67.10 - - [26/May/2013:18:28:43 +0000] "PUT /disk3/510/AUTH_.auth/test10/.services" 201 - "-" "tx1eb71781d830452b81e80-0051a2545a" "Swauth" 0.3475
May 26 20:28:43 mystorage proxy-server - - 26/May/2013/18/28/43 PUT /v1/AUTH_.auth/test10/.services HTTP/1.0 201 - Swauth - 96 - - tx1eb71781d830452b81e80-0051a2545a - 0.4804 SWTH
May 26 20:28:43 mystorage container-server 23.45.67.10 - - [26/May/2013:18:28:43 +0000] "POST /disk4/3238/AUTH_.auth/test10" 204 - "tx101de3c80e734201ade48-0051a2545b" "-" "-" 0.2281
May 26 20:28:43 mystorage proxy-server - - 26/May/2013/18/28/43 POST /v1/AUTH_.auth/test10 HTTP/1.0 204 - Swauth - - - - tx101de3c80e734201ade48-0051a2545b - 0.4217 SWTH
May 26 20:28:43 mystorage swauth - 23.45.67.10 26/May/2013/18/28/43 PUT /auth/v2/test10 HTTP/1.0 201 - - .super_admin - - - - - 3.2853
I'm afraid that I have somehow badly installed swauth.
What can I do to provide more information about my installation and my problem?
Under Get User Details it has:
Example Response:
HTTP/1.1 200 Ok
{ "groups": [ { "name": "<account>:<user>" },
{ "name": "<user>" },
{ "name": ".admin" } ],
"auth" : "plaintext:password" }
It should be:
{ "groups": [ { "name": "<account>:<user>" },
{ "name": "<account>" },
{ "name": ".admin" } ],
"auth" : "plaintext:password" }
So the error is in <user> which should be account on the second line.
Swauth requires the proxy-server to have "allow_account_management = true". swauth-prep does an account PUT for the behind-the-scenes Swauth account, and swauth-add-account (and swauth-add-user under some circumstances) will also issue account PUTs.
This needs to be added to the documentation.
In addition, with the new account_autocreate option it should be possible to use that and just update Swauth to try using accounts without PUTing them.
Hi All,
We are running swift 1.4.8 on ubuntu 12.04 with swuath as authentication middleware.
When we try to add a non admin user to the account, using the account admin credentials it throws error "Account creation failed: 403 Forbidden" but, it creates the user in backend.
looks like a bug in the swauth with swift 1.4.8.
Regards,
Viral Patadiya
This is just here so that github won't auto-close the milestone until the release is cut.
Hi,
I was trying to enable formpost and tempurl on my swift setup having swauth as authentication middleware.
It was not working at all. For a change, I tried changing my authentication middleware to tempauth and it worked well.
This means, there is definitely an issue where formpost & tempurl does not work with swauth.
Regards,
Viral
Original report from: https://bugs.launchpad.net/swift/+bug/705544
Currently the c# language binding (https://github.com/rackspace/csharp-cloudfiles) urlencodes x-auth-* values before submitting, but devauth/swauth does not unencode them. This causes x-auth-users like "account:user" to be encoded as "account%3auser", resulting in auth failure.
Given x-auth-key/x-auth-user values with strange characters ("", ";", etc) or multibyte values, the x-auth fields should be encoded in some manner.
This was originally filed against devauth, which has now been deprecated and removed, but I'm pretty sure it affects swauth as well.
on Swift 1.4.4
execute swauth-prep got 500 server error
and trace the call
while create account , swift return 405 method not allowed
Refactor to use Swift's make_pre_authed_request
The swift3 middleware sets the X_AUTH_TOKEN to the base64 encoded AWS canonical string. This is a variable length string partially based on the URL path. It is difficult to define an acceptable max_token_length. Would it make sense to allow a paste configuration option to change the max_token_length or disable it?
Basically it seems to boil down to:
diff --git a/webadmin/index.html b/webadmin/index.html
index cbc7c8a..07daa12 100644
--- a/webadmin/index.html
+++ b/webadmin/index.html
@@ -333,10 +333,10 @@
request.setRequestHeader('X-Auth-Admin-User', creds_user);
request.setRequestHeader('X-Auth-Admin-Key', creds_key);
request.setRequestHeader('X-Auth-User-Key', document.getElementById('add_user_key').value);
- if (document.getElementById('add_user_admin').value) {
+ if (document.getElementById('add_user_admin').checked) {
request.setRequestHeader('X-Auth-User-Admin', 'true');
}
- if (document.getElementById('add_user_reseller_admin').value) {
+ if (document.getElementById('add_user_reseller_admin').checked) {
request.setRequestHeader('X-Auth-User-Reseller-Admin', 'true');
}
request.send();
The "value" of the .value property seems to always be "on" regardless of the state of the element (tested on Chrome and Safari). So the "if block" evaluates "true" and the X-Auth-User-Reseller-Admin header is sent as "true" (i.e. X-Auth-User-Reseller-Admin:true according to chome debug tools) even though the form has the add_user_reseller_admin checkbox - unchecked.
I'm not fully sure I grok the security model here, but it seems like reseller admin's can't create other reseller admins.
When I try on the command line:
swauth-add-user -A http://localhost:8080/auth -U admin:admin -K admin -a -r test tester7 testing7
i'll get a 401, but:
swauth-add-user -A http://localhost:8080/auth -K swauthkey -a -r test tester7 testing7
...will succeed.
Either way the XHR doesn't seem to capture the spirt of the form, because of course:
swauth-add-user -A http://localhost:8080/auth -U admin:admin -K admin -a test tester7 testing7
...works - and changing the javascript to look at the .checked property will not send the the X-Auth-User-Reseller-Admin header.
Does it work differently on your machine? Would you like me to audit the webadmin's javascript for other usage of .value on checkboxes? Dose the project have any notion of tests for the webadmin if I do attempt a PR?
Essex with Swauth support On CentOS6 with single node.
May 17 23:38:52 localhost proxy-server STDOUT: EXCEPTION IN handle: Traceback (most recent call last):#12 File "/root/swauth/middleware.py", line 404, in handle#012 return self.handle_request(req)(env, start_response)#12 File "/root/swauth/middleware.py", line 471, in handle_request#012 req.response = handler(req)#12 File "/root/swauth/middleware.py", line 1183, in handle_get_token#012 'exists: %s %s' % (path, resp.status))#012Exception: Could not detect whether a token already exists: /v1/AUTH_.auth/.token_d/AUTH_tk69d81d080626426bb6c2b2aa8d2e267d 503 Internal Server Error#012: {'SCRIPT_NAME': '/auth', 'webob.adhoc_attrs': {'start_time': 1337278117.1463921, 'bytes_transferred': '-', 'client_disconnect': False}, 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'QUERY_STRING': '', 'HTTP_X_STORAGE_PASS': 'password', 'HTTP_USER_AGENT': '' '', 'HTTP_CONNECTION': 'Keep-Alive', 'eventlet.posthooks': [(<bound method Swauth.posthooklogger of <swauth.middleware.Swauth object at 0x145f250>>, (<Request at 0x6461cd0 GET http://192.168.1.10/auth/v1.0>,), {})], 'SERVER_NAME': '192.168.1.10', 'REMOTE_ADDR': '192.168.1.167', 'eventlet.input': <eventlet.wsgi.Input object at 0x2f4ae90>, 'HTTP_X_STORAGE_USER': 'one:one', 'wsgi.url_scheme': 'http', 'SERVER_PORT': '443', 'wsgi.input': <eventlet.wsgi.Input object at 0x2f4ae90>, 'HTTP_HOST': '192.168.1.10', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/xml', 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at 0x1436590>, 'wsgi.multiprocess': False, 'CONTENT_TYPE': None, 'swift.cache': <swift.common.memcached.MemcacheRing object at 0x145f410>}
May 17 23:39:40 localhost proxy-server STDOUT: EXCEPTION IN handle: Traceback (most recent call last):#12 File "/root/swauth/middleware.py", line 404, in handle#012 return self.handle_request(req)(env, start_response)#12 File "/root/swauth/middleware.py", line 471, in handle_request#012 req.response = handler(req)#12 File "/root/swauth/middleware.py", line 1223, in handle_get_token#012 (path, resp.status))#012Exception: Could not obtain services info: /v1/AUTH_.auth/umesh/.services 503 Internal Server Error#012: {'SCRIPT_NAME': '/auth', 'webob.adhoc_attrs': {'start_time': 1337278155.8839321, 'bytes_transferred': '-', 'client_disconnect': False}, 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'QUERY_STRING': '', 'HTTP_X_STORAGE_PASS': 'password', 'HTTP_USER_AGENT': '' '', 'eventlet.posthooks': [(<bound method Swauth.posthooklogger of <swauth.middleware.Swauth object at 0x145f250>>, (<Request at 0x4514c50 GET http://192.168.1.10/auth/v1.0>,), {})], 'SERVER_NAME': '192.168.1.10', 'REMOTE_ADDR': '192.168.1.167', 'eventlet.input': <eventlet.wsgi.Input object at 0x4863e10>, 'HTTP_X_STORAGE_USER': 'one:one', 'wsgi.url_scheme': 'http', 'SERVER_PORT': '443', 'wsgi.input': <eventlet.wsgi.Input object at 0x4863e10>, 'HTTP_HOST': '192.168.1.10', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/xml', 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at 0x1436590>, 'wsgi.multiprocess': False, 'CONTENT_TYPE': None, 'swift.cache': <swift.common.memcached.MemcacheRing object at 0x145f410>}
May 17 23:40:32 localhost proxy-server STDOUT: EXCEPTION IN handle: Traceback (most recent call last):#12 File "/root/swauth/middleware.py", line 404, in handle#012 return self.handle_request(req)(env, start_response)#12 File "/root/swauth/middleware.py", line 471, in handle_request#012 req.response = handler(req)#12 File "/root/swauth/middleware.py", line 1162, in handle_get_token#012 (path, resp.status))#012Exception: Could not obtain user details: /v1/AUTH_.auth/umesh/umesh 503 Internal Server Error#012: {'SCRIPT_NAME': '/auth', 'webob.adhoc_attrs': {'start_time': 1337278232.3465359, 'bytes_transferred': '-', 'client_disconnect': False}, 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/v1.0', 'SERVER_PROTOCOL': 'HTTP/1.0', 'QUERY_STRING': '', 'HTTP_X_STORAGE_PASS': 'password', 'HTTP_USER_AGENT': '' '', 'eventlet.posthooks': [(<bound method Swauth.posthooklogger of <swauth.middleware.Swauth object at 0x145f250>>, (<Request at 0x1a8d150 GET http://192.168.1.10/auth/v1.0>,), {})], 'SERVER_NAME': '192.168.1.10', 'REMOTE_ADDR': '192.168.1.167', 'eventlet.input': <eventlet.wsgi.Input object at 0x70086d0>, 'HTTP_X_STORAGE_USER': 'one:one', 'wsgi.url_scheme': 'http', 'SERVER_PORT': '443', 'wsgi.input': <eventlet.wsgi.Input object at 0x70086d0>, 'HTTP_HOST': '192.168.1.10', 'wsgi.multithread': True, 'HTTP_ACCEPT': 'application/xml', 'wsgi.version': (1, 0), 'GATEWAY_INTERFACE': 'CGI/1.1', 'wsgi.run_once': False, 'wsgi.errors': <swift.common.utils.LoggerFileObject object at 0x1436590>, 'wsgi.multiprocess': False, 'CONTENT_TYPE': None, 'swift.cache': <swift.common.memcached.MemcacheRing object at 0x145f410>}
I ran "python setup.py sdist" and the resulting tarball in dist/ ended missing README.md. Please either add README.md to MANIFEST.in or set a flag to setup().
No real need to have it separate.
Allow /not/ setting super_admin_key to disallow such operations on that proxy.
http://gholt.github.io/swauth/dev/api.html#get-account-details
The "Example Response:" JSON is not valid JSON. There is an extra comma after
"local": "https://<storage endpoint>/v1/<account_id>" },
that should be removed
Hi,
I added 2 new classes to store users keys as sha256 and sha512 hashes:
class Sha256(object):
"""
Provides a particular auth type for encoding format for encoding and
matching user keys.
This class must be all lowercase except for the first character, which
must be capitalized. encode and match methods must be provided and are
the only ones that will be used by swauth.
"""
def encode(self, key):
"""
Encodes a user key into a particular format. The result of this method
will be used by swauth for storing user credentials.
:param key: User's secret key
:returns: A string representing user credentials
"""
enc_key = '%s%s' % (self.salt, key)
enc_val = hashlib.sha256(enc_key).hexdigest()
return "sha256:%s" % (enc_val)
def match(self, key, creds):
"""
Checks whether the user-provided key matches the user's credentials
:param key: User-supplied key
:param creds: User's stored credentials
:returns: True if the supplied key is valid, False otherwise
"""
return self.encode(key) == creds
class Sha512(object):
"""
Provides a particular auth type for encoding format for encoding and
matching user keys.
This class must be all lowercase except for the first character, which
must be capitalized. encode and match methods must be provided and are
the only ones that will be used by swauth.
"""
def encode(self, key):
"""
Encodes a user key into a particular format. The result of this method
will be used by swauth for storing user credentials.
:param key: User's secret key
:returns: A string representing user credentials
"""
enc_key = '%s%s' % (self.salt, key)
enc_val = hashlib.sha512(enc_key).hexdigest()
return "sha512:%s" % (enc_val)
def match(self, key, creds):
"""
Checks whether the user-provided key matches the user's credentials
:param key: User-supplied key
:param creds: User's stored credentials
:returns: True if the supplied key is valid, False otherwise
"""
return self.encode(key) == credsI was wondering if sha1 seems not be secure any more nowadays maybe it should be better to use stronger hashes as default? Do you think it could have notacible impact on performance of swift proxy server?
As i can see there is a option to set a global salt only or there is a way to pass salt per user key? If use global salt maybe we shouldn't store salt together with users keys in case of someone stole are database?
So that a malicious client can't blow out our memcache or something along those lines, we should quickly reject any requests with tokens larger than 256 characters.
In order to change a user's password when the clients are distributed and the system is under production load, it is useful to be able to manage multiple passwords per user, to enable a phased change.
Amazon describes this process here: http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#CredentialRotation
in the docs (api.html), the Authentication section declares "These headers are defined as X-Auth-Admin-User and X-Auth-Admin-Key... Typically, these values are .super_admin (the site super admin user)"
All the following examples use .super_user instead:
Example Request:
GET /auth// HTTP/1.1
X-Auth-Admin-User: .super_user
X-Auth-Admin-Key: swauthkey
It would be easier to follow if the examples used .super_admin instead of .super_user.
I suggest changing all instances of .super_user to .super_admin in api.html.
Thanks.
This release will require Swift 1.7.6 or greater (swift.common.swob support with a particular bugfix is needed).
With Swift's new account_autocreate option it should be possible to use that and just update Swauth to try using accounts without PUTing them.
The example requests under Create Account for swauth/doc/source/api.rst show GET requests, but the documentation states: "An account can be created with a PUT request against a non-existent account."
The examples should be updated to show PUT requests for the HTTP method.
I installed swauth, edited the proxy-server.conf and then tried to do a swauth-prep to initialize it. But this takes very long and does not seem to complete in 30 minutes. When I do a ctrl+c to interrupt, I get the following message:Traceback (most recent call last):
File "/usr/bin/swauth-prep", line 57, in
resp = conn.getresponse()
File "/usr/lib/pymodules/python2.7/swift/common/bufferedhttp.py", line 95, in getresponse
response = HTTPConnection.getresponse(self)
File "/usr/lib/python2.7/httplib.py", line 1027, in getresponse
response.begin()
File "/usr/lib/python2.7/httplib.py", line 407, in begin
version, status, reason = self._read_status()
File "/usr/lib/python2.7/httplib.py", line 365, in _read_status
line = self.fp.readline()
File "/usr/lib/python2.7/socket.py", line 447, in readline
data = self._sock.recv(self._rbufsize)
File "/usr/lib/pymodules/python2.7/eventlet/greenio.py", line 238, in recv
timeout_exc=socket.timeout("timed out"))
File "/usr/lib/pymodules/python2.7/eventlet/hubs/init.py", line 121, in trampoline
return hub.switch()
File "/usr/lib/pymodules/python2.7/eventlet/hubs/hub.py", line 177, in switch
return self.greenlet.switch()
File "/usr/lib/pymodules/python2.7/eventlet/hubs/hub.py", line 226, in run
self.wait(sleep_time)
File "/usr/lib/pymodules/python2.7/eventlet/hubs/poll.py", line 84, in wait
presult = self.do_poll(seconds)
File "/usr/lib/pymodules/python2.7/eventlet/hubs/epolls.py", line 55, in do_poll
return self.poll.poll(seconds)
Do you have any Idea what could be causing this?
I'm evaluating swauth in order to check if it resolves an issue I have with tempauth. Basically I cannot request a new token for a user until the existing token has expired. This means that in a scenario where I'm constantly interacting with Swift I am bound to get a 401 error when the token I'm using expires.
Since I cannot issue a retry, this is a problem for me since that request is lost. Does swauth have the same issue? I briefly looked at the code and it seems pretty similar to tempauth, in that it checks to see if there's an existing token for that user and returns it. Can I force the creation of new tokens? Is there another way to deal with this issue not involving retries?
Thanks.
There's a bug when doing listings that end up using a non-7-bit marker. We need to utf-8 encode the marker.
Allow OPTIONS requests to pass through as they should be harmless and the Swift proxy needs them to properly support CORS.
An upcoming change in Swift is going to want swift.source set in subrequests to differentiate them from actual requests. Swauth should set swift.source to SWTH.
There's a bug where Swauth doesn't set it's own requests as "preauthorized" which means any other auth further in the pipeline ends up rejecting those requests. I have a patch for this at https://code.launchpad.net/~gholt/swift/multiswauth
Stub issue so milestone doesn't get auto-closed until the release is made.
I had begun work on this at https://code.launchpad.net/~gholt/swift/swauthpurtok/+merge/45921
I originally wrote a section for the OpenStack Foundation Security Guide about SWAuth, but the core reviewers felt that it wasn't the appropriate place for it.
I wanted to provide my documentation work to the community.
The attached are in a rough form since I don't have the ability to incorporate them into the swauth project.
Creative Commons Attribution 3.0 License
I hope someone finds it useful.
Create API reference documentation
I think I'd like to have the swauth api homed at /swauth/ instead of /auth/ so it doesn't conflict with some other stuff I've got going. And that worked mostly fine using the auth_prefix setting in the proxy-server.conf's [filter:swauth] section, but broke webadmin.
Bit of sed and a reupload squared it for me, but it felt like a hack, and if I want to try and push any fixes upstream I'll have to carry this silly patch ๐ข (I'm no css guru, but I wonder have you heard of the bootstrap?)
I thought of two ways that might be better and was wondering if you'd be interested in seeing either one of them.
mv index.html index.html-template and have a swauth-webadmin install command that could read the config, fill in the blanks and upload the newly rendered webadmin resource(s)./info with register_swift_info that says the relative url of the swauth api end point and have index.html do an XHR as soon as it loads to fill in some global state?This is just here so that github won't auto-close the milestone until the release is cut.
The README should dispose of its install docs and just reference the Sphinx-built docs.
The in-flight Swift container sync feature, https://code.launchpad.net/~gholt/swift/consync/+merge/51081 , requires additional features to Swauth.
Original report from: https://bugs.launchpad.net/swift/+bug/785448
Multiple Swauths fails because the second swauth will reject all behind-the-scenes requests by the first.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.