Renaming TestAuth to TempAuth because nose hates anything with the word test in it.
This commit is contained in:
parent
3ee4a01100
commit
f68b6354e2
@ -549,17 +549,17 @@ allow_account_management false Whether account PUTs and DELETEs
|
||||
are even callable
|
||||
============================ =============== =============================
|
||||
|
||||
[testauth]
|
||||
[tempauth]
|
||||
|
||||
===================== =============================== =======================
|
||||
Option Default Description
|
||||
--------------------- ------------------------------- -----------------------
|
||||
use Entry point for
|
||||
paste.deploy to use for
|
||||
auth. To use testauth
|
||||
auth. To use tempauth
|
||||
set to:
|
||||
`egg:swift#testauth`
|
||||
set log_name testauth Label used when logging
|
||||
`egg:swift#tempauth`
|
||||
set log_name tempauth Label used when logging
|
||||
set log_facility LOG_LOCAL0 Syslog log facility
|
||||
set log_level INFO Log level
|
||||
set log_headers True If True, log headers in
|
||||
|
@ -6,7 +6,7 @@ Auth Server and Middleware
|
||||
Creating Your Own Auth Server and Middleware
|
||||
--------------------------------------------
|
||||
|
||||
The included swift/common/middleware/testauth.py is a good example of how to
|
||||
The included swift/common/middleware/tempauth.py is a good example of how to
|
||||
create an auth subsystem with proxy server auth middleware. The main points are
|
||||
that the auth middleware can reject requests up front, before they ever get to
|
||||
the Swift Proxy application, and afterwards when the proxy issues callbacks to
|
||||
@ -27,7 +27,7 @@ specific information, it just passes it along. Convention has
|
||||
environ['REMOTE_USER'] set to the authenticated user string but often more
|
||||
information is needed than just that.
|
||||
|
||||
The included TestAuth will set the REMOTE_USER to a comma separated list of
|
||||
The included TempAuth will set the REMOTE_USER to a comma separated list of
|
||||
groups the user belongs to. The first group will be the "user's group", a group
|
||||
that only the user belongs to. The second group will be the "account's group",
|
||||
a group that includes all users for that auth account (different than the
|
||||
@ -37,7 +37,7 @@ will be omitted.
|
||||
|
||||
It is highly recommended that authentication server implementers prefix their
|
||||
tokens and Swift storage accounts they create with a configurable reseller
|
||||
prefix (`AUTH_` by default with the included TestAuth). This prefix will avoid
|
||||
prefix (`AUTH_` by default with the included TempAuth). This prefix will avoid
|
||||
conflicts with other authentication servers that might be using the same
|
||||
Swift cluster. Otherwise, the Swift cluster will have to try all the resellers
|
||||
until one validates a token or all fail.
|
||||
@ -46,14 +46,14 @@ A restriction with group names is that no group name should begin with a period
|
||||
'.' as that is reserved for internal Swift use (such as the .r for referrer
|
||||
designations as you'll see later).
|
||||
|
||||
Example Authentication with TestAuth:
|
||||
Example Authentication with TempAuth:
|
||||
|
||||
* Token AUTH_tkabcd is given to the TestAuth middleware in a request's
|
||||
* Token AUTH_tkabcd is given to the TempAuth middleware in a request's
|
||||
X-Auth-Token header.
|
||||
* The TestAuth middleware validates the token AUTH_tkabcd and discovers
|
||||
* The TempAuth middleware validates the token AUTH_tkabcd and discovers
|
||||
it matches the "tester" user within the "test" account for the storage
|
||||
account "AUTH_storage_xyz".
|
||||
* The TestAuth middleware sets the REMOTE_USER to
|
||||
* The TempAuth middleware sets the REMOTE_USER to
|
||||
"test:tester,test,AUTH_storage_xyz"
|
||||
* Now this user will have full access (via authorization procedures later)
|
||||
to the AUTH_storage_xyz Swift storage account and access to containers in
|
||||
|
@ -265,14 +265,14 @@ Sample configuration files are provided with all defaults in line-by-line commen
|
||||
log_facility = LOG_LOCAL1
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = healthcheck cache testauth proxy-server
|
||||
pipeline = healthcheck cache tempauth proxy-server
|
||||
|
||||
[app:proxy-server]
|
||||
use = egg:swift#proxy
|
||||
allow_account_management = true
|
||||
|
||||
[filter:testauth]
|
||||
use = egg:swift#testauth
|
||||
[filter:tempauth]
|
||||
use = egg:swift#tempauth
|
||||
user_admin_admin = admin .admin .reseller_admin
|
||||
user_test_tester = testing .admin
|
||||
user_test2_tester2 = testing2 .admin
|
||||
|
@ -13,7 +13,7 @@ Prerequisites
|
||||
Basic architecture and terms
|
||||
----------------------------
|
||||
- *node* - a host machine running one or more Swift services
|
||||
- *Proxy node* - node that runs Proxy services; also runs TestAuth
|
||||
- *Proxy node* - node that runs Proxy services; also runs TempAuth
|
||||
- *Storage node* - node that runs Account, Container, and Object services
|
||||
- *ring* - a set of mappings of Swift data to physical devices
|
||||
|
||||
@ -23,7 +23,7 @@ This document shows a cluster using the following types of nodes:
|
||||
|
||||
- Runs the swift-proxy-server processes which proxy requests to the
|
||||
appropriate Storage nodes. The proxy server will also contain
|
||||
the TestAuth service as WSGI middleware.
|
||||
the TempAuth service as WSGI middleware.
|
||||
|
||||
- five Storage nodes
|
||||
|
||||
@ -130,14 +130,14 @@ Configure the Proxy node
|
||||
user = swift
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = healthcheck cache testauth proxy-server
|
||||
pipeline = healthcheck cache tempauth proxy-server
|
||||
|
||||
[app:proxy-server]
|
||||
use = egg:swift#proxy
|
||||
allow_account_management = true
|
||||
|
||||
[filter:testauth]
|
||||
use = egg:swift#testauth
|
||||
[filter:tempauth]
|
||||
use = egg:swift#tempauth
|
||||
user_system_root = testpass .admin https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
|
||||
|
||||
[filter:healthcheck]
|
||||
@ -420,8 +420,8 @@ See :ref:`config-proxy` for the initial setup, and then follow these additional
|
||||
|
||||
#. Change the storage url for any users to point to the load balanced url, rather than the first proxy server you created in /etc/swift/proxy-server.conf::
|
||||
|
||||
[filter:testauth]
|
||||
use = egg:swift#testauth
|
||||
[filter:tempauth]
|
||||
use = egg:swift#tempauth
|
||||
user_system_root = testpass .admin http[s]://<LOAD_BALANCER_HOSTNAME>:<PORT>/v1/AUTH_system
|
||||
|
||||
#. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well.
|
||||
|
@ -33,12 +33,12 @@ Utils
|
||||
:members:
|
||||
:show-inheritance:
|
||||
|
||||
.. _common_testauth:
|
||||
.. _common_tempauth:
|
||||
|
||||
TestAuth
|
||||
TempAuth
|
||||
========
|
||||
|
||||
.. automodule:: swift.common.middleware.testauth
|
||||
.. automodule:: swift.common.middleware.tempauth
|
||||
:members:
|
||||
:show-inheritance:
|
||||
|
||||
|
@ -3,7 +3,7 @@ The Auth System
|
||||
===============
|
||||
|
||||
--------
|
||||
TestAuth
|
||||
TempAuth
|
||||
--------
|
||||
|
||||
The auth system for Swift is loosely based on the auth system from the existing
|
||||
@ -27,7 +27,7 @@ validation.
|
||||
Swift will make calls to the auth system, giving the auth token to be
|
||||
validated. For a valid token, the auth system responds with an overall
|
||||
expiration in seconds from now. Swift will cache the token up to the expiration
|
||||
time. The included TestAuth also has the concept of admin and non-admin users
|
||||
time. The included TempAuth also has the concept of admin and non-admin users
|
||||
within an account. Admin users can do anything within the account. Non-admin
|
||||
users can only perform operations per container based on the container's
|
||||
X-Container-Read and X-Container-Write ACLs. For more information on ACLs, see
|
||||
@ -40,7 +40,7 @@ receive the auth token and a URL to the Swift system.
|
||||
Extending Auth
|
||||
--------------
|
||||
|
||||
TestAuth is written as wsgi middleware, so implementing your own auth is as
|
||||
TempAuth is written as wsgi middleware, so implementing your own auth is as
|
||||
easy as writing new wsgi middleware, and plugging it in to the proxy server.
|
||||
The KeyStone project and the Swauth project are examples of additional auth
|
||||
services.
|
||||
|
@ -13,7 +13,7 @@
|
||||
# log_level = INFO
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = catch_errors healthcheck cache ratelimit testauth proxy-server
|
||||
pipeline = catch_errors healthcheck cache ratelimit tempauth proxy-server
|
||||
|
||||
[app:proxy-server]
|
||||
use = egg:swift#proxy
|
||||
@ -41,10 +41,10 @@ use = egg:swift#proxy
|
||||
# 'false' no one, even authorized, can.
|
||||
# allow_account_management = false
|
||||
|
||||
[filter:testauth]
|
||||
use = egg:swift#testauth
|
||||
[filter:tempauth]
|
||||
use = egg:swift#tempauth
|
||||
# You can override the default log routing for this filter here:
|
||||
# set log_name = testauth
|
||||
# set log_name = tempauth
|
||||
# set log_facility = LOG_LOCAL0
|
||||
# set log_level = INFO
|
||||
# set log_headers = False
|
||||
|
2
setup.py
2
setup.py
@ -113,7 +113,7 @@ setup(
|
||||
'domain_remap=swift.common.middleware.domain_remap:filter_factory',
|
||||
'swift3=swift.common.middleware.swift3:filter_factory',
|
||||
'staticweb=swift.common.middleware.staticweb:filter_factory',
|
||||
'testauth=swift.common.middleware.testauth:filter_factory',
|
||||
'tempauth=swift.common.middleware.tempauth:filter_factory',
|
||||
],
|
||||
},
|
||||
)
|
||||
|
@ -28,7 +28,7 @@ added. For example::
|
||||
...
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = healthcheck cache testauth staticweb proxy-server
|
||||
pipeline = healthcheck cache tempauth staticweb proxy-server
|
||||
|
||||
...
|
||||
|
||||
|
@ -30,19 +30,19 @@ from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
|
||||
from swift.common.utils import cache_from_env, get_logger, split_path
|
||||
|
||||
|
||||
class TestAuth(object):
|
||||
class TempAuth(object):
|
||||
"""
|
||||
Test authentication and authorization system.
|
||||
|
||||
Add to your pipeline in proxy-server.conf, such as::
|
||||
|
||||
[pipeline:main]
|
||||
pipeline = catch_errors cache testauth proxy-server
|
||||
pipeline = catch_errors cache tempauth proxy-server
|
||||
|
||||
And add a testauth filter section, such as::
|
||||
And add a tempauth filter section, such as::
|
||||
|
||||
[filter:testauth]
|
||||
use = egg:swift#testauth
|
||||
[filter:tempauth]
|
||||
use = egg:swift#tempauth
|
||||
user_admin_admin = admin .admin .reseller_admin
|
||||
user_test_tester = testing .admin
|
||||
user_test2_tester2 = testing2 .admin
|
||||
@ -57,7 +57,7 @@ class TestAuth(object):
|
||||
def __init__(self, app, conf):
|
||||
self.app = app
|
||||
self.conf = conf
|
||||
self.logger = get_logger(conf, log_route='testauth')
|
||||
self.logger = get_logger(conf, log_route='tempauth')
|
||||
self.log_headers = conf.get('log_headers') == 'True'
|
||||
self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
|
||||
if self.reseller_prefix and self.reseller_prefix[-1] != '_':
|
||||
@ -114,7 +114,7 @@ class TestAuth(object):
|
||||
"""
|
||||
# Ensure the accounts we handle have been created
|
||||
if not self.created_accounts and self.users:
|
||||
newenv = {'REQUEST_METHOD': 'GET', 'HTTP_USER_AGENT': 'TestAuth'}
|
||||
newenv = {'REQUEST_METHOD': 'GET', 'HTTP_USER_AGENT': 'TempAuth'}
|
||||
for name in ('swift.cache', 'HTTP_X_TRANS_ID'):
|
||||
if name in env:
|
||||
newenv[name] = env[name]
|
||||
@ -478,5 +478,5 @@ def filter_factory(global_conf, **local_conf):
|
||||
conf.update(local_conf)
|
||||
|
||||
def auth_filter(app):
|
||||
return TestAuth(app, conf)
|
||||
return TempAuth(app, conf)
|
||||
return auth_filter
|
@ -23,7 +23,7 @@ from time import time
|
||||
|
||||
from webob import Request, Response
|
||||
|
||||
from swift.common.middleware import testauth as auth
|
||||
from swift.common.middleware import tempauth as auth
|
||||
|
||||
|
||||
class FakeMemcache(object):
|
Loading…
x
Reference in New Issue
Block a user