9 Commits

Author SHA1 Message Date
David Hadas
8b140033f0 Improved container-sync resiliency
container-sync now skips faulty objects in the first and second rounds.
All replicas try in the second round.
No server will give up until the faulty object suceeds

Fixes: bug #1068423

Change-Id: I0defc174b2ce3796a6acf410a2d2eae138e8193d
2013-03-08 22:28:06 +02:00
Samuel Merritt
89a871d42f Improve container-sync docs.
Two improvements: first, document that the container-sync process
connects to the remote cluster's proxy server, so outbound
connectivity is required.

Second, rewrite the behind-the-scenes container-sync example and add
some ASCII-art diagrams.

Fixes bug 1068430.

Bonus fix of docstring in wsgi.py to squelch a sphinx warning.

Change-Id: I85bd56c2bd14431e13f7c57a43852777f14014fb
2012-11-21 14:59:26 -08:00
Samuel Merritt
357b12dc2b Remove IP-based container-sync ACLs from auth middlewares.
The determination of the client IP looked at the X-Cluster-Client-Ip
and X-Forwarded-For headers in the incoming HTTP request. This is
trivially spoofable by a malicious client, so there's no security
gained by having the check there.

Worse, having the check there provides a false sense of security to
cluster operators. It sounds like it's based on the client IP, so an
attacker would have to do IP spoofing to defeat it. However, it's
really just a shared secret, and there's already a secret key set
up. Basically, it looks like 2-factor auth (IP+key), but it's really
1-factor (key).

Now, the one case where this might provide some security is where the
Swift cluster is behind an external load balancer that strips off the
X-Cluster-Client-Ip and X-Forwarded-For headers and substitutes its
own. I don't think it's worth the tradeoff, hence this commit.

Fixes bug 1068420 for very small values of "fixes".

DocImpact

Change-Id: I2bef64c2e1e4df8a612a5531a35721202deb6964
2012-11-16 18:47:06 -08:00
Chmouel Boudjnah
22572b506a Remove swift.common.client from here.
- It has been to its own gerrit project.
- direct_client should follow next.
- Implements blueprint clientbindings.

Change-Id: I3bb50c95eba81302bfec71cb7ce5288b85a41dc0
2012-06-07 16:36:49 +02:00
gholt
2f0df53ed9 Added notes about container sync and large objects 2011-07-14 18:53:04 +00:00
gholt
b88a0d0f95 consync: fixes as per the code roast 2011-07-08 19:57:45 +00:00
gholt
552fa38ed1 Doc updates 2011-06-22 15:05:23 +00:00
gholt
f40519a182 Container sync doc updates 2011-03-02 14:18:49 -08:00
gholt
a7c0a6edde More docs 2011-02-24 15:01:22 -08:00