24ef12027c
Add a new middleware implementing some basic container quotas. Quotas are subject to several limitations: eventual consistency, the timeliness of the cached container_info (60 second ttl by default), and it’s unable to reject chunked transfer uploads that exceed the quota (though once the quota is exceeded, new chunked transfers will be refused). However, they get most of the way to container quotas fairly inexpensively. Quotas are set by adding meta values to the container, and are validated when set: X-Container-Meta-Quota-Bytes: Maximum size of the container, in bytes. X-Container-Meta-Quota-Count: Maximum object count of the container. DocImpact Change-Id: I77cfbf6dc231a2e522bd67328e4c082424a93eee
345 lines
13 KiB
Plaintext
345 lines
13 KiB
Plaintext
[DEFAULT]
|
|
# bind_ip = 0.0.0.0
|
|
# bind_port = 80
|
|
# bind_timeout = 30
|
|
# backlog = 4096
|
|
# swift_dir = /etc/swift
|
|
# workers = 1
|
|
# user = swift
|
|
# Set the following two lines to enable SSL. This is for testing only.
|
|
# cert_file = /etc/swift/proxy.crt
|
|
# key_file = /etc/swift/proxy.key
|
|
# expiring_objects_container_divisor = 86400
|
|
# You can specify default log routing here if you want:
|
|
# log_name = swift
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_headers = False
|
|
# log_address = /dev/log
|
|
# comma separated list of functions to call to setup custom log handlers.
|
|
# functions get passed: conf, name, log_to_console, log_route, fmt, logger,
|
|
# adapted_logger
|
|
# log_custom_handlers =
|
|
# If set, log_udp_host will override log_address
|
|
# log_udp_host =
|
|
# log_udp_port = 514
|
|
# You can enable StatsD logging here:
|
|
# log_statsd_host = localhost
|
|
# log_statsd_port = 8125
|
|
# log_statsd_default_sample_rate = 1
|
|
# log_statsd_metric_prefix =
|
|
# Use a comma separated list of full url (http://foo.bar:1234,https://foo.bar)
|
|
# cors_allow_origin =
|
|
# eventlet_debug = false
|
|
|
|
[pipeline:main]
|
|
pipeline = catch_errors healthcheck cache ratelimit tempauth container-quotas proxy-logging proxy-server
|
|
|
|
[app:proxy-server]
|
|
use = egg:swift#proxy
|
|
# You can override the default log routing for this app here:
|
|
# set log_name = proxy-server
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_address = /dev/log
|
|
# log_handoffs = True
|
|
# recheck_account_existence = 60
|
|
# recheck_container_existence = 60
|
|
# object_chunk_size = 8192
|
|
# client_chunk_size = 8192
|
|
# node_timeout = 10
|
|
# client_timeout = 60
|
|
# conn_timeout = 0.5
|
|
# How long without an error before a node's error count is reset. This will
|
|
# also be how long before a node is reenabled after suppression is triggered.
|
|
# error_suppression_interval = 60
|
|
# How many errors can accumulate before a node is temporarily ignored.
|
|
# error_suppression_limit = 10
|
|
# If set to 'true' any authorized user may create and delete accounts; if
|
|
# 'false' no one, even authorized, can.
|
|
# allow_account_management = false
|
|
# Set object_post_as_copy = false to turn on fast posts where only the metadata
|
|
# changes are stored anew and the original data file is kept in place. This
|
|
# makes for quicker posts; but since the container metadata isn't updated in
|
|
# this mode, features like container sync won't be able to sync posts.
|
|
# object_post_as_copy = true
|
|
# If set to 'true' authorized accounts that do not yet exist within the Swift
|
|
# cluster will be automatically created.
|
|
# account_autocreate = false
|
|
# If set to a positive value, trying to create a container when the account
|
|
# already has at least this maximum containers will result in a 403 Forbidden.
|
|
# Note: This is a soft limit, meaning a user might exceed the cap for
|
|
# recheck_account_existence before the 403s kick in.
|
|
# max_containers_per_account = 0
|
|
# This is a comma separated list of account hashes that ignore the
|
|
# max_containers_per_account cap.
|
|
# max_containers_whitelist =
|
|
# Comma separated list of Host headers to which the proxy will deny requests.
|
|
# deny_host_headers =
|
|
# Prefix used when automatically creating accounts.
|
|
# auto_create_account_prefix = .
|
|
# Depth of the proxy put queue.
|
|
# put_queue_depth = 10
|
|
# Start rate-limiting object segment serving after the Nth segment of a
|
|
# segmented object.
|
|
# rate_limit_after_segment = 10
|
|
# Once segment rate-limiting kicks in for an object, limit segments served
|
|
# to N per second.
|
|
# rate_limit_segments_per_sec = 1
|
|
|
|
[filter:tempauth]
|
|
use = egg:swift#tempauth
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = tempauth
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# The reseller prefix will verify a token begins with this prefix before even
|
|
# attempting to validate it. Also, with authorization, only Swift storage
|
|
# accounts with this prefix will be authorized by this middleware. Useful if
|
|
# multiple auth systems are in use for one Swift cluster.
|
|
# reseller_prefix = AUTH
|
|
# The auth prefix will cause requests beginning with this prefix to be routed
|
|
# to the auth subsystem, for granting tokens, etc.
|
|
# auth_prefix = /auth/
|
|
# token_life = 86400
|
|
# This allows middleware higher in the WSGI pipeline to override auth
|
|
# processing, useful for middleware such as tempurl and formpost. If you know
|
|
# you're not going to use such middleware and you want a bit of extra security,
|
|
# you can set this to false.
|
|
# allow_overrides = true
|
|
# This specifies what scheme to return with storage urls:
|
|
# http, https, or default (chooses based on what the server is running as)
|
|
# This can be useful with an SSL load balancer in front of a non-SSL server.
|
|
# storage_url_scheme = default
|
|
# Lastly, you need to list all the accounts/users you want here. The format is:
|
|
# user_<account>_<user> = <key> [group] [group] [...] [storage_url]
|
|
# or if you want underscores in <account> or <user>, you can base64 encode them
|
|
# (with no equal signs) and use this format:
|
|
# user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url]
|
|
# There are special groups of:
|
|
# .reseller_admin = can do anything to any account for this auth
|
|
# .admin = can do anything within the account
|
|
# If neither of these groups are specified, the user can only access containers
|
|
# that have been explicitly allowed for them by a .admin or .reseller_admin.
|
|
# The trailing optional storage_url allows you to specify an alternate url to
|
|
# hand back to the user upon authentication. If not specified, this defaults to
|
|
# $HOST/v1/<reseller_prefix>_<account> where $HOST will do its best to resolve
|
|
# to what the requester would need to use to reach this host.
|
|
# Here are example entries, required for running the tests:
|
|
user_admin_admin = admin .admin .reseller_admin
|
|
user_test_tester = testing .admin
|
|
user_test2_tester2 = testing2 .admin
|
|
user_test_tester3 = testing3
|
|
|
|
# To enable Keystone authentication you need to have the auth token
|
|
# middleware first to be configured. Here is an example below, please
|
|
# refer to the keystone's documentation for details about the
|
|
# different settings.
|
|
#
|
|
# You'll need to have as well the keystoneauth middleware enabled
|
|
# and have it in your main pipeline so instead of having tempauth in
|
|
# there you can change it to: authtoken keystone
|
|
#
|
|
# [filter:authtoken]
|
|
# paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
|
|
# auth_host = keystonehost
|
|
# auth_port = 35357
|
|
# auth_protocol = http
|
|
# auth_uri = http://keystonehost:5000/
|
|
# admin_tenant_name = service
|
|
# admin_user = swift
|
|
# admin_password = password
|
|
# delay_auth_decision = 1
|
|
#
|
|
# [filter:keystoneauth]
|
|
# use = egg:swift#keystoneauth
|
|
# Operator roles is the role which user would be allowed to manage a
|
|
# tenant and be able to create container or give ACL to others.
|
|
# operator_roles = admin, swiftoperator
|
|
|
|
[filter:healthcheck]
|
|
use = egg:swift#healthcheck
|
|
# An optional filesystem path, which if present, will cause the healthcheck
|
|
# URL to return "503 Service Unavailable" with a body of "DISABLED BY FILE".
|
|
# This facility may be used to temporarily remove a Swift node from a load
|
|
# balancer pool during maintenance or upgrade (remove the file to allow the
|
|
# node back into the load balancer pool).
|
|
# disable_path =
|
|
|
|
[filter:cache]
|
|
use = egg:swift#memcache
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = cache
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# If not set here, the value for memcache_servers will be read from
|
|
# memcache.conf (see memcache.conf-sample) or lacking that file, it will
|
|
# default to the value below. You can specify multiple servers separated with
|
|
# commas, as in: 10.1.2.3:11211,10.1.2.4:11211
|
|
# memcache_servers = 127.0.0.1:11211
|
|
#
|
|
# Sets how memcache values are serialized and deserialized:
|
|
# 0 = older, insecure pickle serialization
|
|
# 1 = json serialization but pickles can still be read (still insecure)
|
|
# 2 = json serialization only (secure and the default)
|
|
# If not set here, the value for memcache_serialization_support will be read
|
|
# from /etc/swift/memcache.conf (see memcache.conf-sample).
|
|
# To avoid an instant full cache flush, existing installations should
|
|
# upgrade with 0, then set to 1 and reload, then after some time (24 hours)
|
|
# set to 2 and reload.
|
|
# In the future, the ability to use pickle serialization will be removed.
|
|
# memcache_serialization_support = 2
|
|
|
|
[filter:ratelimit]
|
|
use = egg:swift#ratelimit
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = ratelimit
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# clock_accuracy should represent how accurate the proxy servers' system clocks
|
|
# are with each other. 1000 means that all the proxies' clock are accurate to
|
|
# each other within 1 millisecond. No ratelimit should be higher than the
|
|
# clock accuracy.
|
|
# clock_accuracy = 1000
|
|
# max_sleep_time_seconds = 60
|
|
# log_sleep_time_seconds of 0 means disabled
|
|
# log_sleep_time_seconds = 0
|
|
# allows for slow rates (e.g. running up to 5 sec's behind) to catch up.
|
|
# rate_buffer_seconds = 5
|
|
# account_ratelimit of 0 means disabled
|
|
# account_ratelimit = 0
|
|
|
|
# these are comma separated lists of account names
|
|
# account_whitelist = a,b
|
|
# account_blacklist = c,d
|
|
|
|
# with container_limit_x = r
|
|
# for containers of size x limit requests per second to r. The container
|
|
# rate will be linearly interpolated from the values given. With the values
|
|
# below, a container of size 5 will get a rate of 75.
|
|
# container_ratelimit_0 = 100
|
|
# container_ratelimit_10 = 50
|
|
# container_ratelimit_50 = 20
|
|
|
|
[filter:domain_remap]
|
|
use = egg:swift#domain_remap
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = domain_remap
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# storage_domain = example.com
|
|
# path_root = v1
|
|
# reseller_prefixes = AUTH
|
|
|
|
[filter:catch_errors]
|
|
use = egg:swift#catch_errors
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = catch_errors
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
|
|
[filter:cname_lookup]
|
|
# Note: this middleware requires python-dnspython
|
|
use = egg:swift#cname_lookup
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = cname_lookup
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# storage_domain = example.com
|
|
# lookup_depth = 1
|
|
|
|
# Note: Put staticweb just after your auth filter(s) in the pipeline
|
|
[filter:staticweb]
|
|
use = egg:swift#staticweb
|
|
# Seconds to cache container x-container-meta-web-* header values.
|
|
# cache_timeout = 300
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = staticweb
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_address = /dev/log
|
|
# set access_log_name = staticweb
|
|
# set access_log_facility = LOG_LOCAL0
|
|
# set access_log_level = INFO
|
|
# set log_headers = False
|
|
|
|
# Note: Put tempurl just before your auth filter(s) in the pipeline
|
|
[filter:tempurl]
|
|
use = egg:swift#tempurl
|
|
#
|
|
# The headers to remove from incoming requests. Simply a whitespace delimited
|
|
# list of header names and names can optionally end with '*' to indicate a
|
|
# prefix match. incoming_allow_headers is a list of exceptions to these
|
|
# removals.
|
|
# incoming_remove_headers = x-timestamp
|
|
#
|
|
# The headers allowed as exceptions to incoming_remove_headers. Simply a
|
|
# whitespace delimited list of header names and names can optionally end with
|
|
# '*' to indicate a prefix match.
|
|
# incoming_allow_headers =
|
|
#
|
|
# The headers to remove from outgoing responses. Simply a whitespace delimited
|
|
# list of header names and names can optionally end with '*' to indicate a
|
|
# prefix match. outgoing_allow_headers is a list of exceptions to these
|
|
# removals.
|
|
# outgoing_remove_headers = x-object-meta-*
|
|
#
|
|
# The headers allowed as exceptions to outgoing_remove_headers. Simply a
|
|
# whitespace delimited list of header names and names can optionally end with
|
|
# '*' to indicate a prefix match.
|
|
# outgoing_allow_headers = x-object-meta-public-*
|
|
|
|
# Note: Put formpost just before your auth filter(s) in the pipeline
|
|
[filter:formpost]
|
|
use = egg:swift#formpost
|
|
|
|
# Note: Just needs to be placed before the proxy-server in the pipeline.
|
|
[filter:name_check]
|
|
use = egg:swift#name_check
|
|
# forbidden_chars = '"`<>
|
|
# maximum_length = 255
|
|
# forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$
|
|
|
|
[filter:proxy-logging]
|
|
use = egg:swift#proxy_logging
|
|
# If not set, logging directives from [DEFAULT] without "access_" will be used
|
|
# access_log_name = swift
|
|
# access_log_facility = LOG_LOCAL0
|
|
# access_log_level = INFO
|
|
# access_log_address = /dev/log
|
|
# If set, access_log_udp_host will override access_log_address
|
|
# access_log_udp_host =
|
|
# access_log_udp_port = 514
|
|
# You can use log_statsd_* from [DEFAULT] or override them here:
|
|
# access_log_statsd_host = localhost
|
|
# access_log_statsd_port = 8125
|
|
# access_log_statsd_default_sample_rate = 1
|
|
# access_log_statsd_metric_prefix =
|
|
# access_log_headers = False
|
|
# What HTTP methods are allowed for StatsD logging (comma-sep); request methods
|
|
# not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
|
|
# log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY,OPTIONS
|
|
|
|
# Note: Put before both ratelimit and auth in the pipeline.
|
|
[filter:bulk]
|
|
use = egg:swift#bulk
|
|
# max_containers_per_extraction = 10000
|
|
# max_failed_files = 1000
|
|
# max_deletes_per_request = 1000
|
|
|
|
# Note: Put after auth in the pipeline.
|
|
[filter:container-quotas]
|
|
use = egg:swift#container_quotas
|