openstack/swift
Code Issues Proposed changes
ca87827db9
swift/doc/source/misc.rst
gholt f60d05686f New container sync configuration option 
Summary of the new configuration option:

The cluster operators add the container_sync middleware to their
proxy pipeline and create a container-sync-realms.conf for their
cluster and copy this out to all their proxy and container servers.
This file specifies the available container sync "realms".

A container sync realm is a group of clusters with a shared key that
have agreed to provide container syncing to one another.

The end user can then set the X-Container-Sync-To value on a
container to //realm/cluster/account/container instead of the
previously required URL.

The allowed hosts list is not used with this configuration and
instead every container sync request sent is signed using the realm
key and user key.

This offers better security as source hosts can be faked much more
easily than faking per request signatures. Replaying signed requests,
assuming it could easily be done, shouldn't be an issue as the
X-Timestamp is part of the signature and so would just short-circuit
as already current or as superceded.

This also makes configuration easier for the end user, especially
with difficult networking situations where a different host might
need to be used for the container sync daemon since it's connecting
from within a cluster. With this new configuration option, the end
user just specifies the realm and cluster names and that is resolved
to the proper endpoint configured by the operator. If the operator
changes their configuration (key or endpoint), the end user does not
need to change theirs.

DocImpact

Change-Id: Ie1704990b66d0434e4991e26ed1da8b08cb05a37
2014-01-10 23:48:00 +00:00

4.1 KiB
Raw Blame History

Misc

Exceptions

swift.common.exceptions

Constraints

swift.common.constraints

Utils

swift.common.utils

TempAuth

swift.common.middleware.tempauth

KeystoneAuth

swift.common.middleware.keystoneauth

ACLs

swift.common.middleware.acl

WSGI

swift.common.wsgi

Direct Client

swift.common.direct_client

Internal Client

swift.common.internal_client

Buffered HTTP

swift.common.bufferedhttp

Healthcheck

swift.common.middleware.healthcheck

Recon

swift.common.middleware.recon

MemCacheD

swift.common.memcached

Manager

swift.common.manager

Ratelimit

swift.common.middleware.ratelimit

StaticWeb

swift.common.middleware.staticweb

TempURL

swift.common.middleware.tempurl

FormPost

swift.common.middleware.formpost

Domain Remap

swift.common.middleware.domain_remap

CNAME Lookup

swift.common.middleware.cname_lookup

Proxy Logging

swift.common.middleware.proxy_logging

Bulk Operations (Delete and Archive Auto Extraction)

swift.common.middleware.bulk

Container Quotas

swift.common.middleware.container_quotas

Account Quotas

swift.common.middleware.account_quotas

Static Large Objects

swift.common.middleware.slo

List Endpoints

swift.common.middleware.list_endpoints

Container Sync Realms

swift.common.container_sync_realms

Container Sync Middleware

swift.common.middleware.container_sync

Discoverability

Swift can optionally be configured to provide clients with an interface providing details about the installation. If configured, a GET request to /info will return configuration data in JSON format. An example response:

{"swift": {"version": "1.8.1"}, "staticweb": {}, "tempurl": {}}

This would signify to the client that swift version 1.8.1 is running and that staticweb and tempurl are available in this installation.

There may be administrator-only information available via /info. To retrieve it, one must use an HMAC-signed request, similar to TempURL. The signature may be produced like so:

swift-temp-url GET 3600 /info secret 2>/dev/null | sed s/temp_url/swiftinfo/g