5582f166c2
This patch introduces a new user format to tempauth which starts with "user64_" and in which the account and user are base64 encoded (sans padding equal signs): user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url] This allows unambiguous parsing and adds the ability to have a user or account name containing underscores. The handling of tempauth configuration is fully backward compatible and this only adds new, optional functionality. Also beefed up unit tests to get full coverage of the user parsing code in tempauth's __init__(). Change-Id: Id06304934ab8055a28921f2e1aa3c58a2036d8f8
328 lines
13 KiB
Plaintext
328 lines
13 KiB
Plaintext
[DEFAULT]
|
|
# bind_ip = 0.0.0.0
|
|
# bind_port = 80
|
|
# backlog = 4096
|
|
# swift_dir = /etc/swift
|
|
# workers = 1
|
|
# user = swift
|
|
# Set the following two lines to enable SSL. This is for testing only.
|
|
# cert_file = /etc/swift/proxy.crt
|
|
# key_file = /etc/swift/proxy.key
|
|
# expiring_objects_container_divisor = 86400
|
|
# You can specify default log routing here if you want:
|
|
# log_name = swift
|
|
# log_facility = LOG_LOCAL0
|
|
# log_level = INFO
|
|
# log_headers = False
|
|
# log_address = /dev/log
|
|
# If set, log_udp_host will override log_address
|
|
# log_udp_host =
|
|
# log_udp_port = 514
|
|
# You can enable StatsD logging here:
|
|
# log_statsd_host = localhost
|
|
# log_statsd_port = 8125
|
|
# log_statsd_default_sample_rate = 1
|
|
# log_statsd_metric_prefix =
|
|
|
|
[pipeline:main]
|
|
pipeline = catch_errors healthcheck cache ratelimit tempauth proxy-logging proxy-server
|
|
|
|
[app:proxy-server]
|
|
use = egg:swift#proxy
|
|
# You can override the default log routing for this app here:
|
|
# set log_name = proxy-server
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_address = /dev/log
|
|
# log_handoffs = True
|
|
# recheck_account_existence = 60
|
|
# recheck_container_existence = 60
|
|
# object_chunk_size = 8192
|
|
# client_chunk_size = 8192
|
|
# node_timeout = 10
|
|
# client_timeout = 60
|
|
# conn_timeout = 0.5
|
|
# How long without an error before a node's error count is reset. This will
|
|
# also be how long before a node is reenabled after suppression is triggered.
|
|
# error_suppression_interval = 60
|
|
# How many errors can accumulate before a node is temporarily ignored.
|
|
# error_suppression_limit = 10
|
|
# If set to 'true' any authorized user may create and delete accounts; if
|
|
# 'false' no one, even authorized, can.
|
|
# allow_account_management = false
|
|
# Set object_post_as_copy = false to turn on fast posts where only the metadata
|
|
# changes are stored anew and the original data file is kept in place. This
|
|
# makes for quicker posts; but since the container metadata isn't updated in
|
|
# this mode, features like container sync won't be able to sync posts.
|
|
# object_post_as_copy = true
|
|
# If set to 'true' authorized accounts that do not yet exist within the Swift
|
|
# cluster will be automatically created.
|
|
# account_autocreate = false
|
|
# If set to a positive value, trying to create a container when the account
|
|
# already has at least this maximum containers will result in a 403 Forbidden.
|
|
# Note: This is a soft limit, meaning a user might exceed the cap for
|
|
# recheck_account_existence before the 403s kick in.
|
|
# max_containers_per_account = 0
|
|
# This is a comma separated list of account hashes that ignore the
|
|
# max_containers_per_account cap.
|
|
# max_containers_whitelist =
|
|
# Comma separated list of Host headers to which the proxy will deny requests.
|
|
# deny_host_headers =
|
|
# Prefix used when automatically creating accounts.
|
|
# auto_create_account_prefix = .
|
|
# Depth of the proxy put queue.
|
|
# put_queue_depth = 10
|
|
# Start rate-limiting object segment serving after the Nth segment of a
|
|
# segmented object.
|
|
# rate_limit_after_segment = 10
|
|
# Once segment rate-limiting kicks in for an object, limit segments served
|
|
# to N per second.
|
|
# rate_limit_segments_per_sec = 1
|
|
|
|
[filter:tempauth]
|
|
use = egg:swift#tempauth
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = tempauth
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# The reseller prefix will verify a token begins with this prefix before even
|
|
# attempting to validate it. Also, with authorization, only Swift storage
|
|
# accounts with this prefix will be authorized by this middleware. Useful if
|
|
# multiple auth systems are in use for one Swift cluster.
|
|
# reseller_prefix = AUTH
|
|
# The auth prefix will cause requests beginning with this prefix to be routed
|
|
# to the auth subsystem, for granting tokens, etc.
|
|
# auth_prefix = /auth/
|
|
# token_life = 86400
|
|
# This is a comma separated list of hosts allowed to send X-Container-Sync-Key
|
|
# requests.
|
|
# allowed_sync_hosts = 127.0.0.1
|
|
# This allows middleware higher in the WSGI pipeline to override auth
|
|
# processing, useful for middleware such as tempurl and formpost. If you know
|
|
# you're not going to use such middleware and you want a bit of extra security,
|
|
# you can set this to false.
|
|
# allow_overrides = true
|
|
# Lastly, you need to list all the accounts/users you want here. The format is:
|
|
# user_<account>_<user> = <key> [group] [group] [...] [storage_url]
|
|
# or if you want underscores in <account> or <user>, you can base64 encode them
|
|
# (with no equal signs) and use this format:
|
|
# user64_<account_b64>_<user_b64> = <key> [group] [group] [...] [storage_url]
|
|
# There are special groups of:
|
|
# .reseller_admin = can do anything to any account for this auth
|
|
# .admin = can do anything within the account
|
|
# If neither of these groups are specified, the user can only access containers
|
|
# that have been explicitly allowed for them by a .admin or .reseller_admin.
|
|
# The trailing optional storage_url allows you to specify an alternate url to
|
|
# hand back to the user upon authentication. If not specified, this defaults to
|
|
# http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https
|
|
# depends on whether cert_file is specified in the [DEFAULT] section, <ip> and
|
|
# <port> are based on the [DEFAULT] section's bind_ip and bind_port (falling
|
|
# back to 127.0.0.1 and 8080), <reseller_prefix> is from this section, and
|
|
# <account> is from the user_<account>_<user> name.
|
|
# Here are example entries, required for running the tests:
|
|
user_admin_admin = admin .admin .reseller_admin
|
|
user_test_tester = testing .admin
|
|
user_test2_tester2 = testing2 .admin
|
|
user_test_tester3 = testing3
|
|
|
|
# To enable Keystone authentication you need to have the auth token
|
|
# middleware first to be configured. Here is an example below, please
|
|
# refer to the keystone's documentation for details about the
|
|
# different settings.
|
|
#
|
|
# You'll need to have as well the keystoneauth middleware enabled
|
|
# and have it in your main pipeline so instead of having tempauth in
|
|
# there you can change it to: authtoken keystone
|
|
#
|
|
# [filter:authtoken]
|
|
# paste.filter_factory = keystone.middleware.auth_token:filter_factory
|
|
# auth_host = keystonehost
|
|
# auth_port = 35357
|
|
# auth_protocol = http
|
|
# auth_uri = http://keystonehost:5000/
|
|
# admin_tenant_name = service
|
|
# admin_user = swift
|
|
# admin_password = password
|
|
# delay_auth_decision = 1
|
|
#
|
|
# [filter:keystoneauth]
|
|
# use = egg:swift#keystoneauth
|
|
# Operator roles is the role which user would be allowed to manage a
|
|
# tenant and be able to create container or give ACL to others.
|
|
# operator_roles = admin, swiftoperator
|
|
|
|
[filter:healthcheck]
|
|
use = egg:swift#healthcheck
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = healthcheck
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
|
|
[filter:cache]
|
|
use = egg:swift#memcache
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = cache
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# If not set here, the value for memcache_servers will be read from
|
|
# memcache.conf (see memcache.conf-sample) or lacking that file, it will
|
|
# default to the value below. You can specify multiple servers separated with
|
|
# commas, as in: 10.1.2.3:11211,10.1.2.4:11211
|
|
# memcache_servers = 127.0.0.1:11211
|
|
#
|
|
# Sets how memcache values are serialized and deserialized:
|
|
# 0 = older, insecure pickle serialization
|
|
# 1 = json serialization but pickles can still be read (still insecure)
|
|
# 2 = json serialization only (secure and the default)
|
|
# If not set here, the value for memcache_serialization_support will be read
|
|
# from /etc/swift/memcache.conf (see memcache.conf-sample).
|
|
# To avoid an instant full cache flush, existing installations should
|
|
# upgrade with 0, then set to 1 and reload, then after some time (24 hours)
|
|
# set to 2 and reload.
|
|
# In the future, the ability to use pickle serialization will be removed.
|
|
# memcache_serialization_support = 2
|
|
|
|
[filter:ratelimit]
|
|
use = egg:swift#ratelimit
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = ratelimit
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# clock_accuracy should represent how accurate the proxy servers' system clocks
|
|
# are with each other. 1000 means that all the proxies' clock are accurate to
|
|
# each other within 1 millisecond. No ratelimit should be higher than the
|
|
# clock accuracy.
|
|
# clock_accuracy = 1000
|
|
# max_sleep_time_seconds = 60
|
|
# log_sleep_time_seconds of 0 means disabled
|
|
# log_sleep_time_seconds = 0
|
|
# allows for slow rates (e.g. running up to 5 sec's behind) to catch up.
|
|
# rate_buffer_seconds = 5
|
|
# account_ratelimit of 0 means disabled
|
|
# account_ratelimit = 0
|
|
|
|
# these are comma separated lists of account names
|
|
# account_whitelist = a,b
|
|
# account_blacklist = c,d
|
|
|
|
# with container_limit_x = r
|
|
# for containers of size x limit requests per second to r. The container
|
|
# rate will be linearly interpolated from the values given. With the values
|
|
# below, a container of size 5 will get a rate of 75.
|
|
# container_ratelimit_0 = 100
|
|
# container_ratelimit_10 = 50
|
|
# container_ratelimit_50 = 20
|
|
|
|
[filter:domain_remap]
|
|
use = egg:swift#domain_remap
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = domain_remap
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# storage_domain = example.com
|
|
# path_root = v1
|
|
# reseller_prefixes = AUTH
|
|
|
|
[filter:catch_errors]
|
|
use = egg:swift#catch_errors
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = catch_errors
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
|
|
[filter:cname_lookup]
|
|
# Note: this middleware requires python-dnspython
|
|
use = egg:swift#cname_lookup
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = cname_lookup
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_headers = False
|
|
# set log_address = /dev/log
|
|
# storage_domain = example.com
|
|
# lookup_depth = 1
|
|
|
|
# Note: Put staticweb just after your auth filter(s) in the pipeline
|
|
[filter:staticweb]
|
|
use = egg:swift#staticweb
|
|
# Seconds to cache container x-container-meta-web-* header values.
|
|
# cache_timeout = 300
|
|
# You can override the default log routing for this filter here:
|
|
# set log_name = staticweb
|
|
# set log_facility = LOG_LOCAL0
|
|
# set log_level = INFO
|
|
# set log_address = /dev/log
|
|
# set access_log_name = staticweb
|
|
# set access_log_facility = LOG_LOCAL0
|
|
# set access_log_level = INFO
|
|
# set log_headers = False
|
|
|
|
# Note: Put tempurl just before your auth filter(s) in the pipeline
|
|
[filter:tempurl]
|
|
use = egg:swift#tempurl
|
|
#
|
|
# The headers to remove from incoming requests. Simply a whitespace delimited
|
|
# list of header names and names can optionally end with '*' to indicate a
|
|
# prefix match. incoming_allow_headers is a list of exceptions to these
|
|
# removals.
|
|
# incoming_remove_headers = x-timestamp
|
|
#
|
|
# The headers allowed as exceptions to incoming_remove_headers. Simply a
|
|
# whitespace delimited list of header names and names can optionally end with
|
|
# '*' to indicate a prefix match.
|
|
# incoming_allow_headers =
|
|
#
|
|
# The headers to remove from outgoing responses. Simply a whitespace delimited
|
|
# list of header names and names can optionally end with '*' to indicate a
|
|
# prefix match. outgoing_allow_headers is a list of exceptions to these
|
|
# removals.
|
|
# outgoing_remove_headers = x-object-meta-*
|
|
#
|
|
# The headers allowed as exceptions to outgoing_remove_headers. Simply a
|
|
# whitespace delimited list of header names and names can optionally end with
|
|
# '*' to indicate a prefix match.
|
|
# outgoing_allow_headers = x-object-meta-public-*
|
|
|
|
# Note: Put formpost just before your auth filter(s) in the pipeline
|
|
[filter:formpost]
|
|
use = egg:swift#formpost
|
|
|
|
# Note: Just needs to be placed before the proxy-server in the pipeline.
|
|
[filter:name_check]
|
|
use = egg:swift#name_check
|
|
# forbidden_chars = '"`<>
|
|
# maximum_length = 255
|
|
# forbidden_regexp = /\./|/\.\./|/\.$|/\.\.$
|
|
|
|
[filter:proxy-logging]
|
|
use = egg:swift#proxy_logging
|
|
# If not set, logging directives from [DEFAULT] without "access_" will be # used
|
|
# access_log_name = swift
|
|
# access_log_facility = LOG_LOCAL0
|
|
# access_log_level = INFO
|
|
# access_log_address = /dev/log
|
|
# If set, access_log_udp_host will override access_log_address
|
|
# access_log_udp_host =
|
|
# access_log_udp_port = 514
|
|
# You can use log_statsd_* from [DEFAULT] or override them here:
|
|
# access_log_statsd_host = localhost
|
|
# access_log_statsd_port = 8125
|
|
# access_log_statsd_default_sample_rate = 1
|
|
# access_log_statsd_metric_prefix =
|
|
# access_log_headers = False
|
|
# What HTTP methods are allowed for StatsD logging (comma-sep); request methods
|
|
# not in this list will have "BAD_METHOD" for the <verb> portion of the metric.
|
|
# log_statsd_valid_http_methods = GET,HEAD,POST,PUT,DELETE,COPY
|