swauth.middleware

class swauth.middleware.Swauth(app, conf)[source]

Bases: object

Scalable authentication and authorization system that uses Swift as its backing store.

Parameters:
  • app – The next WSGI app in the pipeline
  • conf – The dict of configuration values
authorize(req)[source]

Returns None if the request is authorized to continue or a standard WSGI response callable if not.

credentials_match(user_detail, key)[source]

Returns True if the key is valid for the user_detail. Currently, this only supports plaintext key matching.

Parameters:
  • user_detail – The dict for the user.
  • key – The key to validate for the user.
Returns:

True if the key is valid for the user, False if not.

denied_response(req)[source]

Returns a standard WSGI response callable with the status of 403 or 401 depending on whether the REMOTE_USER is set or not.

get_admin_detail(req)[source]

Returns the dict for the user specified as the admin in the request with the addition of an account key set to the admin user’s account.

Parameters:
  • req – The webob request to retrieve X-Auth-Admin-User and X-Auth-Admin-Key from.
Returns:

The dict for the admin user with the addition of the account key.

get_conn(urlparsed=None)[source]

Returns an HTTPConnection based on the urlparse result given or the default Swift cluster (internal url) urlparse result.

Parameters:
  • urlparsed – The result from urlparse.urlparse or None to use the default Swift cluster’s value
get_groups(env, token)[source]

Get groups for the given token.

Parameters:
  • env – The current WSGI environment dictionary.
  • token – Token to validate and return a group string for.
Returns:

None if the token is invalid or a string containing a comma separated list of groups the authenticated user is a member of. The first group in the list is also considered a unique identifier for that user.

get_itoken(env)[source]

Returns the current internal token to use for the auth system’s own actions with other services. Each process will create its own itoken and the token will be deleted and recreated based on the token_life configuration value. The itoken information is stored in memcache because the auth process that is asked by Swift to validate the token may not be the same as the auth process that created the token.

handle(env, start_response)[source]

WSGI entry point for auth requests (ones that match the self.auth_prefix). Wraps env in webob.Request object and passes it down.

Parameters:
  • env – WSGI environment dictionary
  • start_response – WSGI callable
handle_delete_account(req)[source]

Handles the DELETE v2/<account> call for removing an account from the auth system. Can only be called by a .reseller_admin.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success.

handle_delete_user(req)[source]

Handles the DELETE v2/<account>/<user> call for deleting a user from an account.

Can only be called by an account .admin.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success.

handle_get_account(req)[source]

Handles the GET v2/<account> call for getting account information. Can only be called by an account .admin.

On success, a JSON dictionary will be returned containing the keys account_id, services, and users. The account_id is the value used when creating service accounts. The services value is a dict as described in the handle_get_token() call. The users value is a list of dicts, each dict representing a user and currently only containing the single key name. For example:

{"account_id": "AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162",
 "services": {"storage": {"default": "local",
              "local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}},
 "users": [{"name": "tester"}, {"name": "tester3"}]}
Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success with a JSON dictionary as explained above.

handle_get_reseller(req)[source]

Handles the GET v2 call for getting general reseller information (currently just a list of accounts). Can only be called by a .reseller_admin.

On success, a JSON dictionary will be returned with a single accounts key whose value is list of dicts. Each dict represents an account and currently only contains the single key name. For example:

{"accounts": [{"name": "reseller"}, {"name": "test"},
              {"name": "test2"}]}
Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success with a JSON dictionary as explained above.

handle_get_token(req)[source]

Handles the various request for token and service end point(s) calls. There are various formats to support the various auth servers in the past. Examples:

GET <auth-prefix>/v1/<act>/auth
    X-Auth-User: <act>:<usr>  or  X-Storage-User: <usr>
    X-Auth-Key: <key>         or  X-Storage-Pass: <key>
GET <auth-prefix>/auth
    X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
    X-Auth-Key: <key>         or  X-Storage-Pass: <key>
GET <auth-prefix>/v1.0
    X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
    X-Auth-Key: <key>         or  X-Storage-Pass: <key>

Values should be url encoded, “act%3Ausr” instead of “act:usr” for example; however, for backwards compatibility the colon may be included unencoded.

On successful authentication, the response will have X-Auth-Token and X-Storage-Token set to the token to use with Swift and X-Storage-URL set to the URL to the default Swift cluster to use.

The response body will be set to the account’s services JSON object as described here:

{"storage": {     # Represents the Swift storage service end points
    "default": "cluster1", # Indicates which cluster is the default
    "cluster1": "<URL to use with Swift>",
        # A Swift cluster that can be used with this account,
        # "cluster1" is the name of the cluster which is usually a
        # location indicator (like "dfw" for a datacenter region).
    "cluster2": "<URL to use with Swift>"
        # Another Swift cluster that can be used with this account,
        # there will always be at least one Swift cluster to use or
        # this whole "storage" dict won't be included at all.
 },
 "servers": {       # Represents the Nova server service end points
    # Expected to be similar to the "storage" dict, but not
    # implemented yet.
 },
 # Possibly other service dicts, not implemented yet.
}
Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success with data set as explained above.

handle_get_user(req)[source]

Handles the GET v2/<account>/<user> call for getting user information. Can only be called by an account .admin.

On success, a JSON dict will be returned as described:

{"groups": [  # List of groups the user is a member of
    {"name": "<act>:<usr>"},
        # The first group is a unique user identifier
    {"name": "<account>"},
        # The second group is the auth account name
    {"name": "<additional-group>"}
        # There may be additional groups, .admin being a special
        # group indicating an account admin and .reseller_admin
        # indicating a reseller admin.
 ],
 "auth": "plaintext:<key>"
 # The auth-type and key for the user; currently only plaintext is
 # implemented.
}

For example:

{"groups": [{"name": "test:tester"}, {"name": "test"},
            {"name": ".admin"}],
 "auth": "plaintext:testing"}

If the <user> in the request is the special user .groups, the JSON dict will contain a single key of groups whose value is a list of dicts representing the active groups within the account. Each dict currently has the single key name. For example:

{"groups": [{"name": ".admin"}, {"name": "test"},
            {"name": "test:tester"}, {"name": "test:tester3"}]}
Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success with a JSON dictionary as explained above.

handle_prep(req)[source]

Handles the POST v2/.prep call for preparing the backing store Swift cluster for use with the auth subsystem. Can only be called by .super_admin.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 204 on success

handle_put_account(req)[source]

Handles the PUT v2/<account> call for adding an account to the auth system. Can only be called by a .reseller_admin.

By default, a newly created UUID4 will be used with the reseller prefix as the account id used when creating corresponding service accounts. However, you can provide an X-Account-Suffix header to replace the UUID4 part.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success.

handle_put_user(req)[source]

Handles the PUT v2/<account>/<user> call for adding a user to an account.

X-Auth-User-Key represents the user’s key (url encoded), X-Auth-User-Admin may be set to true to create an account .admin, and X-Auth-User-Reseller-Admin may be set to true to create a .reseller_admin.

Can only be called by an account .admin unless the user is to be a .reseller_admin, in which case the request must be by .super_admin.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success.

handle_request(req)[source]

Entry point for auth requests (ones that match the self.auth_prefix). Should return a WSGI-style callable (such as webob.Response).

Parameters:
  • req – webob.Request object
handle_set_services(req)[source]

Handles the POST v2/<account>/.services call for setting services information. Can only be called by a reseller .admin.

In the handle_get_account() (GET v2/<account>) call, a section of the returned JSON dict is services. This section looks something like this:

"services": {"storage": {"default": "local",
              "local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}}

Making use of this section is described in handle_get_token().

This function allows setting values within this section for the <account>, allowing the addition of new service end points or updating existing ones.

The body of the POST request should contain a JSON dict with the following format:

{"service_name": {"end_point_name": "end_point_value"}}

There can be multiple services and multiple end points in the same call.

Any new services or end points will be added to the existing set of services and end points. Any existing services with the same service name will be merged with the new end points. Any existing end points with the same end point name will have their values updated.

The updated services dictionary will be returned on success.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success with the udpated services JSON dict as described above

handle_validate_token(req)[source]

Handles the GET v2/.token/<token> call for validating a token, usually called by a service like Swift.

On a successful validation, X-Auth-TTL will be set for how much longer this token is valid and X-Auth-Groups will contain a comma separated list of groups the user belongs to.

The first group listed will be a unique identifier for the user the token represents.

.reseller_admin is a special group that indicates the user should be allowed to do anything on any account.

Parameters:
  • req – The webob.Request to process.
Returns:

webob.Response, 2xx on success with data set as explained above.

is_account_admin(req, account)[source]

Returns True if the admin specified in the request represents a .admin for the account specified.

Parameters:
  • req – The webob.Request to check.
  • account – The account to check for .admin against.
  • returns – True if .admin.
is_reseller_admin(req, admin_detail=None)[source]

Returns True if the admin specified in the request represents a .reseller_admin.

Parameters:
  • req – The webob.Request to check.
  • admin_detail – The previously retrieved dict from get_admin_detail() or None for this function to retrieve the admin_detail itself.
  • returns – True if .reseller_admin.
is_super_admin(req)[source]

Returns True if the admin specified in the request represents the .super_admin.

Parameters:
  • req – The webob.Request to check.
  • returns – True if .super_admin.
make_request(env, method, path, body=None, headers=None)[source]

Makes a new webob.Request based on the current env but with the parameters specified. Note that this request will be preauthorized.

Parameters:
  • env – Current WSGI environment dictionary
  • method – HTTP method of new request
  • path – HTTP path of new request
  • body – HTTP body of new request; None by default
  • headers – Extra HTTP headers of new request; None by default
Returns:

webob.Request object

posthooklogger(env, req)[source]
swauth.middleware.filter_factory(global_conf, **local_conf)[source]

Returns a WSGI filter app for use with paste.deploy.

swauth.middleware.get_remote_client(req)[source]

Previous topic

swauth

Next topic

Swauth API

This Page