<div dir="ltr">Hi, <br><br>Starting from 1.9, Swift has get_info() support allowing middleware to get container and/or account information maintained by Swift.<br>Middleware can use get_info() on a container to retrieve the container metadata. <br>
In a similar way, middleware can use get_inf() on an account to retrieve the account metadata.<br><br>The ability to retrieve container and account metadata by middleware opens up an option to write Swift Auth systems without the use of the Swift Delay Denial mechanism. For example, when a request comes in ( during '__call__()' ), the Auth middleware can perform get_info on the container and/or account and decide whether to authorize or reject the client request upfront and before the request ever reaching Swift. In such a case, if the Auth middleware decides to allow the request to be processed by Swift, it may avoid adding a swift.authorize callback and thus disabling the use of the Swift delay_denial mechanism. <br>
<br>Qs:<br>1. Should we document this approach as another way to do auth in Swift (currently this option is not well documented)<br> See <a href="http://docs.openstack.org/developer/swift/development_auth.html">http://docs.openstack.org/developer/swift/development_auth.html</a>:<br>
"Authorization is performed through callbacks by the Swift Proxy server to the
WSGI environment’s swift.authorize value, if one is set." followed by an example how that is done. Should we add description for this alternative option of using get_info() during __call__()?<br><br>2. What are the pros and cons of each of the two options? <br>
What benefit do we see in an AUTH system using delay_denial over deciding on the authorization upfront? <br> Should we continue use delay_denial in keystone_auth, swauth? <br><br>DH<br> </div>