[Openstack-operators] Reverse Proxy Authentication

Prasad Dharmasena pkd at Glue.umd.edu
Wed Feb 29 21:43:24 UTC 2012


I'm very new to OpenStack.  I've searched a bit but I can't find the 
answers to some of the questions I have.  I hope someone can point 
me in the right direction.

Currently I'm only looking at Swift.  I've followed the SAIO 
instructions and got it working with tempauth.  I've also installed 
a test cluster of 1 proxy + 3 nodes and that works with swauth.  
(both tested with curl and cyberduck)

Next for the Prox+3-nodes setup, I would like to do Reverse Proxy 
Authentication as described in 
http://keystone.openstack.org/middleware_architecture.html with my 
own web server doing the authentication.  If I understand the 
document, if I include the following headers, OpenStack Service 
(swift) will not require an X-Auth-Token and I can get at the 
storage objects.

  X-Authorization: Proxy <username>
  X-Identity-Status: Confirmed

Outside  +------------+                      +--------------+
Request  | My Auth    | (above two headers)  | Swift        |
-------->| Web Server |--------------------->| Proxy Server |
         +------------+  (restricted by FW)  +--------------+


1) Since the authentication is done by the external Auth Component 
(My Auth Web Server; not a part of OpenStack) do I remove any/all 
tempauth and swauth components from the Swift Proxy Server?
Any pointers to a document on how to set that up?  (ie: an example 
proxy-server.conf ?)

2) If swauth isn't there in the Swift Proxy Server, how do I add new 
accounts/users ?  

3) w/o the authentication component in the Swift Proxy Server end, 
how do I query that box for the X-Storage-Url ?

(My thinking is that the account-server keeps track of accounts, 
users, containers and ACLs.  Is that a wrong assumption?)



Prasad Dharmasena     <http://glue.umd.edu/~pkd> 

More information about the Openstack-operators mailing list