[openstack-dev] [Swift] Swift Auth systems and Delay Denial

David Hadas david.hadas at gmail.com
Tue Jul 23 08:49:23 UTC 2013


Hi,

Starting from 1.9, Swift has get_info() support allowing middleware to get
container and/or account information maintained by Swift.
Middleware can use get_info() on a container to retrieve the container
metadata.
In a similar way, middleware can use get_info() on an account to retrieve
the account metadata.

The ability to retrieve container and account metadata by middleware opens
up an option to write Swift Auth systems without the use of the Swift Delay
Denial mechanism. For example, when a request comes in (during
'__call__()'), the Auth middleware can perform get_info on the container
and/or account and decide whether to authorize or reject the client request
upfront and before the request ever reaches Swift. In such a case, if the
Auth middleware decides to allow the request to be processed by Swift, it
may avoid adding a swift.authorize callback, thus disabling the use of
the Swift delay_denial mechanism.

Qs:
1. Should we document this approach as another way to do auth in Swift
(currently this option is not well documented)?
     See http://docs.openstack.org/developer/swift/development_auth.html:
      "Authorization is performed through callbacks by the Swift Proxy
server to the WSGI environment’s swift.authorize value, if one is set."
followed by an example of how that is done. Should we add a description for this
alternative option of using get_info() during __call__()?

2. What are the pros and cons of each of the two options?
     What benefit do we see in an AUTH system using delay_denial over
deciding on the authorization upfront?
     Should we continue to use delay_denial in keystone_auth, swauth?

DH
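
Added example, not part of the original post and not Swift's own code: a WSGI middleware that makes the authorization decision during `__call__()` from container metadata and never adds a `swift.authorize` callback. The `lookup` callable is a hypothetical stand-in for get_info(), the comma-separated user-name ACL format is a simplification, and the caller identity is assumed to arrive in `REMOTE_USER`.

```python
# Added example: authorization decided in __call__(); no swift.authorize callback.
# `lookup` is a hypothetical stand-in for Swift's get_info(); treating an ACL as
# a comma-separated list of user names is a simplifying assumption.
READ_METHODS = {"GET", "HEAD"}

class UpfrontAuth(object):
    def __init__(self, app, lookup):
        self.app = app
        self.lookup = lookup

    def __call__(self, env, start_response):
        # Expected path: /v1/<account>/<container>[/<object>]
        parts = env.get("PATH_INFO", "").lstrip("/").split("/", 3)
        if len(parts) < 3 or not parts[2]:
            return self._deny(start_response)  # account-level requests: denied here
        info = self.lookup(env, parts[1], parts[2])
        key = "read_acl" if env.get("REQUEST_METHOD") in READ_METHODS else "write_acl"
        allowed = {u.strip() for u in (info.get(key) or "").split(",") if u.strip()}
        user = env.get("REMOTE_USER")  # assumed set by an earlier authentication step
        if not user or user not in allowed:
            return self._deny(start_response)  # missing metadata or ACL fails closed
        # Allowed: pass the request on without adding env['swift.authorize'].
        return self.app(env, start_response)

    def _deny(self, start_response):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Forbidden\n"]

# Constructed sample metadata, keyed by (account, container).
SAMPLE_INFO = {("AUTH_test", "photos"):
               {"status": 200, "read_acl": "alice,bob", "write_acl": "alice"}}

def sample_lookup(env, account, container):
    return SAMPLE_INFO.get((account, container), {"status": 404})

def backend(env, start_response):  # stands in for the rest of the pipeline
    start_response("200 OK", [])
    return [b"served\n"]

def call(method, path, user=None):
    """Run one constructed request; return (status, swift.authorize present?)."""
    env = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if user:
        env["REMOTE_USER"] = user
    seen = []
    UpfrontAuth(backend, sample_lookup)(env, lambda status, headers: seen.append(status))
    return seen[0], "swift.authorize" in env
```

Because the decision is taken before the proxy runs, a container whose metadata cannot be retrieved is denied rather than deferred, which is the behavioural difference from the callback-based flow to weigh when comparing the two options.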