pkd at Glue
Feb 29, 2012, 2:43 PM
Post #1 of 1
Reverse Proxy Authentication
I'm very new to OpenStack. I've searched a bit but I can't find the
answers to some of the questions I have. I hope someone can point
me in the right direction.
Currently I'm only looking at Swift. I've followed the SAIO
instructions and got it working with tempauth. I've also installed
a test cluster of 1 proxy + 3 nodes and that works with swauth.
(both tested with curl and cyberduck)
Next for the Prox+3-nodes setup, I would like to do Reverse Proxy
Authentication as described in
http://keystone.openstack.org/middleware_architecture.html with my
own web server doing the authentication. If I understand the
document, if I include the following headers, OpenStack Service
(swift) will not require an X-Auth-Token and I can get at the
X-Authorization: Proxy <username>
Outside +------------+ +--------------+
Request | My Auth | (above two headers) | Swift |
-------->| Web Server |--------------------->| Proxy Server |
+------------+ (restricted by FW) +--------------+
1) Since the authentication is done by the external Auth Component
(My Auth Web Server; not a part of OpenStack) do I remove any/all
tempauth and swauth components from the Swift Proxy Server?
Any pointers to a document on how to set that up? (ie: an example
2) If swauth isn't there in the Swift Proxy Server, how do I add new
3) w/o the authentication component in the Swift Proxy Server end,
how do I query that box for the X-Storage-Url ?
(My thinking is that the account-server keeps track of accounts,
users, containers and ACLs. Is that a wrong assumption?)
Prasad Dharmasena <http://glue.umd.edu/~pkd>