# PFSAgent OpenStack Swift Authorization PlugIn

To provide a workable solution for those following standard Swift Authentication,
this plug-in instance may be employed. Otherwise, consider this implementation a
template for the desired instantiation of whatever Authentication mechanism is
employed.

For the standard Swift Authentication instantiation, the value of the ENV
variable specified by [Agent]PlugInEnvName (optionally set to the value of
[Agent]PlugInEnvValue by PFSAgent) is required to be a UTF-8 encoded JSON Document:

```
{
    "AuthURL"  : "<e.g. https://<domain-name>/auth/v1.0>",
    "AuthUser" : "<e.g. test:tester>",
    "AuthKey"  : "<e.g. testing>",
    "Account"  : "<e.g. AUTH_test>"
}
```

There are three modifications to the Storage URL normally returned by a
standard Swift Authentication operation:

* The `scheme` used to authenticate may be either `http` or `https`. In the
  case of `https`, it is likely that some form of TLS termination <b>prior</b>
  to reaching the Swift Proxy has rewritten the `scheme` to be `http`. In such
  a case, the Storage URL returned will specify `http` as its scheme. Since
  the client must continue to use `https` to reach the Swift Proxy for each
  authenticated subsequent request, the plug-in will rewrite the scheme to
  be `https`. Note that this is an incomplete solution in cases where standard
  port numbers (i.e. `80` for `http` and `443` for `https`) are not assumed
  (i.e. port numbers are specified in the URL).

* The path portion of the Storage URL returned by the Swift Proxy will start
  with `v1` to indicate the version of the OpenStack Swift protocol being used.
  No `v2` has ever been defined, so this is a constant in normal requests.
  To indicate that the client, in the case of GETs and PUTs, has specified the
  `physical` path (i.e. to LogSegments of a FileInode) rather than the
  `virtual` path (i.e. the full path of the file in the file system), this
  protocol version will be changed to `proxyfs`. This updated protocol version
  will also be used with the `PROXYFS` method used to pass a `mount` request,
  via JSON RPC, over to the ProxyFS process serving the volume to be mounted.

* The final element of the path portion of the Storage URL returned by the
  Swift Proxy will typically be the Account associated with the specified
  AuthUser (e.g. AuthUser `test` typically has a corresponding Account named
  `AUTH_test`). The volume being accessed may, however, be stored in a different
  Account than this. As such, the account element of the path will be replaced
  with the `Account` as requested.
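
The three rewrites above, sketched in Go as an added example (not the plug-in's own code). The function name `rewriteStorageURL` and the sample hostnames are hypothetical; the sketch assumes the returned path starts with `v1` and ends with the account element, and rejects anything else rather than guessing.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// rewriteStorageURL (hypothetical helper) applies the three Storage URL
// modifications described in this README.
func rewriteStorageURL(authURL, storageURL, account string) (string, error) {
	au, err := url.Parse(authURL)
	if err != nil {
		return "", fmt.Errorf("parse AuthURL: %w", err)
	}
	su, err := url.Parse(storageURL)
	if err != nil {
		return "", fmt.Errorf("parse Storage URL: %w", err)
	}
	// 1. TLS was terminated ahead of the Swift Proxy: restore https.
	//    Host and any explicit port are left as returned, which is the
	//    "incomplete solution" case the README calls out.
	if au.Scheme == "https" && su.Scheme == "http" {
		su.Scheme = "https"
	}
	parts := strings.Split(strings.Trim(su.Path, "/"), "/")
	if len(parts) < 2 || parts[0] != "v1" || parts[len(parts)-1] == "" {
		return "", fmt.Errorf("unexpected Storage URL path %q", su.Path)
	}
	// The Account comes from configuration; refuse values that would add
	// path segments, a query or a fragment to the rewritten URL.
	if account == "" || strings.ContainsAny(account, "/?#") {
		return "", fmt.Errorf("invalid Account %q", account)
	}
	parts[0] = "proxyfs"          // 2. protocol version v1 -> proxyfs
	parts[len(parts)-1] = account // 3. account element -> requested Account
	su.Path = "/" + strings.Join(parts, "/")
	return su.String(), nil
}

func main() {
	// Constructed sample values, not taken from a real deployment.
	out, err := rewriteStorageURL("https://swift.example.com/auth/v1.0",
		"http://swift.example.com/v1/AUTH_test", "AUTH_volumes")
	fmt.Println(out, err)
}
```

With an explicit port in the returned Storage URL (for example `:8080`), the result keeps that port under the `https` scheme, so such deployments need the port corrected separately.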