Authentication Plug-In
Both ProxyFS itself and each PFSAgent client access Swift Accounts,
Containers, and Objects directly. PFSAgent, potentially residing
outside a Swift cluster's trust domain
, will use normal
OpenStack Swift methods for such access. This access must be authorized
by means of obtaining an AuthToken
. ProxyFS, if not configured
alongside a so-called NoAuth
Swift Proxy, will also need the same.
Even in Swift clusters have a NoAuth
Swift Proxy configured, ProxyFS
will, from time to time, validate PFSAgent client access by testing their
AuthToken locally as well.
While many Swift clusters implement authorization via Swift Proxy
pipeline filters that honor the OpenStack Swift convention, some clusters
may require alternate authorization mechanisms. To support any such
authorization solution, a Golang Plug-In mechanism is employed.
A standard OpenStack Swift Plug-In is provided (see subdirectory iauth-swift
)
that may either be used for clusters honoring the OpenStack Swift authorization
convention or as a template for development of any particular authorization
solution. The only requirements are that:
- The plug-in's location is provided this
iauth
package
- Credentials to be authorized are provided in a single string (possibly a JSON document)
- The plug-in returns both a Swift AuthToken and StorageURL (or an error)
- The StorageURL has been properly modified as necessary to ensure
- the proper transport (scheme) is used (i.e. either "http" or "https")
- the specified
Account
, if necessary, has been substituted
- the specified
Container
has been appended