OpenStack Swift Authorization PlugIn
To provide a workable solution for those following standard Swift Authentication,
this plug-in instance may be employed. Otherwise, consider this implementation a
template for the desired instantiation of whatever Authentication mechanism is
employed.
For the standard Swift Authentication instantiation, the value of authInJSON
is required to be a UTF-8 encoded JSON Document:
{
"AuthURL" : "<e.g. https://<domain-name>/auth/v1.0>",
"AuthUser" : "<e.g. test:tester>",
"AuthKey" : "<e.g. testing>",
"Account" : "<e.g. AUTH_test>",
"Container" : "<e.g. con>
}
There are three modifications to the Storage URL normally returned by a
standard Swift Authentication operation:
-
The scheme
used to authenticate may be either http
or https
. In the
case of https
, it is likely that some form of TLS termination prior
to reaching the Swift Proxy has rewritten the scheme
to be http
. In such
a case, the Storage URL returned will specify http
as its scheme. Since
the client must continue to use https
to reach the Swift Proxy for each
authenticated subsequent request, the plug-in will rewrite the scheme to
be https
. Note that this is an incomplete solution in cases where standard
port numbers (i.e. 80
for http
and 443
for https
) are not assumed
(i.e. port numbers are specified in the URL).
-
The final element of the path portion of the Storage URL returned by the
Swift Proxy will typically be the Account associated with the specified
AuthUser (e.g. AuthUser test
typically has a corresponding Account named
AUTH_test
). The volume being accessed may, however be stored in a different
Account than this. As such, the account element of the path will be replaced
with the Account
as requested.
-
The specified Container must be appended to the Storage URL delineated from
the perhaps updated Account portion by a slash ("/").