Proxy Account Controller Functionality

Asked by Travis W Kiel

Reading some discussions in the bug pages, I am hearing that some auth-related functionality was moved from the auth server to the proxy; namely account creation, etc.

What I am wondering is what exactly the proxy's AccountController can do? Is it just account metadata changes, or can you actually create an account through the proxy server itself, rather than just through the devauth server?

I took a look at the code for the AccountController and it appears that it's just metadata updates. I have tried to use the AccountController via client, but I seem to get unauthorized no matter what creds I'm using.

Could anybody help demystify this for me, just to clear up some conflicting information I'm seeing?

Question information

Language: English
Status: Solved
For: OpenStack Object Storage (swift)
Assignee: No assignee
Solved by: Greg Lange

Best Greg Lange (greglange) said :
#1

The proxy doesn't/can't create accounts. It only calls out to an auth service to verify a request's auth token.

Included in the swift code base is an example/development auth server under ~/swift/swift/auth.

It can be used during development/testing but probably shouldn't be used for production.

Using that auth server you can create accounts.

Greg

Travis W Kiel (twkiel) said :
#2

Excellent, thanks for the clarification Greg.

John Dickinson (notmyname) said :
#3

Actually, Greg is correct with an older version of the code. The proxy server does, in fact, have account creation code (AccountController.PUT). Its usage is restricted by the auth middleware to prevent just anyone from creating any account.

An important note is that the dev auth server provided with swift (for dev use only, not prod) is not related to the auth middleware. The middleware will tie in with any auth system to authenticate tokens and authorize access to the system.

So the proxy server does account PUTs and account metadata updates. The swift-auth-add-user is used to create new swift accounts in the cluster. Or write your own if you are using a different auth system.
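
The restriction described in answer #3, as an added sketch that is not swift's code and not part of any post above: a WSGI auth middleware authenticates the token and refuses account-level PUT/DELETE unless the caller is privileged, so the proxy's account-creation handler is reachable only through it. The token table, the admin flag, the `/v1/<account>` path layout and all names are assumptions made for this illustration.

```python
# Added sketch, not swift's middleware: the token table, the admin flag and
# the /v1/<account>[/<container>...] path layout are assumptions.

# Constructed stand-in for an auth service: token -> (account, is_admin)
TOKENS = {"tok-user": ("AUTH_alice", False), "tok-admin": ("AUTH_ops", True)}

def proxy_app(environ, start_response):
    """Stand-in proxy: any PUT that reaches it is treated as a create."""
    created = environ["REQUEST_METHOD"] == "PUT"
    start_response("201 Created" if created else "204 No Content", [])
    return [b""]

class AuthMiddleware:
    """Authenticate the token, then authorize, before the proxy runs."""
    def __init__(self, app, tokens):
        self.app, self.tokens = app, tokens

    def __call__(self, environ, start_response):
        identity = self.tokens.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if identity is None:
            return self._deny(start_response, "401 Unauthorized")
        account, is_admin = identity
        parts = environ.get("PATH_INFO", "").strip("/").split("/")
        if len(parts) < 2 or parts[0] != "v1" or not parts[1]:
            return self._deny(start_response, "404 Not Found")
        account_level = len(parts) == 2
        if account_level and environ["REQUEST_METHOD"] in ("PUT", "DELETE"):
            allowed = is_admin  # creating/deleting accounts: privileged only
        else:
            allowed = is_admin or parts[1] == account
        if not allowed:
            return self._deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status):
        start_response(status, [])
        return [b""]

def request(method, path, token=None):
    """Drive the stack in-process and return the status line."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if token:
        environ["HTTP_X_AUTH_TOKEN"] = token
    seen = []
    AuthMiddleware(proxy_app, TOKENS)(environ, lambda s, h: seen.append(s))
    return seen[0]

if __name__ == "__main__":
    print(request("PUT", "/v1/AUTH_alice", "tok-user"))
```

In this sketch an ordinary, valid token is refused on an account PUT even for its own account, while container-level requests inside that account pass through.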