如何想用使用 Swift的服务,都需要经过认证鉴权,例如,某用户想上传一个文件X,首先该用户需要有权限进入到系统中,然后他需要有可以上传文件的权限,早期版本Swift有自己的实现认证鉴权的程序tempauth,在/swift/common/middlleware/下你可以找到这个python文件,但是后期,openstack退出了自己的认证鉴权的模块keystone,提供统一的接口,这样服务向外暴露的只是认证鉴权的url。通常我们使用keystone作为 swift鉴权模块,因为它功能强大,同时可以支持其他服务。
之前的文章中,我分析过请求的流程,一个请求->auth_token->swift_auth->handler_request,其中 auth_token,swift_auth 分别在keystone/middleware/ 中,auth_token作为通用的模块,提供给nova,glance,swift等等组件的服务,同时也可以支持亚马逊的API ,swift_auth,是针对swift鉴权的模块,在最新的版本中, swift_auth已经集成到了swift中,命名为keystoneauth.py 其实它们基本上就是一个文件。
值得注意的是,swift需要启动auth_token服务,也就是keystone的代码,所以,通常swift proxy和keystone会安装在同一台机器上,如果不安装在一台机器上,则需要在安装swift proxy 的机器上安装auth_token及相关的代码。
我本身没有研究 keystone这个项目,所以对一些东西也不是很熟悉,但是keystone确实是一个功能很强大的鉴权模块,比如支持ssl,acl(防盗链)等,我咨询过源码贡献者,所以下面的源码分析有一定的借鉴意义。
下面是源码分析:
def __call__(self, env, start_response): """Handle incoming request. Authenticate send downstream on success. Reject request if we can't authenticate. """ LOG.debug('Authenticating user token') try: self._remove_auth_headers(env)#在已有的env环境中中,删除token相关的headers。 user_token = self._get_user_token_from_header(env)#从header中获取user_token token_info = self._validate_user_token(user_token)#验证user_token user_headers = self._build_user_headers(token_info)#制作token的headers self._add_headers(env, user_headers)#把新生成的headers添加到env中, return self.app(env, start_response) except InvalidUserToken: if self.delay_auth_decision: LOG.info('Invalid user token - deferring reject downstream') self._add_headers(env, {'X-Identity-Status': 'Invalid'}) return self.app(env, start_response) else: LOG.info('Invalid user token - rejecting request') return self._reject_request(env, start_response) except ServiceError, e: LOG.critical('Unable to obtain admin token: %s' % e) resp = webob.exc.HTTPServiceUnavailable() return resp(env, start_response)
在env中 删除token相关的header
def _remove_auth_headers(self, env): """Remove headers so a user can't fake authentication.#删除headers这样一个用户就不能伪装认证 :param env: wsgi request environment """ auth_headers = (#把这些头转化成env相应的格式 然后删除它们,保证env没有与identity相关的数据 'X-Identity-Status', 'X-Tenant-Id', 'X-Tenant-Name', 'X-User-Id', 'X-User-Name', 'X-Roles', 'X-Service-Catalog', # Deprecated 'X-User', 'X-Tenant', 'X-Role', ) LOG.debug('Removing headers from request environment: %s' % ','.join(auth_headers)) self._remove_headers(env, auth_headers)
从env中获取user_token
def _get_user_token_from_header(self, env): """Get token id from request. :param env: wsgi request environment :return token id :raises InvalidUserToken if no token is provided in request """ token = self._get_header(env, 'X-Auth-Token',#获取token self._get_header(env, 'X-Storage-Token')) if token: return token else: LOG.warn("Unable to find authentication token in headers: %s", env) raise InvalidUserToken('Unable to find token in headers')
验证user_token流程
def _validate_user_token(self, user_token, retry=True): """Authenticate user using PKI :param user_token: user's token id :param retry: Ignored, as it is not longer relevant :return uncrypted body of the token if the token is valid :raise InvalidUserToken if token is rejected :no longer raises ServiceError since it no longer makes RPC """ try: cached = self._cache_get(user_token)#在缓存中查找user_token if cached:#如果缓存缓存中存在,说明已经在鉴权有效期内 return cached if (len(user_token) > cms.UUID_TOKEN_LENGTH):#如果大于32位 verified = self.verify_signed_token(user_token)#ssl功能 data = json.loads(verified) else:#如果不大于32位—》去keystone鉴权 data = self.verify_uuid_token(user_token, retry) self._cache_put(user_token, data)#放到缓存中,此处有bug,因为跳出程序后还会进行缓存。 return data except Exception as e: LOG.debug('Token validation failure.', exc_info=True) self._cache_store_invalid(user_token) LOG.warn("Authorization failed for token %s", user_token) raise InvalidUserToken('Token authorization failed') def verify_uuid_token(self, user_token, retry=True): """Authenticate user token with keystone. :param user_token: user's token id :param retry: flag that forces the middleware to retry user authentication when an indeterminate response is received. Optional. :return token object received from keystone on success :raise InvalidUserToken if token is rejected :raise ServiceError if unable to authenticate token """ headers = {'X-Auth-Token': self.get_admin_token()}#在proxy-server.conf配置文件中,配置的admin_token response, data = self._json_request('GET',#发送请求到keystone,得到响应,和响应data '/v2.0/tokens/%s' % user_token, additional_headers=headers) if response.status == 200:#200表示成功,缓存数据,然后返回。 self._cache_put(user_token, data) return data if response.status == 404: # FIXME(ja): I'm assuming the 404 status means that user_token is # invalid - not that the admin_token is invalid self._cache_store_invalid(user_token)#user_token已经无效 LOG.warn("Authorization failed for token %s", user_token) raise InvalidUserToken('Token authorization failed') if response.status == 401: LOG.info('Keystone rejected admin token %s, resetting', headers) self.admin_token = None else: LOG.error('Bad response code while validating token: %s' % response.status) if retry: LOG.info('Retrying validation') return self._validate_user_token(user_token, False) else: LOG.warn("Invalid user token: %s. Keystone response: %s.", user_token, data) raise InvalidUserToken()
转换token对象到header 中
def _build_user_headers(self, token_info): """Convert token object into headers. Build headers that represent authenticated user: * X_IDENTITY_STATUS: Confirmed or Invalid * X_TENANT_ID: id of tenant if tenant is present * X_TENANT_NAME: name of tenant if tenant is present * X_USER_ID: id of user * X_USER_NAME: name of user * X_ROLES: list of roles * X_SERVICE_CATALOG: service catalog Additional (deprecated) headers include: * X_USER: name of user * X_TENANT: For legacy compatibility before we had ID and Name * X_ROLE: list of roles :param token_info: token object returned by keystone on authentication :raise InvalidUserToken when unable to parse token object """ user = token_info['access']['user']#根据token_info,获取user,token,roles token = token_info['access']['token'] roles = ','.join([role['name'] for role in user.get('roles', [])]) def get_tenant_info(): """Returns a (tenant_id, tenant_name) tuple from context.""" def essex(): """Essex puts the tenant ID and name on the token.""" return (token['tenant']['id'], token['tenant']['name']) def pre_diablo(): """Pre-diablo, Keystone only provided tenantId.""" return (token['tenantId'], token['tenantId']) def default_tenant(): """Assume the user's default tenant.""" return (user['tenantId'], user['tenantName']) for method in [essex, pre_diablo, default_tenant]: try: return method() except KeyError: pass raise InvalidUserToken('Unable to determine tenancy.') tenant_id, tenant_name = get_tenant_info()#获取tenant_id,tenant_name user_id = user['id'] user_name = user['name'] rval = {#生成一个关于Identity信息的字典。 'X-Identity-Status': 'Confirmed', 'X-Tenant-Id': tenant_id, 'X-Tenant-Name': tenant_name, 'X-User-Id': user_id, 'X-User-Name': user_name, 'X-Roles': roles, # Deprecated 'X-User': user_name, 'X-Tenant': tenant_name, 'X-Role': roles, } try: catalog = token_info['access']['serviceCatalog'] rval['X-Service-Catalog'] = jsonutils.dumps(catalog)#catalog使用json格式 except KeyError: pass return rval #然后把生成的user_token 添加到env中,
这样鉴权的过程就结束了,下一步是swift_auth.py/keystoneauth.py
我们在handle_request中会发现程序在执行最终操作之前,才调用鉴权函数,这是因为,如果有权限,我们就使出这个钩子(鉴权),这样之后的就不需要鉴权了。
def __call__(self, environ, start_response): identity = self._keystone_identity(environ)#先从环境中获取identity信息 # Check if one of the middleware like tempurl or formpost have # set the swift.authorize_override environ and want to control the # authentication if (self.allow_overrides and#如果使用其他的中间件设置了swift.authorize environ.get('swift.authorize_override', False)): msg = 'Authorizing from an overriding middleware (i.e: tempurl)' self.logger.debug(msg) return self.app(environ, start_response) if identity:#如果有信息 self.logger.debug('Using identity: %r' % (identity)) environ['keystone.identity'] = identity environ['REMOTE_USER'] = identity.get('tenant') environ['swift.authorize'] = self.authorize#设置句柄 else: self.logger.debug('Authorizing as anonymous') environ['swift.authorize'] = self.authorize_anonymous environ['swift.clean_acl'] = swift_acl.clean_acl#防盗链功能实现 return self.app(environ, start_response)
主要的authorize
def authorize(self, req): env = req.environ env_identity = env.get('keystone.identity', {}) tenant_id, tenant_name = env_identity.get('tenant') try: part = swift_utils.split_path(req.path, 1, 4, True) version, account, container, obj = part except ValueError: return webob.exc.HTTPNotFound(request=req) user_roles = env_identity.get('roles', []) # Give unconditional access to a user with the reseller_admin # role. if self.reseller_admin_role in user_roles:#如果有reseller_admin_role返回空,意味着有权限 msg = 'User %s has reseller admin authorizing' self.logger.debug(msg % tenant_id) req.environ['swift_owner'] = True return # Check if a user tries to access an account that does not match their # token#检查是否用户没有访问的account的权限 if not self._reseller_check(account, tenant_id): log_msg = 'tenant mismatch: %s != %s' % (account, tenant_id) self.logger.debug(log_msg) return self.denied_response(req) # Check the roles the user is belonging to. If the user is # part of the role defined in the config variable # operator_roles (like admin) then it will be # promoted as an admin of the account/tenant. for role in self.operator_roles.split(','):#如果是admin,或者是swiftoperator权限,返回空 role = role.strip() if role in user_roles: log_msg = 'allow user with role %s as account admin' % (role) self.logger.debug(log_msg) req.environ['swift_owner'] = True return # If user is of the same name of the tenant then make owner of it. user = env_identity.get('user', '') if self.is_admin and user == tenant_name: req.environ['swift_owner'] = True return