【原创】OpenStack Swift源码分析（五）keystone鉴权

    如何想用使用 Swift的服务，都须要通过认证鉴权，例如，某用户想上传一个文件X，首先该用户须要有权限进入到系统中，而后他须要有能够上传文件的权限，早期版本Swift有本身的实现认证鉴权的程序tempauth，在/swift/common/middlleware/下你能够找到这个python文件，可是后期，openstack退出了本身的认证鉴权的模块keystone，提供统一的接口，这样服务向外暴露的只是认证鉴权的url。一般咱们使用keystone做为 swift鉴权模块，由于它功能强大，同时能够支持其余服务。

    以前的文章中，我分析过请求的流程，一个请求->auth_token->swift_auth->handler_request，其中 auth_token,swift_auth 分别在keystone/middleware/ 中，auth_token做为通用的模块，提供给nova,glance,swift等等组件的服务，同时也能够支持亚马逊的API ,swift_auth,是针对swift鉴权的模块，在最新的版本中， swift_auth已经集成到了swift中，命名为keystoneauth.py 其实它们基本上就是一个文件。

    值得注意的是，swift须要启动auth_token服务，也就是keystone的代码，因此，一般swift proxy和keystone会安装在同一台机器上，若是不安装在一台机器上，则须要在安装swift proxy 的机器上安装auth_token及相关的代码。

    我自己没有研究 keystone这个项目，因此对一些东西也不是很熟悉，可是keystone确实是一个功能很强大的鉴权模块，好比支持ssl,acl(防盗链)等，我咨询过源码贡献者，因此下面的源码分析有必定的借鉴意义。

    下面是源码分析：

def __call__(self, env, start_response):
        """Handle incoming request.

        Authenticate send downstream on success. Reject request if
        we can't authenticate.

        """
        LOG.debug('Authenticating user token')
        try:
            self._remove_auth_headers(env)#在已有的env环境中中，删除token相关的headers。
            user_token = self._get_user_token_from_header(env)#从header中获取user_token
            token_info = self._validate_user_token(user_token)#验证user_token
            user_headers = self._build_user_headers(token_info)#制做token的headers
            self._add_headers(env, user_headers)#把新生成的headers添加到env中，
            return self.app(env, start_response)

        except InvalidUserToken:
            if self.delay_auth_decision:
                LOG.info('Invalid user token - deferring reject downstream')
                self._add_headers(env, {'X-Identity-Status': 'Invalid'})
                return self.app(env, start_response)
            else:
                LOG.info('Invalid user token - rejecting request')
                return self._reject_request(env, start_response)

        except ServiceError, e:
            LOG.critical('Unable to obtain admin token: %s' % e)
            resp = webob.exc.HTTPServiceUnavailable()
            return resp(env, start_response)

在env中 删除token相关的header

def _remove_auth_headers(self, env): """Remove headers so a user can't fake authentication.#删除headers这样一个用户就不能假装认证 :param env: wsgi request environment """ auth_headers = (#把这些头转化成env相应的格式 而后删除它们，保证env没有与identity相关的数据 'X-Identity-Status', 'X-Tenant-Id', 'X-Tenant-Name', 'X-User-Id', 'X-User-Name', 'X-Roles', 'X-Service-Catalog', # Deprecated 'X-User', 'X-Tenant', 'X-Role', ) LOG.debug('Removing headers from request environment: %s' % ','.join(auth_headers)) self._remove_headers(env, auth_headers)

从env中获取user_token

def _get_user_token_from_header(self, env): """Get token id from request. :param env: wsgi request environment :return token id :raises InvalidUserToken if no token is provided in request """ token = self._get_header(env, 'X-Auth-Token',#获取token self._get_header(env, 'X-Storage-Token')) if token: return token else: LOG.warn("Unable to find authentication token in headers: %s", env) raise InvalidUserToken('Unable to find token in headers')

验证user_token流程

 def _validate_user_token(self, user_token, retry=True): """Authenticate user using PKI :param user_token: user's token id :param retry: Ignored, as it is not longer relevant :return uncrypted body of the token if the token is valid :raise InvalidUserToken if token is rejected :no longer raises ServiceError since it no longer makes RPC """ try: cached = self._cache_get(user_token)#在缓存中查找user_token if cached:#若是缓存缓存中存在，说明已经在鉴权有效期内 return cached if (len(user_token) > cms.UUID_TOKEN_LENGTH):#若是大于32位 verified = self.verify_signed_token(user_token)#ssl功能 data = json.loads(verified) else:#若是不大于32位—》去keystone鉴权 data = self.verify_uuid_token(user_token, retry) self._cache_put(user_token, data)#放到缓存中，此处有bug，由于跳出程序后还会进行缓存。 return data except Exception as e: LOG.debug('Token validation failure.', exc_info=True) self._cache_store_invalid(user_token) LOG.warn("Authorization failed for token %s", user_token) raise InvalidUserToken('Token authorization failed') def verify_uuid_token(self, user_token, retry=True): """Authenticate user token with keystone. :param user_token: user's token id :param retry: flag that forces the middleware to retry user authentication when an indeterminate response is received. Optional. :return token object received from keystone on success :raise InvalidUserToken if token is rejected :raise ServiceError if unable to authenticate token """ headers = {'X-Auth-Token': self.get_admin_token()}#在proxy-server.conf配置文件中，配置的admin_token response, data = self._json_request('GET',#发送请求到keystone,获得响应，和响应data '/v2.0/tokens/%s' % user_token, additional_headers=headers) if response.status == 200:#200表示成功，缓存数据，而后返回。 self._cache_put(user_token, data) return data if response.status == 404: # FIXME(ja): I'm assuming the 404 status means that user_token is # invalid - not that the admin_token is invalid self._cache_store_invalid(user_token)#user_token已经无效 LOG.warn("Authorization failed for token %s", user_token) raise InvalidUserToken('Token authorization failed') if response.status == 401: LOG.info('Keystone rejected admin token %s, resetting', headers) self.admin_token = None else: LOG.error('Bad response code while validating token: %s' % response.status) if retry: LOG.info('Retrying validation') return self._validate_user_token(user_token, False) else: LOG.warn("Invalid user token: %s. Keystone response: %s.", user_token, data) raise InvalidUserToken()

转换token对象到header 中

def _build_user_headers(self, token_info):
        """Convert token object into headers.

        Build headers that represent authenticated user:
         * X_IDENTITY_STATUS: Confirmed or Invalid
         * X_TENANT_ID: id of tenant if tenant is present
         * X_TENANT_NAME: name of tenant if tenant is present
         * X_USER_ID: id of user
         * X_USER_NAME: name of user
         * X_ROLES: list of roles
         * X_SERVICE_CATALOG: service catalog

        Additional (deprecated) headers include:
         * X_USER: name of user
         * X_TENANT: For legacy compatibility before we had ID and Name
         * X_ROLE: list of roles

        :param token_info: token object returned by keystone on authentication
        :raise InvalidUserToken when unable to parse token object

        """
        user = token_info['access']['user']#根据token_info,获取user,token,roles
        token = token_info['access']['token']
        roles = ','.join([role['name'] for role in user.get('roles', [])])

        def get_tenant_info():
            """Returns a (tenant_id, tenant_name) tuple from context."""
            def essex():
                """Essex puts the tenant ID and name on the token."""
                return (token['tenant']['id'], token['tenant']['name'])

            def pre_diablo():
                """Pre-diablo, Keystone only provided tenantId."""
                return (token['tenantId'], token['tenantId'])

            def default_tenant():
                """Assume the user's default tenant."""
                return (user['tenantId'], user['tenantName'])

            for method in [essex, pre_diablo, default_tenant]:
                try:
                    return method()
                except KeyError:
                    pass

            raise InvalidUserToken('Unable to determine tenancy.')

        tenant_id, tenant_name = get_tenant_info()#获取tenant_id,tenant_name

        user_id = user['id']
        user_name = user['name']

        rval = {#生成一个关于Identity信息的字典。
            'X-Identity-Status': 'Confirmed',
            'X-Tenant-Id': tenant_id,
            'X-Tenant-Name': tenant_name,
            'X-User-Id': user_id,
            'X-User-Name': user_name,
            'X-Roles': roles,
            # Deprecated
            'X-User': user_name,
            'X-Tenant': tenant_name,
            'X-Role': roles,
        }

        try:
            catalog = token_info['access']['serviceCatalog']
            rval['X-Service-Catalog'] = jsonutils.dumps(catalog)#catalog使用json格式
        except KeyError:
            pass

        return rval
#而后把生成的user_token 添加到env中，

这样鉴权的过程就结束了，下一步是swift_auth.py/keystoneauth.py

咱们在handle_request中会发现程序在执行最终操做以前，才调用鉴权函数，这是由于，若是有权限，咱们就使出这个钩子（鉴权），这样以后的就不须要鉴权了。

def __call__(self, environ, start_response):
        identity = self._keystone_identity(environ)#先从环境中获取identity信息

        # Check if one of the middleware like tempurl or formpost have
        # set the swift.authorize_override environ and want to control the
        # authentication
        if (self.allow_overrides and#若是使用其余的中间件设置了swift.authorize
                environ.get('swift.authorize_override', False)):
            msg = 'Authorizing from an overriding middleware (i.e: tempurl)'
            self.logger.debug(msg)
            return self.app(environ, start_response)

        if identity:#若是有信息
            self.logger.debug('Using identity: %r' % (identity))
            environ['keystone.identity'] = identity
            environ['REMOTE_USER'] = identity.get('tenant')
            environ['swift.authorize'] = self.authorize#设置句柄
        else:
            self.logger.debug('Authorizing as anonymous')
            environ['swift.authorize'] = self.authorize_anonymous

        environ['swift.clean_acl'] = swift_acl.clean_acl#防盗链功能实现

        return self.app(environ, start_response)

主要的authorize

def authorize(self, req):
        env = req.environ
        env_identity = env.get('keystone.identity', {})
        tenant_id, tenant_name = env_identity.get('tenant')

        try:
            part = swift_utils.split_path(req.path, 1, 4, True)
            version, account, container, obj = part
        except ValueError:
            return webob.exc.HTTPNotFound(request=req)

        user_roles = env_identity.get('roles', [])

        # Give unconditional access to a user with the reseller_admin
        # role.
        if self.reseller_admin_role in user_roles:#若是有reseller_admin_role返回空，意味着有权限
            msg = 'User %s has reseller admin authorizing'
            self.logger.debug(msg % tenant_id)
            req.environ['swift_owner'] = True
            return

        # Check if a user tries to access an account that does not match their
        # token#检查是否用户没有访问的account的权限
        if not self._reseller_check(account, tenant_id):
            log_msg = 'tenant mismatch: %s != %s' % (account, tenant_id)
            self.logger.debug(log_msg)
            return self.denied_response(req)

        # Check the roles the user is belonging to. If the user is
        # part of the role defined in the config variable
        # operator_roles (like admin) then it will be
        # promoted as an admin of the account/tenant.
        for role in self.operator_roles.split(','):#若是是admin,或者是swiftoperator权限，返回空
            role = role.strip()
            if role in user_roles:
                log_msg = 'allow user with role %s as account admin' % (role)
                self.logger.debug(log_msg)
                req.environ['swift_owner'] = True
                return

        # If user is of the same name of the tenant then make owner of it.
        user = env_identity.get('user', '')
        if self.is_admin and user == tenant_name:
            req.environ['swift_owner'] = True
            return