tempauth: Support fernet tokens

Tempauth fernet tokens use a secret shared among all proxies to encrypt
user group information. Because they are encrypted, clients can neither
view nor edit this information; it is an opaque bearer token similar to
the existing memcached-backed tokens (just much longer). Note that
tokens still expire after the configured token_life.

Add a new set of config options of the form

 fernet_key_<keyid> = <32 url-safe base64-encoded bytes>

Any of the configured keys will be used to attempt to decrypt tokens
starting with "ftk" and extract group information.

Another new config option

 active_fernet_key_id = <keyid>

dictates which key should be used when minting tokens. Such tokens
will start with "ftk" to distinguish them from memcached-backed tokens
(which continue to start with "tk"). If active_fernet_key_id is not
configured, memcached-backed tokens continue to be used.

Together, these allow seamless transitions from memcached-backed tokens
to fernet tokens, as well as transitions from one fernet key to another:

 1. Add a new fernet_key_<keyid> entry.
 2. Ensure all proxies have the new config with fernet_key_<keyid>.
 3. Set active_fernet_key_id = <keyid>.
 4. Ensure all proxies have the new config with the new
    active_fernet_key_id.

This is similar to the key-rotation process for the encryption feature,
except that old keys may be pruned following a token_life period.

Additionally, opportunistically compress groups before minting tokens.
Compressed tokens will begin with "zftk" but otherwise behave just like
"ftk" tokens.

Change-Id: I0bdc98765d05e91f872ef39d4722f91711a5641f
Tim Burke
2022-10-13 15:29:19 -07:00
parent 64bd1acb9e
commit 74030236ad
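The token scheme the commit message describes, as an added example that is not Swift's own tempauth code: a hypothetical FernetTokenKeyring mints "ftk"/"zftk" tokens with the active key, decrypts with any configured key, and rotation_demo() walks the four rotation steps. It assumes the cryptography package's Fernet and a JSON list as the group payload (the real payload encoding is not shown on this page).

```python
import json
import zlib
from cryptography.fernet import Fernet, InvalidToken


class FernetTokenKeyring:
    def __init__(self, keys, active_key_id=None, token_life=86400):
        # Hypothetical helper: one proxy's fernet_key_<keyid> values plus active_fernet_key_id
        self.fernets = {kid: Fernet(key) for kid, key in keys.items()}  # key_id -> Fernet
        self.active_key_id = active_key_id  # None: keep issuing memcached-backed "tk" tokens
        self.token_life = token_life        # seconds; fernet tokens expire like "tk" tokens

    def mint(self, groups):
        """Return an opaque bearer token carrying the groups, or None when no key is active."""
        if self.active_key_id is None:
            return None
        payload = json.dumps(groups).encode('ascii')
        packed = zlib.compress(payload)
        if len(packed) < len(payload):  # opportunistic compression -> "zftk"
            return 'zftk' + self.fernets[self.active_key_id].encrypt(packed).decode('ascii')
        return 'ftk' + self.fernets[self.active_key_id].encrypt(payload).decode('ascii')

    def groups_for(self, token):
        """Try every configured key; None if not fernet, expired, tampered, or key unknown."""
        if token.startswith('zftk'):
            body, compressed = token[4:], True
        elif token.startswith('ftk'):
            body, compressed = token[3:], False
        else:
            return None  # "tk..." tokens are looked up in memcached instead
        for fernet in self.fernets.values():
            try:
                payload = fernet.decrypt(body.encode('ascii'), ttl=self.token_life)
            except InvalidToken:
                continue
            return json.loads(zlib.decompress(payload) if compressed else payload)
        return None


def rotation_demo():
    """Walk the four rotation steps from the commit message; return what each stage observes."""
    groups = ['acct:user'] + ['acct:group%d' % i for i in range(40)]  # constructed sample
    ring = FernetTokenKeyring({'k1': Fernet.generate_key()}, active_key_id='k1')
    old, short = ring.mint(groups), ring.mint(['acct:user'])  # minted while k1 is active
    ring.fernets['k2'] = Fernet(Fernet.generate_key())  # steps 1-2: every proxy learns k2
    ring.active_key_id = 'k2'                            # steps 3-4: minting switches to k2
    new = ring.mint(groups)
    old_still_valid = ring.groups_for(old) == groups     # k1 tokens still decrypt
    del ring.fernets['k1']                               # prune k1 after a token_life
    tampered = new[:20] + ('A' if new[20] != 'A' else 'B') + new[21:]
    return (old[:4], short[:3], new[:4], old_still_valid, ring.groups_for(old),
            ring.groups_for(new) == groups, ring.groups_for(tampered), ring.groups_for('tk123'))
```

The long group list compresses and so gets the "zftk" prefix, while the single-group token stays "ftk"; after k1 is pruned, tokens minted under it are rejected exactly as an expired token would be.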
@@ -459,6 +459,19 @@ use = egg:swift#tempauth
# This can be useful with an SSL load balancer in front of a non-SSL server.
# storage_url_scheme = default
#
# Fernet keys may be used for storage, rather than relying on memcached.
# Multiple keys may be configured using options named 'fernet_key_<key_id>'
# where 'key_id' is a unique identifier. The value should be 32 url-safe
# base64-encoded bytes, such as may be generated using
# `openssl rand -base64 32 | tr '+/' '-_'`
# Any of these keys may be used for decryption. Only one key may be used
# for encryption by a proxy at any given time; configure it with the
# 'active_fernet_key_id' option. All proxies in the cluster should know
# about a key before it is activated. If blank (the default),
# memcached-backed tokens will be issued.
# fernet_key_myid = <32 url-safe base64-encoded bytes>
# active_fernet_key_id = myid
#
# Lastly, you need to list all the accounts/users you want here. The format is:
# user_<account>_<user> = <key> [group] [group] [...] [storage_url]
# or if you want underscores in <account> or <user>, you can base64 encode them
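Review bot: the opening sentence of the new comment block, "Fernet keys may be used for storage, rather than relying on memcached", does not say what is being stored; since the feature replaces memcached-backed tokens with self-contained encrypted tokens, suggest "Fernet tokens may be issued instead of memcached-backed tokens" so operators understand that memcached is no longer consulted for these tokens. The block also omits two operator-facing facts stated in the commit message: that fernet tokens start with "ftk" (or "zftk" when compressed) while memcached tokens keep the "tk" prefix, and that a retired fernet_key_<key_id> may be removed once a token_life has elapsed after it stopped being active; one extra comment line for each would make the sample config self-sufficient. Finally, the text implies but does not state that active_fernet_key_id must name one of the configured fernet_key_<key_id> options; say so explicitly.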
openstack/swift