Delegated Authorization

To support additional asset workflows, the SwiftStack Controller includes the Delegated Authorization middleware. This middleware delegates authorization to an external web service, or "Permit Server." This delegation is akin to cooperative multitasking or advisory filesystem locks in that it is not a security feature. It provides additional coordination semantics for well-behaved clients. It does not prevent malicious clients from bypassing the Permit Server if they try.

The Delegated Authorization middleware is made active on a per-container basis by setting the Use-Permit container metadata key (by POSTing the header X-Container-Meta-Use-Permit) to a value like "on", "t", or "true".

Once enabled on a container, all Swift API requests for objects in that container must include some of the following headers:

SwiftStack-Permit-Endpoint

The URL endpoint of the Permit Server, including any leading http:// or https://.

SwiftStack-Permit-Content

This is an opaque, arbitrary byte string (which will be decoded according to RFC 2396) to be sent in the POST request body to the Permit Server.

SwiftStack-Permit-Header-*

Any header that starts with SwiftStack-Permit-Header- will be passed to the authentication endpoint, without the SwiftStack-Permit-Header- prefix. For example, SwiftStack-Permit-Header-Authorization: token will be passed as Authorization: token.

You must include either the SwiftStack-Permit-Content or one or more SwiftStack-Permit-Header- headers. Including none of the above will result in an error.

Three optional headers may also be provided in the Swift API request:

SwiftStack-Permit-Content-Type

If supplied, the value will be used as the POST request’s Content-Type header. If not supplied, the POST’s Content-Type header value will be application/octet-stream.

SwiftStack-Permit-Content-Encoding

If supplied, the value will be used as the POST request’s Content-Encoding header. If not supplied, the POST request will have no Content-Encoding header.

SwiftStack-Permit-Method

If supplied, the value will be used as the method to use for authentication. The method must be one of GET, HEAD, POST, or PUT. By default, POST is assumed.

If the Permit Server responds with a response between 200 and 299 then the Swift API request will be processed "normally" (subject to all normal authentication and authorization). If the Permit Server successfully responds with another valid HTTP response (including 3xx responses), then the Swift API request will be rejected with 403 Forbidden. If there is an error communicating with the Permit server itself, the Swift API request's response will be 503 Service Unavailable.

Configuration

Click on the Delegated Authorization link on the Manage Cluster page Middleware tab to enable and configure the Delegated Authorization middleware.

../../_images/delegated-auth.png

http_timeout

An integer number of seconds to wait for the Permit Server before giving up and returning a 503 Service Unavailable to the client.