Revision e6d3ee61 docs/admin-guide.rst

b/docs/admin-guide.rst
521 521
:ref:`authenticate-api-label` API call from a private network or through HTTPS.
522 522

  
523 523

  
524
File/Object Storage Service (Pithos+)
525
====================================
526

  
527
Pithos+ is the Synnefo component that implements a storage service and exposes
528
the associated OpenStack REST APIs with custom extensions.
529

  
530
Pithos+ advanced operations
531
---------------------------
532

  
533
Enable separate domain for serving user content
534
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
535

  
536
Since Synnefo v0.15, there is a possibility to serve untrusted user content
537
in an isolated domain.
538

  
539
Enabling this feature consists of the following steps:
540

  
541
#. **Declare new domain in apache server**
542

  
543
   In order to enable the apache server to serve several domains it is required
544
   to setup several virtual hosts.
545
   Therefore, for adding the new domain e.g. "user-content.example.com", append
546
   the following in ``/etc/apache2/sites-available/synnefo-ssl``:
547

  
548
    .. code-block:: console
549

  
550
        <VirtualHost _default_:443>
551
            ServerName user-content.example.com
552

  
553
            Alias /static "/usr/share/synnefo/static"
554

  
555
            #  SetEnv no-gzip
556
            #  SetEnv dont-vary
557

  
558
           AllowEncodedSlashes On
559

  
560
           RequestHeader set X-Forwarded-Protocol "https"
561

  
562
        <Proxy * >
563
            Order allow,deny
564
            Allow from all
565
        </Proxy>
566

  
567
            SetEnv                proxy-sendchunked
568
            SSLProxyEngine        off
569
            ProxyErrorOverride    off
570

  
571
            ProxyPass        /static !
572
            ProxyPass        / http://localhost:8080/ retry=0
573
            ProxyPassReverse / http://localhost:8080/
574

  
575
            RewriteEngine On
576
            RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC]
577
            RewriteRule ^(.*)$ - [F,L]
578

  
579
            SSLEngine on
580
            SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
581
            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
582
        </VirtualHost>
583

  
584
    .. note:: Consider also to purchase and install a certificate for the new
585
              domain.
586

  
587

  
588
    Finally, restart the apache server::
589

  
590
        pithos-host$ /etc/init.d/apache2 restart
591

  
592
#. **Register Pithos+ as an OAuth2 client in Astakos**
593

  
594
   Starting from synnefo version 0.15, in order to view the content of a
595
   protected resource, Pithos+ (on behalf of the user) has to be granted
596
   authorization for the specific resource by Astakos.
597

  
598
   During the authorization grant procedure, Pithos+ has to authenticate
599
   itself with Astakos since the latter has to prevent serving requests by
600
   unknown/unauthorized clients.
601

  
602
   Therefore, in the installation guide you were guided to register Pithos+
603
   as an OAuth2 client in Astakos.
604

  
605
   .. note:: You can see the registered clients by running::
606
    astakos-host$ snf-manage oauth2-client-list -o identifier,redirect_urls,is_trusted
607

  
608
   However, requests originated from the new domain will be rejected since
609
   Astakos is ignorant about the new domain.
610

  
611
   Therefore, you need to register a new client pointing to the unsafe domain.
612
   To do so, use the following command::
613

  
614
        astakos-host$ snf-manage oauth2-client-add pithos-unsafe-domain --secret=<secret> --is-trusted --url https://user-content.example.com/pithos/ui/view
615

  
616

  
617
   .. note:: You can also unregister the client pointing to the safe domain,
618
       since it will no longer be useful.
619
       To do so, run the following::
620

  
621
        astakos-host$ snf-manage oauth2-client-remove pithos-view
622

  
623
#. **Update Pithos+ configuration**
624

  
625
   Respectively, the ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting should be
626
   updated to contain the credentials of the client registered in the previous
627
   step.
628

  
629
   Furthermore, you need to restrict all the requests for user content
630
   to be served exclusively by the unsafe domain.
631

  
632
   To enable this, set the ``PITHOS_UNSAFE_DOMAIN`` setting to the value
633
   of the new domain e.g. "user-content.example.com"
634

  
635
   Finally, restart the gunicorn server::
636

  
637
        pithos-host$ /etc/init.d/gunicorn restart
638

  
639

  
524 640
Compute/Network/Image Service (Cyclades)
525 641
========================================
526 642
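Review bot: In step 2 the note "You can see the registered clients by running::" is followed directly by the ``snf-manage oauth2-client-list`` line with no blank line in between, so reStructuredText folds the command into the note's paragraph instead of rendering a literal block. Put the note text on its own indented line, follow it with a blank line, and indent the command one level deeper, the way the ``oauth2-client-remove`` note further down does. In step 1 the Apache configuration is tagged ``.. code-block:: console`` and its directives sit at three different depths (``AllowEncodedSlashes`` and ``RequestHeader`` one column short of the other directives, the ``<Proxy * >`` block level with ``<VirtualHost>``). The ``apacheconf`` lexer and a uniform indent would make the block safer to copy. Step 3 names ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` and ``PITHOS_UNSAFE_DOMAIN`` without showing the expected value format, and the sentence ending in "user-content.example.com" is missing its full stop. A short settings snippet would remove the guesswork. Because the new client is registered with ``--is-trusted`` for a domain the text itself calls unsafe, please add a sentence saying what that flag grants so administrators can judge the choice.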

  
