Revision e6d3ee61 docs/admin-guide.rst
b/docs/admin-guide.rst | ||
---|---|---|
521 | 521 |
:ref:`authenticate-api-label` API call from a private network or through HTTPS. |
522 | 522 |
|
523 | 523 |
|
524 |
File/Object Storage Service (Pithos+) |
|
525 |
==================================== |
|
526 |
|
|
527 |
Pithos+ is the Synnefo component that implements a storage service and exposes |
|
528 |
the associated OpenStack REST APIs with custom extensions. |
|
529 |
|
|
530 |
Pithos+ advanced operations |
|
531 |
--------------------------- |
|
532 |
|
|
533 |
Enable separate domain for serving user content |
|
534 |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
535 |
|
|
536 |
Since Synnefo v0.15, there is a possibility to serve untrusted user content |
|
537 |
in an isolated domain. |
|
538 |
|
|
539 |
Enabling this feature consists of the following steps: |
|
540 |
|
|
541 |
#. **Declare new domain in apache server** |
|
542 |
|
|
543 |
In order to enable the apache server to serve several domains it is required |
|
544 |
to setup several virtual hosts. |
|
545 |
Therefore, for adding the new domain e.g. "user-content.example.com", append |
|
546 |
the following in ``/etc/apache2/sites-available/synnefo-ssl``: |
|
547 |
|
|
548 |
.. code-block:: console |
|
549 |
|
|
550 |
<VirtualHost _default_:443> |
|
551 |
ServerName user-content.example.com |
|
552 |
|
|
553 |
Alias /static "/usr/share/synnefo/static" |
|
554 |
|
|
555 |
# SetEnv no-gzip |
|
556 |
# SetEnv dont-vary |
|
557 |
|
|
558 |
AllowEncodedSlashes On |
|
559 |
|
|
560 |
RequestHeader set X-Forwarded-Protocol "https" |
|
561 |
|
|
562 |
<Proxy * > |
|
563 |
Order allow,deny |
|
564 |
Allow from all |
|
565 |
</Proxy> |
|
566 |
|
|
567 |
SetEnv proxy-sendchunked |
|
568 |
SSLProxyEngine off |
|
569 |
ProxyErrorOverride off |
|
570 |
|
|
571 |
ProxyPass /static ! |
|
572 |
ProxyPass / http://localhost:8080/ retry=0 |
|
573 |
ProxyPassReverse / http://localhost:8080/ |
|
574 |
|
|
575 |
RewriteEngine On |
|
576 |
RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC] |
|
577 |
RewriteRule ^(.*)$ - [F,L] |
|
578 |
|
|
579 |
SSLEngine on |
|
580 |
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem |
|
581 |
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key |
|
582 |
</VirtualHost> |
|
583 |
|
|
584 |
.. note:: Consider also to purchase and install a certificate for the new |
|
585 |
domain. |
|
586 |
|
|
587 |
|
|
588 |
Finally, restart the apache server:: |
|
589 |
|
|
590 |
pithos-host$ /etc/init.d/apache2 restart |
|
591 |
|
|
592 |
#. **Register Pithos+ as an OAuth2 client in Astakos** |
|
593 |
|
|
594 |
Starting from synnefo version 0.15, in order to view the content of a |
|
595 |
protected resource, Pithos+ (on behalf of the user) has to be granted |
|
596 |
authorization for the specific resource by Astakos. |
|
597 |
|
|
598 |
During the authorization grant procedure, Pithos+ has to authenticate |
|
599 |
itself with Astakos since the latter has to prevent serving requests by |
|
600 |
unknown/unauthorized clients. |
|
601 |
|
|
602 |
Therefore, in the installation guide you were guided to register Pithos+ |
|
603 |
as an OAuth2 client in Astakos. |
|
604 |
|
|
605 |
.. note:: You can see the registered clients by running:: |
|
606 |
astakos-host$ snf-manage oauth2-client-list -o identifier,redirect_urls,is_trusted |
|
607 |
|
|
608 |
However, requests originated from the new domain will be rejected since |
|
609 |
Astakos is ignorant about the new domain. |
|
610 |
|
|
611 |
Therefore, you need to register a new client pointing to the unsafe domain. |
|
612 |
To do so, use the following command:: |
|
613 |
|
|
614 |
astakos-host$ snf-manage oauth2-client-add pithos-unsafe-domain --secret=<secret> --is-trusted --url https://user-content.example.com/pithos/ui/view |
|
615 |
|
|
616 |
|
|
617 |
.. note:: You can also unregister the client pointing to the safe domain, |
|
618 |
since it will no longer be useful. |
|
619 |
To do so, run the following:: |
|
620 |
|
|
621 |
astakos-host$ snf-manage oauth2-client-remove pithos-view |
|
622 |
|
|
623 |
#. **Update Pithos+ configuration** |
|
624 |
|
|
625 |
Respectively, the ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` setting should be |
|
626 |
updated to contain the credentials of the client registered in the previous |
|
627 |
step. |
|
628 |
|
|
629 |
Furthermore, you need to restrict all the requests for user content |
|
630 |
to be served exclusively by the unsafe domain. |
|
631 |
|
|
632 |
To enable this, set the ``PITHOS_UNSAFE_DOMAIN`` setting to the value |
|
633 |
of the new domain e.g. "user-content.example.com" |
|
634 |
|
|
635 |
Finally, restart the gunicorn server:: |
|
636 |
|
|
637 |
pithos-host$ /etc/init.d/gunicorn restart |
|
638 |
|
|
639 |
|
|
524 | 640 |
Compute/Network/Image Service (Cyclades) |
525 | 641 |
======================================== |
526 | 642 |
|
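Review bot: the `.. note::` that says "You can see the registered clients by running::" is immediately followed by the `snf-manage oauth2-client-list` line with no blank line in between, so RST will not render that command as a literal block; add a blank line before it, matching the later `oauth2-client-remove` note, which does have one. In the "Update Pithos+ configuration" step, "updated to contain the credentials of the client registered in the previous step" leaves the value of ``PITHOS_OAUTH2_CLIENT_CREDENTIALS`` unspecified; state that it pairs the identifier `pithos-unsafe-domain` with the value passed as `--secret` to `oauth2-client-add`, so the admin does not have to guess which two values go there. It would also help to say explicitly that the new vhost proxies to the same `http://localhost:8080/` backend as the trusted domain, so the isolation of untrusted user content rests entirely on the separate origin plus the separate OAuth2 client and the ``PITHOS_UNSAFE_DOMAIN`` restriction; the example domain should therefore not sit inside the cookie scope of the Astakos/Pithos+ domains.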