All of lore.kernel.org
 help / color / mirror / Atom feed
From: Radoslaw Zarzynski <rzarzynski@mirantis.com>
To: Casey Bodley <cbodley@redhat.com>
Cc: The Sacred Order of the Squid Cybernetic <ceph-devel@vger.kernel.org>
Subject: Re: rgw: feedback on auth engine selection
Date: Thu, 8 Sep 2016 17:46:45 +0200	[thread overview]
Message-ID: <CA+H5UW3J3XtMeqhH7FjRCe-ocep-ZidLSpNX=1y=sX6GmcamRQ@mail.gmail.com> (raw)
In-Reply-To: <45ac8340-c6eb-8cdc-9c83-3db6f7f3fcd6@redhat.com>

On Wed, Sep 7, 2016 at 11:09 PM, Casey Bodley <cbodley@redhat.com> wrote:
>
> AWS v4 is a good example to look at, yeah. It's a special case, because
> there's a separate 'complete' step after reading the body of the request, so
> we need to track auth state between the calls to authorize() and complete().
> The current implementation stores this stuff in a 'struct rgw_aws4_auth'
> member of req_state.

Yup, AWS v4 was a game changer - not only from the perspective
of auth subsystem but for RGWOps as well. Before its introduction
the flow was pretty straightforward:

  1. authenticate - currently RGWHandler::authorize
  2. authorize - RGWOp::verify_permissions
  3. execute - RGWOp::execute

As you mentioned, in such situation AuthEngines can be truly
stateless. In the post-AWSv4 era things are more complicated,
unfortunately. This is the cost we're paying for assuring data
integrity without in-memory buffering on the application level.
Now the flow does look like:

  A. authenticate - RGWHandler::authorize
  B. authorize - RGWOp::verify_permissions
  C. execute_prepare - some parts of RGWOp::execute
  D. authenticate_complete - some parts of RGWOp::execute
  E. execute_commit - some parts of RGWOp::execute

The typical example is RGWPutObj::execute that actually does
point C, D, E. I can fully understand why we have this actually.
Though, in the future I would like to restore the clear separation
of concerns (the single responsibility principle). The new auth
infrastructure was designed to accommodate v4 as well.

> So far, all of the AuthEngine instances have been constructed on the stack
> in their handler's authorize() method, so their state has been limited to
> that scope. If a new AWS4AuthEngine were to encapsulate v4 auth this state,
> the engine would have to live somewhere outside of the authorize() method -
> most likely in req_state. But we could just as easily have a stateless
> AWS4AuthEngine that accessed the existing rgw_aws4_auth via req_state.
> Encapsulation of rgw_aws4_auth could be improved by making everything
> private except for a complete() method (and call it  AWS4AuthCompletion, for
> example).

I don't want to treat AWSv4 in any special way. I would prefer
to have simply an reference to AuthEngine in RGWHandler or
req_state if we want to make the first one stateless. The specific
implementation would encapsulate all required state inside.
Of course, the AuthEngine interface needs to be extended with
something like complete_authentication() but this was expected.
Moreover, AWSv4 was the main factor behind making AuthEngine
state-full.

Regards,
Radek

  reply	other threads:[~2016-09-08 15:46 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <e2a2e0c9-51e7-b703-2c8d-7b489d4e8994@redhat.com>
2016-09-07 17:19 ` rgw: feedback on auth engine selection Radoslaw Zarzynski
2016-09-07 21:05   ` Casey Bodley
2016-09-08 17:19     ` Radoslaw Zarzynski
2016-09-08 18:23       ` Casey Bodley
2016-09-12  9:48         ` Radoslaw Zarzynski
2016-09-12 18:35           ` Casey Bodley
2016-09-08 21:05       ` Matt Benjamin
2016-09-08 17:21     ` Pritha Srivastava
2016-09-09 15:43       ` Radoslaw Zarzynski
2016-09-07 21:09   ` Casey Bodley
2016-09-08 15:46     ` Radoslaw Zarzynski [this message]
2016-09-08 20:49       ` Casey Bodley
2016-09-11 23:20         ` Radoslaw Zarzynski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CA+H5UW3J3XtMeqhH7FjRCe-ocep-ZidLSpNX=1y=sX6GmcamRQ@mail.gmail.com' \
    --to=rzarzynski@mirantis.com \
    --cc=cbodley@redhat.com \
    --cc=ceph-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.