OpenIO swift deny host headers

Question

OpenIO 7.2.0.

I have an OpenIO with keystone (queens) auth cluster.

By default any user can configure his own acls and public url.

I would like to restrict user only for read and write in containers and objects.

Apparently deny_host_headers can do the job in proxy-server.conf but it not seems to be working -> nothing append.

I didn't find any "super admin" acls.

Any idea ?

My proxy-server.conf ->

# OpenIO managed
[DEFAULT]
use_stderr = False
bind_ip = ip
bind_port = port
workers = 72
max_clients = 1024
user = openio
log_facility = /dev/log
log_header = true
log_level = INFO
log_name = OIO,OPENIO,oioswift,0
eventlet_debug = false

sds_namespace = OPENIO
sds_proxy_url = http://ip:port
sds_default_account = openio

sds_connection_timeout = 5
sds_read_timeout = 35
sds_write_timeout = 35

sds_pool_connections = 500
sds_pool_maxsize = 500
sds_max_retries = 0

sds_tls = False


[pipeline:main]

pipeline = catch_errors  gatekeeper healthcheck proxy-logging cache bulk proxy-logging authtoken keystoneauth proxy-logging copy container-quotas account-quotas slo dlo versioned_writes proxy-logging proxy-server


[filter:catch_errors]
use = egg:swift#catch_errors

[filter:gatekeeper]
use = egg:swift#gatekeeper


[filter:healthcheck]
use = egg:oioswift#healthcheck

[filter:proxy-logging]
use = egg:swift#proxy_logging
access_log_headers = false
access_log_headers_only =  



[filter:cache]
use = egg:swift#memcache
memcache_servers = ip:port
memcache_max_connections = 10
oio_cache = False
oio_cache_ttl = 0

[filter:bulk]
use = egg:swift#bulk

#[filter:tempurl]
#use = egg:swift#tempurl

#[filter:swift3]
#use = egg:swift3#swift3
#force_swift_request_proxy_log = True
#s3_acl = True
#check_bucket_owner = True
#location = us-east-1
#max_bucket_listing = 1000
#max_multi_delete_objects = 1000
#max_upload_part_num = 10000
#log_s3api_command = False
#bucket_db_enabled = True
#bucket_db_prefix = s3bucket:
#storage_domain = s3.openio.io
#bucket_db_master_name = OPENIO-master-1
#bucket_db_sentinel_hosts = ip:port

#[filter:tempauth]
#use = egg:oioswift#tempauth
#user_demo_demo = DEMO_PASS .admin

[filter:copy]
use = egg:oioswift#copy
object_post_as_copy = False


[filter:container-quotas]
use = egg:swift#container_quotas

[filter:account-quotas]
use = egg:swift#account_quotas


[filter:slo]
use = egg:oioswift#slo
max_manifest_segments = 10000
concurrency = 10

[filter:dlo]
use = egg:swift#dlo

[filter:versioned_writes]
use = egg:oioswift#versioned_writes
allow_versioned_writes = True


[app:proxy-server]
use = egg:oioswift#main
object_post_as_copy = False
allow_account_management = True
account_autocreate = True
sds_chunk_checksum_algo = 
deny_host_headers = x-container-sync-key, x-container-sync-to, x-account-meta-temp-url-key, x-account-meta-temp-url-key-2, x-container-meta-temp-url-key, x-container-meta-temp-url-key-2, x-account-access-control

[filter:authtoken]
auth_type = password
#username = swift
username = user
project_name = user
region_name = region
user_domain_id = domain
memcache_secret_key = memcache_secret_key
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = True
cache = swift.cache
delay_auth_decision = True
token_cache_time = 300
auth_url = http://ip:port
include_service_catalog = False
www_authenticate_uri = http://ip:port
memcached_servers = ip:port
password = password
revocation_cache_time = 60
memcache_security_strategy = ENCRYPT
project_domain_id = dommain

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = role
reseller_admin_role = role

Answer 1

delay_auth_decision = False in authtoken section in proxy-server.conf file do the job.

delay_auth_decision : delay_auth_decision defaults to False, but leaving it as false will prevent other auth systems, staticweb, tempurl, formpost, and ACLs from working. This value must be explicitly set to True.

Now only files owners can view/create/edit containers/objects -> ACLs and sharing won't works.