diff options
author | Samuel Merritt <sam@swiftstack.com> | 2014-03-20 18:53:54 -0700 |
---|---|---|
committer | Samuel Merritt <sam@swiftstack.com> | 2014-03-20 18:53:54 -0700 |
commit | c4a2313f4540c4512454788d4d4a3f330d5f65d3 (patch) | |
tree | e235d39937062131926f5c473ac9cc852de2bd41 | |
parent | 182ff7aefc15ce2325be41076d62adb2baf8f50b (diff) | |
download | swift-c4a2313f4540c4512454788d4d4a3f330d5f65d3.tar.gz |
Block X-Backend* in gatekeeper
By moving the blocking to gatekeeper from the proxy server, we gain
the ability to pass X-Backend headers in via InternalClient while
still keeping real clients from using them.
I wanted this functionality while working on storage policies; I had
an InternalClient and wanted to tell it to use a specific policy index
instead of what the container said, and that seemed like a good time
for an X-Backend header.
Change-Id: I4089e980d3cfca660365c7df799723b1f16ba277
-rw-r--r-- | swift/common/middleware/gatekeeper.py | 3 | ||||
-rw-r--r-- | swift/proxy/server.py | 5 | ||||
-rw-r--r-- | test/unit/common/middleware/test_gatekeeper.py | 9 |
3 files changed, 9 insertions, 8 deletions
diff --git a/swift/common/middleware/gatekeeper.py b/swift/common/middleware/gatekeeper.py index f645d1dd5..5e680d0e2 100644 --- a/swift/common/middleware/gatekeeper.py +++ b/swift/common/middleware/gatekeeper.py @@ -45,7 +45,8 @@ import re # rather than prefix match. inbound_exclusions = [get_sys_meta_prefix('account'), get_sys_meta_prefix('container'), - get_sys_meta_prefix('object')] + get_sys_meta_prefix('object'), + 'x-backend'] # 'x-object-sysmeta' is reserved in anticipation of future support # for system metadata being applied to objects diff --git a/swift/proxy/server.py b/swift/proxy/server.py index 5b4a5b7b2..f6af6e63c 100644 --- a/swift/proxy/server.py +++ b/swift/proxy/server.py @@ -264,11 +264,6 @@ class Application(object): try: if self.memcache is None: self.memcache = cache_from_env(env) - # Remove any x-backend-* headers since those are reserved for use - # by backends communicating with each other; no end user should be - # able to send those into the cluster. - for key in list(k for k in env if k.startswith('HTTP_X_BACKEND_')): - del env[key] req = self.update_request(Request(env)) return self.handle_request(req)(env, start_response) except UnicodeError: diff --git a/test/unit/common/middleware/test_gatekeeper.py b/test/unit/common/middleware/test_gatekeeper.py index 0220eca91..846baecb7 100644 --- a/test/unit/common/middleware/test_gatekeeper.py +++ b/test/unit/common/middleware/test_gatekeeper.py @@ -68,8 +68,13 @@ class TestGatekeeper(unittest.TestCase): 'X-Container-Sysmeta-BAR': 'value', 'X-Object-Sysmeta-BAR': 'value'} - forbidden_headers_out = dict(sysmeta_headers) - forbidden_headers_in = dict(sysmeta_headers) + x_backend_headers = {'X-Backend-Replication': 'true', + 'X-Backend-Replication-Headers': 'stuff'} + + forbidden_headers_out = dict(sysmeta_headers.items() + + x_backend_headers.items()) + forbidden_headers_in = dict(sysmeta_headers.items() + + x_backend_headers.items()) def _assertHeadersEqual(self, expected, actual): for key in expected: |