OpenStack Object Storage (swift)

Merge lp:~gholt/swift/consync into lp:~hudson-openstack/swift/trunk

consync
Merge into trunk

Proposed by gholt on 2011-02-24

Status:	Superseded
Proposed branch:	lp:~gholt/swift/consync
Merge into:	lp:~hudson-openstack/swift/trunk
Diff against target:	8295 lines (+1918/-5294) 38 files modified bin/st (+47/-15) bin/swauth-add-account (+0/-68) bin/swauth-add-user (+0/-93) bin/swauth-cleanup-tokens (+0/-118) bin/swauth-delete-account (+0/-60) bin/swauth-delete-user (+0/-60) bin/swauth-list (+0/-86) bin/swauth-prep (+0/-59) bin/swauth-set-account-service (+0/-73) bin/swift-container-sync (+23/-0) doc/source/admin_guide.rst (+0/-16) doc/source/container.rst (+7/-0) doc/source/deployment_guide.rst (+33/-28) doc/source/development_auth.rst (+7/-7) doc/source/development_saio.rst (+19/-19) doc/source/howto_installmultinode.rst (+11/-52) doc/source/index.rst (+1/-0) doc/source/misc.rst (+6/-6) doc/source/overview_auth.rst (+8/-151) doc/source/overview_container_sync.rst (+220/-0) etc/container-server.conf-sample (+13/-0) etc/proxy-server.conf-sample (+27/-17) setup.py (+2/-6) swift/common/client.py (+28/-10) swift/common/db.py (+64/-9) swift/common/manager.py (+4/-3) swift/common/middleware/staticweb.py (+1/-1) swift/common/middleware/swauth.py (+0/-1374) swift/common/middleware/tempauth.py (+495/-0) swift/common/utils.py (+26/-0) swift/container/server.py (+21/-4) swift/container/sync.py (+409/-0) swift/obj/server.py (+20/-11) swift/proxy/server.py (+65/-22) test/probe/common.py (+19/-21) test/unit/common/middleware/test_tempauth.py (+230/-2905) test/unit/common/test_db.py (+92/-0) test/unit/common/test_utils.py (+20/-0)
To merge this branch:	bzr merge lp:~gholt/swift/consync
Related bugs:	Link a bug report
Related blueprints:	Multiple Cluster Container Syncing (Undefined)

Reviewer	Review Type	Date Requested	Status
Swift Core security contacts		2011-02-24	Pending
Review via email: mp+51081@code.launchpad.net

Commit message

Container synchronization feature

Description of the change

First, create containers that will sync to each other. The -t specifies the x-container-sync-to value, which should be the full URL to the other container. The -k specifies the x-container-sync-key value, which should be set to the same value on each container:
$ st post -t 'http://127.0.0.1:8080/v1/AUTH_gholt/container2' -k 'abc' container
$ st post -t 'http://127.0.0.1:8080/v1/AUTH_gholt/container' -k 'abc' container2

Then, upload a file to one container and quickly note that it's not in the other:
$ st upload container README
$ st list container2

Now, run the synchronizer:
$ swift-init container-sync once

The file should have been synced over to the container missing it:
$ st list container2
README

To show it goes both ways, upload a file to the other container and note that it's not in the first:
$ st upload container2 AUTHORS
$ st list container
README

Run the synchronizer:
$ swift-init container-sync once

And see the file is in the first container now:
$ st list container
AUTHORS
README

Deletes work as well.

I still have a lot of work to do, but it's basically working.

Known To Do List
----------------

* Merge with DeSwauth
* Add support to TempAuth
* HTTP Proxy
* Change POSTs to in-place COPYs
* Write tests
* Update documentation
* Release Swauth 1.0.2

lp:~gholt/swift/consync updated on 2011-07-14

226. By gholt on 2011-02-24: Restrict hosts that can be targets/sources of container syncing
227. By gholt on 2011-02-24: made x_container_sync_row its own column
228. By gholt on 2011-02-24: More docs
229. By gholt on 2011-02-26: Added [container-sync] to SAIO instructions
230. By gholt on 2011-02-28: Merged from trunk
231. By gholt on 2011-03-02: Double sync point code to divy up work amongst main nodes
232. By gholt on 2011-03-02: Container sync doc updates
233. By gholt on 2011-03-03: Merged from trunk
234. By gholt on 2011-03-18: Require x-timestamp for container-sync requests
235. By gholt on 2011-03-18: Merged from trunk
236. By gholt on 2011-04-15: Merged from trunk
237. By gholt on 2011-04-15: Merged from trunk
238. By gholt on 2011-04-15: consync: Make send-all-keys be send-all-keys-we-didnt-already-send
239. By gholt on 2011-04-15: Bring st to date with client.py
240. By gholt on 2011-04-15: consync: Make validate_sync_to explicitly return None on validation
241. By gholt on 2011-04-16: Merged from trunk
242. By gholt on 2011-04-18: Merge from trunk
243. By gholt on 2011-05-11: Merged from trunk
244. By gholt on 2011-05-11: Merged from trunk
245. By gholt on 2011-06-01: Merged with trunk
246. By gholt on 2011-06-01: Merge from trunk
247. By gholt on 2011-06-03: Merged with deswauth
248. By gholt on 2011-06-03: container-sync: Support HTTP proxy.
249. By gholt on 2011-06-03: st: resync with client.py changes
250. By gholt on 2011-06-06: Updated container-server.conf-sample
251. By gholt on 2011-06-10: Merged from trunk
252. By gholt on 2011-06-10: Merged from trunk
253. By gholt on 2011-06-13: Merged from trunk
254. By gholt on 2011-06-14: Merged from trunk
255. By gholt on 2011-06-14: Removing bin/st in prep for merge from trunk
256. By gholt on 2011-06-14: Merge from trunk
257. By gholt on 2011-06-14: Readded changes to bin/swift after merge from trunk
258. By gholt on 2011-06-15: consync: Some more tests and bugfixes.
259. By gholt on 2011-06-16: consync: More tests and slight refactor to be more testable
260. By gholt on 2011-06-16: consync: Now queries all primary nodes for a put and uses the newest object if it is newer or equal to the object to sync
261. By gholt on 2011-06-16: consync: Minor change to ignore 404 is there is some other error from another node
262. By gholt on 2011-06-16: Merge from trunk
263. By gholt on 2011-06-22: Doc updates
264. By gholt on 2011-06-29: consync: updated class docs
265. By gholt on 2011-06-30: Merged from trunk
266. By gholt on 2011-07-05: consync: updated client.py to better work with proxies. Had to use the private httplib._set_tunnel though. :/
267. By gholt on 2011-07-07: Updated swift util with client.py changes.
268. By gholt on 2011-07-08: consync: fixes as per the code roast
269. By gholt on 2011-07-10: comment on domain_remap regarding container sync
270. By gholt on 2011-07-14: Merged from trunk
271. By gholt on 2011-07-14: Added notes about container sync and large objects
272. By gholt on 2011-07-14: Reset container sync points when the sync-to changes
273. By gholt on 2011-07-14: Ensure paired alter table commands are in same transaction

Unmerged revisions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes:

Anne Gentle

Blake Barnett

Chmouel Boudjnah

Chuck Short

Colin Nicholson

David Goetz

Devin Carlen

Doug Weimer

Isaku Yamahata

JJ Asghar

Joe Arnold

Jonathan Bryce

Mike Barton

Pedro Perez

Pugazhendhi

Tomoya Masuko

anticw

autumn wang

clayg

gholt

jeremyb

wangkun

 === modified file 'bin/st'
 --- bin/st	2011-05-19 14:48:15 +0000
 +++ bin/st	2011-06-03 00:13:27 +0000
@@ -578,9 +578,9 @@
      return resp_headers
--def put_object(url, token, container, name, contents, content_length=None,
--               etag=None, chunk_size=65536, content_type=None, headers=None,
--               http_conn=None):
++def put_object(url, token=None, container=None, name=None, contents=None,
++               content_length=None, etag=None, chunk_size=65536,
++               content_type=None, headers=None, http_conn=None):
      """
      Put an object
@@ -604,10 +604,17 @@
          parsed, conn = http_conn
      else:
          parsed, conn = http_connection(url)
--    path = '%s/%s/%s' % (parsed.path, quote(container), quote(name))
--    if not headers:
++    path = parsed.path
++    if container:
++        path = '%s/%s' % (path.rstrip('/'), quote(container))
++    if name:
++        path = '%s/%s' % (path.rstrip('/'), quote(name))
++    if headers:
++        headers = dict(headers)
++    else:
          headers = {}
--    headers['X-Auth-Token'] = token
++    if token:
++        headers['X-Auth-Token'] = token
      if etag:
          headers['ETag'] = etag.strip('"')
      if content_length is not None:
@@ -646,7 +653,7 @@
          raise ClientException('Object PUT failed', http_scheme=parsed.scheme,
                  http_host=conn.host, http_port=conn.port, http_path=path,
                  http_status=resp.status, http_reason=resp.reason)
--    return resp.getheader('etag').strip('"')
++    return resp.getheader('etag', '').strip('"')
  def post_object(url, token, container, name, headers, http_conn=None):
@@ -677,7 +684,8 @@
                  http_status=resp.status, http_reason=resp.reason)
--def delete_object(url, token, container, name, http_conn=None):
++def delete_object(url, token=None, container=None, name=None, http_conn=None,
++                  headers=None):
      """
      Delete object
@@ -693,8 +701,18 @@
          parsed, conn = http_conn
      else:
          parsed, conn = http_connection(url)
--    path = '%s/%s/%s' % (parsed.path, quote(container), quote(name))
--    conn.request('DELETE', path, '', {'X-Auth-Token': token})
++    path = parsed.path
++    if container:
++        path = '%s/%s' % (path.rstrip('/'), quote(container))
++    if name:
++        path = '%s/%s' % (path.rstrip('/'), quote(name))
++    if headers:
++        headers = dict(headers)
++    else:
++        headers = {}
++    if token:
++        headers['X-Auth-Token'] = token
++    conn.request('DELETE', path, '', headers)
      resp = conn.getresponse()
      resp.read()
      if resp.status < 200 or resp.status >= 300:
@@ -1363,10 +1381,14 @@
    Objects: %d
      Bytes: %d
   Read ACL: %s
--Write ACL: %s'''.strip('\n') % (conn.url.rsplit('/', 1)[-1], args[0],
++Write ACL: %s
++  Sync To: %s
++ Sync Key: %s'''.strip('\n') % (conn.url.rsplit('/', 1)[-1], args[0],
                                  object_count, bytes_used,
                                  headers.get('x-container-read', ''),
--                                headers.get('x-container-write', '')))
++                                headers.get('x-container-write', ''),
++                                headers.get('x-container-sync-to', ''),
++                                headers.get('x-container-sync-key', '')))
              for key, value in headers.items():
                  if key.startswith('x-container-meta-'):
                      print_queue.put('%9s: %s' % ('Meta %s' %
@@ -1375,7 +1397,8 @@
                  if not key.startswith('x-container-meta-') and key not in (
                          'content-length', 'date', 'x-container-object-count',
                          'x-container-bytes-used', 'x-container-read',
--                        'x-container-write'):
++                        'x-container-write', 'x-container-sync-to',
++                        'x-container-sync-key'):
                      print_queue.put(
                          '%9s: %s' % (key.title(), value))
          except ClientException, err:
@@ -1440,13 +1463,18 @@
      parser.add_option('-w', '--write-acl', dest='write_acl', help='Sets the '
          'Write ACL for containers. Quick summary of ACL syntax: account1, '
          'account2:user2')
++    parser.add_option('-t', '--sync-to', dest='sync_to', help='Sets the '
++        'Sync To for containers, for multi-cluster replication.')
++    parser.add_option('-k', '--sync-key', dest='sync_key', help='Sets the '
++        'Sync Key for containers, for multi-cluster replication.')
      parser.add_option('-m', '--meta', action='append', dest='meta', default=[],
          help='Sets a meta data item with the syntax name:value. This option '
          'may be repeated. Example: -m Color:Blue -m Size:Large')
      (options, args) = parse_args(parser, args)
      args = args[1:]
--    if (options.read_acl or options.write_acl) and not args:
--        exit('-r and -w options only allowed for containers')
++    if (options.read_acl or options.write_acl or options.sync_to or
++        options.sync_key) and not args:
++        exit('-r, -w, -t, and -k options only allowed for containers')
      conn = Connection(options.auth, options.user, options.key)
      if not args:
          headers = {}
@@ -1474,6 +1502,10 @@
              headers['X-Container-Read'] = options.read_acl
          if options.write_acl is not None:
              headers['X-Container-Write'] = options.write_acl
++        if options.sync_to is not None:
++            headers['X-Container-Sync-To'] = options.sync_to
++        if options.sync_key is not None:
++            headers['X-Container-Sync-Key'] = options.sync_key
          try:
              conn.post_container(args[0], headers=headers)
          except ClientException, err:
 === removed file 'bin/swauth-add-account'
 --- bin/swauth-add-account	2011-04-18 16:08:48 +0000
 +++ bin/swauth-add-account	1970-01-01 00:00:00 +0000
@@ -1,68 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='Usage: %prog [options] <account>')
--    parser.add_option('-s', '--suffix', dest='suffix',
--        default='', help='The suffix to use with the reseller prefix as the '
--        'storage account name (default: <randomly-generated-uuid4>) Note: If '
--        'the account already exists, this will have no effect on existing '
--        'service URLs. Those will need to be updated with '
--        'swauth-set-account-service')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/)')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) != 1:
--        parser.parse_args(['-h'])
--    account = args[0]
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    path = '%sv2/%s' % (parsed_path, account)
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    if options.suffix:
--        headers['X-Account-Suffix'] = options.suffix
--    conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        exit('Account creation failed: %s %s' % (resp.status, resp.reason))
 === removed file 'bin/swauth-add-user'
 --- bin/swauth-add-user	2011-04-18 16:08:48 +0000
 +++ bin/swauth-add-user	1970-01-01 00:00:00 +0000
@@ -1,93 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(
--        usage='Usage: %prog [options] <account> <user> <password>')
--    parser.add_option('-a', '--admin', dest='admin', action='store_true',
--        default=False, help='Give the user administrator access; otherwise '
--        'the user will only have access to containers specifically allowed '
--        'with ACLs.')
--    parser.add_option('-r', '--reseller-admin', dest='reseller_admin',
--        action='store_true', default=False, help='Give the user full reseller '
--        'administrator access, giving them full access to all accounts within '
--        'the reseller, including the ability to create new accounts. Creating '
--        'a new reseller admin requires super_admin rights.')
--    parser.add_option('-s', '--suffix', dest='suffix',
--        default='', help='The suffix to use with the reseller prefix as the '
--        'storage account name (default: <randomly-generated-uuid4>) Note: If '
--        'the account already exists, this will have no effect on existing '
--        'service URLs. Those will need to be updated with '
--        'swauth-set-account-service')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) != 3:
--        parser.parse_args(['-h'])
--    account, user, password = args
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    # Ensure the account exists
--    path = '%sv2/%s' % (parsed_path, account)
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    if options.suffix:
--        headers['X-Account-Suffix'] = options.suffix
--    conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        print 'Account creation failed: %s %s' % (resp.status, resp.reason)
--    # Add the user
--    path = '%sv2/%s/%s' % (parsed_path, account, user)
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key,
--               'X-Auth-User-Key': password}
--    if options.admin:
--        headers['X-Auth-User-Admin'] = 'true'
--    if options.reseller_admin:
--        headers['X-Auth-User-Reseller-Admin'] = 'true'
--    conn = http_connect(parsed.hostname, parsed.port, 'PUT', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        exit('User creation failed: %s %s' % (resp.status, resp.reason))
 === removed file 'bin/swauth-cleanup-tokens'
 --- bin/swauth-cleanup-tokens	2011-04-18 16:08:48 +0000
 +++ bin/swauth-cleanup-tokens	1970-01-01 00:00:00 +0000
@@ -1,118 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--try:
--    import simplejson as json
--except ImportError:
--    import json
--import gettext
--import re
--from datetime import datetime, timedelta
--from optparse import OptionParser
--from sys import argv, exit
--from time import sleep, time
--
--from swift.common.client import Connection, ClientException
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='Usage: %prog [options]')
--    parser.add_option('-t', '--token-life', dest='token_life',
--        default='86400', help='The expected life of tokens; token objects '
--        'modified more than this number of seconds ago will be checked for '
--        'expiration (default: 86400).')
--    parser.add_option('-s', '--sleep', dest='sleep',
--        default='0.1', help='The number of seconds to sleep between token '
--        'checks (default: 0.1)')
--    parser.add_option('-v', '--verbose', dest='verbose', action='store_true',
--        default=False, help='Outputs everything done instead of just the '
--        'deletions.')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/)')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for .super_admin.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) != 0:
--        parser.parse_args(['-h'])
--    options.admin_url = options.admin_url.rstrip('/')
--    if not options.admin_url.endswith('/v1.0'):
--        options.admin_url += '/v1.0'
--    options.admin_user = '.super_admin:.super_admin'
--    options.token_life = timedelta(0, float(options.token_life))
--    options.sleep = float(options.sleep)
--    conn = Connection(options.admin_url, options.admin_user, options.admin_key)
--    for x in xrange(16):
--        container = '.token_%x' % x
--        marker = None
--        while True:
--            if options.verbose:
--                print 'GET %s?marker=%s' % (container, marker)
--            try:
--                objs = conn.get_container(container, marker=marker)[1]
--            except ClientException, e:
--                if e.http_status == 404:
--                    exit('Container %s not found. swauth-prep needs to be '
--                        'rerun' % (container))
--                else:
--                    exit('Object listing on container %s failed with status '
--                        'code %d' % (container, e.http_status))
--            if objs:
--                marker = objs[-1]['name']
--            else:
--                if options.verbose:
--                    print 'No more objects in %s' % container
--                break
--            for obj in objs:
--                last_modified = datetime(*map(int, re.split('[^\d]',
--                                              obj['last_modified'])[:-1]))
--                ago = datetime.utcnow() - last_modified
--                if ago > options.token_life:
--                    if options.verbose:
--                        print '%s/%s last modified %ss ago; investigating' % \
--                              (container, obj['name'],
--                               ago.days * 86400 + ago.seconds)
--                        print 'GET %s/%s' % (container, obj['name'])
--                    detail = conn.get_object(container, obj['name'])[1]
--                    detail = json.loads(detail)
--                    if detail['expires'] < time():
--                        if options.verbose:
--                            print '%s/%s expired %ds ago; deleting' % \
--                                  (container, obj['name'],
--                                   time() - detail['expires'])
--                        print 'DELETE %s/%s' % (container, obj['name'])
--                        try:
--                            conn.delete_object(container, obj['name'])
--                        except ClientException, e:
--                            if e.http_status != 404:
--                                print 'DELETE of %s/%s failed with status ' \
--                                    'code %d' % (container, obj['name'],
--                                    e.http_status)
--                    elif options.verbose:
--                        print "%s/%s won't expire for %ds; skipping" % \
--                              (container, obj['name'],
--                               detail['expires'] - time())
--                elif options.verbose:
--                    print '%s/%s last modified %ss ago; skipping' % \
--                          (container, obj['name'],
--                           ago.days * 86400 + ago.seconds)
--                sleep(options.sleep)
--    if options.verbose:
--        print 'Done.'
 === removed file 'bin/swauth-delete-account'
 --- bin/swauth-delete-account	2011-04-18 16:08:48 +0000
 +++ bin/swauth-delete-account	1970-01-01 00:00:00 +0000
@@ -1,60 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='Usage: %prog [options] <account>')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) != 1:
--        parser.parse_args(['-h'])
--    account = args[0]
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    path = '%sv2/%s' % (parsed_path, account)
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        exit('Account deletion failed: %s %s' % (resp.status, resp.reason))
 === removed file 'bin/swauth-delete-user'
 --- bin/swauth-delete-user	2011-04-18 16:08:48 +0000
 +++ bin/swauth-delete-user	1970-01-01 00:00:00 +0000
@@ -1,60 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='Usage: %prog [options] <account> <user>')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) != 2:
--        parser.parse_args(['-h'])
--    account, user = args
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    path = '%sv2/%s/%s' % (parsed_path, account, user)
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    conn = http_connect(parsed.hostname, parsed.port, 'DELETE', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        exit('User deletion failed: %s %s' % (resp.status, resp.reason))
 === removed file 'bin/swauth-list'
 --- bin/swauth-list	2011-04-18 16:08:48 +0000
 +++ bin/swauth-list	1970-01-01 00:00:00 +0000
@@ -1,86 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--try:
--    import simplejson as json
--except ImportError:
--    import json
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='''
--Usage: %prog [options] [account] [user]
--
--If [account] and [user] are omitted, a list of accounts will be output.
--
--If [account] is included but not [user], an account's information will be
--output, including a list of users within the account.
--
--If [account] and [user] are included, the user's information will be output,
--including a list of groups the user belongs to.
--
--If the [user] is '.groups', the active groups for the account will be listed.
--'''.strip())
--    parser.add_option('-p', '--plain-text', dest='plain_text',
--        action='store_true', default=False, help='Changes the output from '
--        'JSON to plain text. This will cause an account to list only the '
--        'users and a user to list only the groups.')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) > 2:
--        parser.parse_args(['-h'])
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    path = '%sv2/%s' % (parsed_path, '/'.join(args))
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    conn = http_connect(parsed.hostname, parsed.port, 'GET', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    body = resp.read()
--    if resp.status // 100 != 2:
--        exit('List failed: %s %s' % (resp.status, resp.reason))
--    if options.plain_text:
--        info = json.loads(body)
--        for group in info[['accounts', 'users', 'groups'][len(args)]]:
--            print group['name']
--    else:
--        print body
 === removed file 'bin/swauth-prep'
 --- bin/swauth-prep	2011-04-18 16:08:48 +0000
 +++ bin/swauth-prep	1970-01-01 00:00:00 +0000
@@ -1,59 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='Usage: %prog [options]')
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if args:
--        parser.parse_args(['-h'])
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    path = '%sv2/.prep' % parsed_path
--    headers = {'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        exit('Auth subsystem prep failed: %s %s' % (resp.status, resp.reason))
 === removed file 'bin/swauth-set-account-service'
 --- bin/swauth-set-account-service	2011-04-18 16:08:48 +0000
 +++ bin/swauth-set-account-service	1970-01-01 00:00:00 +0000
@@ -1,73 +0,0 @@
--#!/usr/bin/env python
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--try:
--    import simplejson as json
--except ImportError:
--    import json
--import gettext
--from optparse import OptionParser
--from os.path import basename
--from sys import argv, exit
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.utils import urlparse
--
--
--if __name__ == '__main__':
--    gettext.install('swift', unicode=1)
--    parser = OptionParser(usage='''
--Usage: %prog [options] <account> <service> <name> <value>
--
--Sets a service URL for an account. Can only be set by a reseller admin.
--
--Example: %prog -K swauthkey test storage local http://127.0.0.1:8080/v1/AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162
--'''.strip())
--    parser.add_option('-A', '--admin-url', dest='admin_url',
--        default='http://127.0.0.1:8080/auth/', help='The URL to the auth '
--        'subsystem (default: http://127.0.0.1:8080/auth/)')
--    parser.add_option('-U', '--admin-user', dest='admin_user',
--        default='.super_admin', help='The user with admin rights to add users '
--        '(default: .super_admin).')
--    parser.add_option('-K', '--admin-key', dest='admin_key',
--        help='The key for the user with admin rights to add users.')
--    args = argv[1:]
--    if not args:
--        args.append('-h')
--    (options, args) = parser.parse_args(args)
--    if len(args) != 4:
--        parser.parse_args(['-h'])
--    account, service, name, url = args
--    parsed = urlparse(options.admin_url)
--    if parsed.scheme not in ('http', 'https'):
--        raise Exception('Cannot handle protocol scheme %s for url %s' %
--                        (parsed.scheme, repr(options.admin_url)))
--    parsed_path = parsed.path
--    if not parsed_path:
--        parsed_path = '/'
--    elif parsed_path[-1] != '/':
--        parsed_path += '/'
--    path = '%sv2/%s/.services' % (parsed_path, account)
--    body = json.dumps({service: {name: url}})
--    headers = {'Content-Length': str(len(body)),
--               'X-Auth-Admin-User': options.admin_user,
--               'X-Auth-Admin-Key': options.admin_key}
--    conn = http_connect(parsed.hostname, parsed.port, 'POST', path, headers,
--                        ssl=(parsed.scheme == 'https'))
--    conn.send(body)
--    resp = conn.getresponse()
--    if resp.status // 100 != 2:
--        exit('Service set failed: %s %s' % (resp.status, resp.reason))
 === added file 'bin/swift-container-sync'
 --- bin/swift-container-sync	1970-01-01 00:00:00 +0000
 +++ bin/swift-container-sync	2011-06-03 00:13:27 +0000
@@ -0,0 +1,23 @@
++#!/usr/bin/python
++# Copyright (c) 2010-2011 OpenStack, LLC.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#    http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++# implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++from swift.container.sync import ContainerSync
++from swift.common.utils import parse_options
++from swift.common.daemon import run_daemon
++
++if __name__ == '__main__':
++    conf_file, options = parse_options(once=True)
++    run_daemon(ContainerSync, conf_file, **options)
 === modified file 'doc/source/admin_guide.rst'
 --- doc/source/admin_guide.rst	2011-03-31 22:32:41 +0000
 +++ doc/source/admin_guide.rst	2011-06-03 00:13:27 +0000
@@ -222,22 +222,6 @@
      Sample represents 1.00% of the object partition space
--------------------------------------
--Additional Cleanup Script for Swauth
--------------------------------------
--
--With Swauth, you'll want to install a cronjob to clean up any
--orphaned expired tokens. These orphaned tokens can occur when a "stampede"
--occurs where a single user authenticates several times concurrently. Generally,
--these orphaned tokens don't pose much of an issue, but it's good to clean them
--up once a "token life" period (default: 1 day or 86400 seconds).
--
--This should be as simple as adding `swauth-cleanup-tokens -A
--https://<PROXY_HOSTNAME>:8080/auth/ -K swauthkey > /dev/null` to a crontab
--entry on one of the proxies that is running Swauth; but run
--`swauth-cleanup-tokens` with no arguments for detailed help on the options
--available.
--
  ------------------------
  Debugging Tips and Tools
  ------------------------
 === modified file 'doc/source/container.rst'
 --- doc/source/container.rst	2010-07-19 16:25:18 +0000
 +++ doc/source/container.rst	2011-06-03 00:13:27 +0000
@@ -34,3 +34,10 @@
      :undoc-members:
      :show-inheritance:
++Container Sync
++==============
++
++.. automodule:: swift.container.sync
++    :members:
++    :undoc-members:
++    :show-inheritance:
 === modified file 'doc/source/deployment_guide.rst'
 --- doc/source/deployment_guide.rst	2011-01-25 00:28:22 +0000
 +++ doc/source/deployment_guide.rst	2011-06-03 00:13:27 +0000
@@ -549,35 +549,17 @@
                                                 are even callable
  ============================  ===============  =============================
--[auth]
--
--============  ===================================  ========================
--Option        Default                              Description
--------------  -----------------------------------  ------------------------
--use                                                Entry point for paste.deploy
--                                                   to use for auth.  To
--                                                   use the swift dev auth,
--                                                   set to:
--                                                   `egg:swift#auth`
--ip            127.0.0.1                            IP address of auth
--                                                   server
--port          11000                                Port of auth server
--ssl           False                                If True, use SSL to
--                                                   connect to auth
--node_timeout  10                                   Request timeout
--============  ===================================  ========================
--
--[swauth]
++[tempauth]
  =====================  =============================== =======================
  Option                 Default                         Description
  ---------------------  ------------------------------- -----------------------
  use                                                    Entry point for
                                                         paste.deploy to use for
--                                                       auth. To use the swauth
++                                                       auth. To use tempauth
                                                         set to:
--                                                       `egg:swift#swauth`
--set log_name           auth-server                     Label used when logging
++                                                       `egg:swift#tempauth`
++set log_name           tempauth                        Label used when logging
  set log_facility       LOG_LOCAL0                      Syslog log facility
  set log_level          INFO                            Log level
  set log_headers        True                            If True, log headers in
@@ -593,16 +575,39 @@
                                                         reserves anything
                                                         beginning with the
                                                         letter `v`.
--default_swift_cluster  local#http://127.0.0.1:8080/v1  The default Swift
--                                                       cluster to place newly
--                                                       created accounts on.
  token_life             86400                           The number of seconds a
                                                         token is valid.
--node_timeout           10                              Request timeout
--super_admin_key        None                            The key for the
--                                                       .super_admin account.
  =====================  =============================== =======================
++Additionally, you need to list all the accounts/users you want here. The format
++is::
++
++    user_<account>_<user> = <key> [group] [group] [...] [storage_url]
++
++There are special groups of::
++
++    .reseller_admin = can do anything to any account for this auth
++    .admin = can do anything within the account
++
++If neither of these groups are specified, the user can only access containers
++that have been explicitly allowed for them by a .admin or .reseller_admin.
++
++The trailing optional storage_url allows you to specify an alternate url to
++hand back to the user upon authentication. If not specified, this defaults to::
++
++    http[s]://<ip>:<port>/v1/<reseller_prefix>_<account>
++
++Where http or https depends on whether cert_file is specified in the [DEFAULT]
++section, <ip> and <port> are based on the [DEFAULT] section's bind_ip and
++bind_port (falling back to 127.0.0.1 and 8080), <reseller_prefix> is from this
++section, and <account> is from the user_<account>_<user> name.
++
++Here are example entries, required for running the tests::
++
++    user_admin_admin = admin .admin .reseller_admin
++    user_test_tester = testing .admin
++    user_test2_tester2 = testing2 .admin
++    user_test_tester3 = testing3
  ------------------------
  Memcached Considerations
 === modified file 'doc/source/development_auth.rst'
 --- doc/source/development_auth.rst	2011-03-14 02:56:37 +0000
 +++ doc/source/development_auth.rst	2011-06-03 00:13:27 +0000
@@ -6,7 +6,7 @@
  Creating Your Own Auth Server and Middleware
  --------------------------------------------
--The included swift/common/middleware/swauth.py is a good example of how to
++The included swift/common/middleware/tempauth.py is a good example of how to
  create an auth subsystem with proxy server auth middleware. The main points are
  that the auth middleware can reject requests up front, before they ever get to
  the Swift Proxy application, and afterwards when the proxy issues callbacks to
@@ -27,7 +27,7 @@
  environ['REMOTE_USER'] set to the authenticated user string but often more
  information is needed than just that.
--The included Swauth will set the REMOTE_USER to a comma separated list of
++The included TempAuth will set the REMOTE_USER to a comma separated list of
  groups the user belongs to. The first group will be the "user's group", a group
  that only the user belongs to. The second group will be the "account's group",
  a group that includes all users for that auth account (different than the
@@ -37,7 +37,7 @@
  It is highly recommended that authentication server implementers prefix their
  tokens and Swift storage accounts they create with a configurable reseller
--prefix (`AUTH_` by default with the included Swauth). This prefix will avoid
++prefix (`AUTH_` by default with the included TempAuth). This prefix will avoid
  conflicts with other authentication servers that might be using the same
  Swift cluster. Otherwise, the Swift cluster will have to try all the resellers
  until one validates a token or all fail.
@@ -46,14 +46,14 @@
  '.' as that is reserved for internal Swift use (such as the .r for referrer
  designations as you'll see later).
--Example Authentication with Swauth:
++Example Authentication with TempAuth:
--    * Token AUTH_tkabcd is given to the Swauth middleware in a request's
++    * Token AUTH_tkabcd is given to the TempAuth middleware in a request's
        X-Auth-Token header.
--    * The Swauth middleware validates the token AUTH_tkabcd and discovers
++    * The TempAuth middleware validates the token AUTH_tkabcd and discovers
        it matches the "tester" user within the "test" account for the storage
        account "AUTH_storage_xyz".
--    * The Swauth server sets the REMOTE_USER to
++    * The TempAuth middleware sets the REMOTE_USER to
        "test:tester,test,AUTH_storage_xyz"
      * Now this user will have full access (via authorization procedures later)
        to the AUTH_storage_xyz Swift storage account and access to containers in
 === modified file 'doc/source/development_saio.rst'
 --- doc/source/development_saio.rst	2011-05-18 15:26:52 +0000
 +++ doc/source/development_saio.rst	2011-06-03 00:13:27 +0000
@@ -265,16 +265,18 @@
          log_facility = LOG_LOCAL1
          [pipeline:main]
--        pipeline = healthcheck cache swauth proxy-server
++        pipeline = healthcheck cache tempauth proxy-server
          [app:proxy-server]
          use = egg:swift#proxy
          allow_account_management = true
--        [filter:swauth]
--        use = egg:swift#swauth
--        # Highly recommended to change this.
--        super_admin_key = swauthkey
++        [filter:tempauth]
++        use = egg:swift#tempauth
++        user_admin_admin = admin .admin .reseller_admin
++        user_test_tester = testing .admin
++        user_test2_tester2 = testing2 .admin
++        user_test_tester3 = testing3
          [filter:healthcheck]
          use = egg:swift#healthcheck
@@ -398,6 +400,8 @@
          [container-auditor]
++        [container-sync]
++
    #. Create `/etc/swift/container-server/2.conf`::
          [DEFAULT]
@@ -420,6 +424,8 @@
          [container-auditor]
++        [container-sync]
++
    #. Create `/etc/swift/container-server/3.conf`::
          [DEFAULT]
@@ -442,6 +448,8 @@
          [container-auditor]
++        [container-sync]
++
    #. Create `/etc/swift/container-server/4.conf`::
          [DEFAULT]
@@ -464,6 +472,8 @@
          [container-auditor]
++        [container-sync]
++
    #. Create `/etc/swift/object-server/1.conf`::
@@ -558,8 +568,10 @@
  ------------------------------------
    #. Create `~/bin/resetswift.`
--  If you are using a loopback device substitute `/dev/sdb1` with `/srv/swift-disk`.
--  If you did not set up rsyslog for individual logging, remove the `find /var/log/swift...` line::
++
++     If you are using a loopback device substitute `/dev/sdb1` with `/srv/swift-disk`.
++
++     If you did not set up rsyslog for individual logging, remove the `find /var/log/swift...` line::
          #!/bin/bash
@@ -608,18 +620,6 @@
          swift-init main start
--  #. Create `~/bin/recreateaccounts`::
--
--        #!/bin/bash
--
--        # Replace swauthkey with whatever your super_admin key is (recorded in
--        # /etc/swift/proxy-server.conf).
--        swauth-prep -K swauthkey
--        swauth-add-user -K swauthkey -a test tester testing
--        swauth-add-user -K swauthkey -a test2 tester2 testing2
--        swauth-add-user -K swauthkey test tester3 testing3
--        swauth-add-user -K swauthkey -a -r reseller reseller reseller
--
    #. Create `~/bin/startrest`::
          #!/bin/bash
 === modified file 'doc/source/howto_installmultinode.rst'
 --- doc/source/howto_installmultinode.rst	2011-05-17 03:59:57 +0000
 +++ doc/source/howto_installmultinode.rst	2011-06-03 00:13:27 +0000
@@ -13,7 +13,7 @@
  Basic architecture and terms
  ----------------------------
  - *node* - a host machine running one or more Swift services
--- *Proxy node* - node that runs Proxy services; also runs Swauth
++- *Proxy node* - node that runs Proxy services; also runs TempAuth
  - *Storage node* - node that runs Account, Container, and Object services
  - *ring* - a set of mappings of Swift data to physical devices
@@ -23,7 +23,7 @@
    - Runs the swift-proxy-server processes which proxy requests to the
      appropriate Storage nodes. The proxy server will also contain
--    the Swauth service as WSGI middleware.
++    the TempAuth service as WSGI middleware.
  - five Storage nodes
@@ -130,17 +130,15 @@
          user = swift
          [pipeline:main]
--        pipeline = healthcheck cache swauth proxy-server
++        pipeline = healthcheck cache tempauth proxy-server
          [app:proxy-server]
          use = egg:swift#proxy
          allow_account_management = true
--        [filter:swauth]
--        use = egg:swift#swauth
--        default_swift_cluster = local#https://$PROXY_LOCAL_NET_IP:8080/v1
--        # Highly recommended to change this key to something else!
--        super_admin_key = swauthkey
++        [filter:tempauth]
++        use = egg:swift#tempauth
++        user_system_root = testpass .admin https://$PROXY_LOCAL_NET_IP:8080/v1/AUTH_system
          [filter:healthcheck]
          use = egg:swift#healthcheck
@@ -366,16 +364,6 @@
  You run these commands from the Proxy node.
--#. Create a user with administrative privileges (account = system,
--   username = root, password = testpass).  Make sure to replace
--   ``swauthkey`` with whatever super_admin key you assigned in
--   the proxy-server.conf file
--   above.  *Note: None of the values of
--   account, username, or password are special - they can be anything.*::
--
--        swauth-prep -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey
--        swauth-add-user -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey -a system root testpass
--
  #. Get an X-Storage-Url and X-Auth-Token::
          curl -k -v -H 'X-Storage-User: system:root' -H 'X-Storage-Pass: testpass' https://$PROXY_LOCAL_NET_IP:8080/auth/v1.0
@@ -430,45 +418,16 @@
          use = egg:swift#memcache
          memcache_servers = $PROXY_LOCAL_NET_IP:11211
--#. Change the default_cluster_url to point to the load balanced url, rather than the first proxy server you created in /etc/swift/proxy-server.conf::
--
--        [filter:swauth]
--        use = egg:swift#swauth
--        default_swift_cluster = local#http://<LOAD_BALANCER_HOSTNAME>/v1
--        # Highly recommended to change this key to something else!
--        super_admin_key = swauthkey
--
--#. The above will make new accounts with the new default_swift_cluster URL, however it won't change any existing accounts. You can change a service URL for existing accounts with::
--
--    First retreve what the URL was::
--
--         swauth-list -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey <account>
--
--     And then update it with::
--
--         swauth-set-account-service -A https://$PROXY_LOCAL_NET_IP:8080/auth/ -K swauthkey <account> storage local <new_url_for_the_account>
--
--    Make the <new_url_for_the_account> look just like it's original URL but with the host:port update you want.
++#. Change the storage url for any users to point to the load balanced url, rather than the first proxy server you created in /etc/swift/proxy-server.conf::
++
++        [filter:tempauth]
++        use = egg:swift#tempauth
++        user_system_root = testpass .admin http[s]://<LOAD_BALANCER_HOSTNAME>:<PORT>/v1/AUTH_system
  #. Next, copy all the ring information to all the nodes, including your new proxy nodes, and ensure the ring info gets to all the storage nodes as well.
  #. After you sync all the nodes, make sure the admin has the keys in /etc/swift and the ownership for the ring file is correct.
--Additional Cleanup Script for Swauth
--------------------------------------
--
--With Swauth, you'll want to install a cronjob to clean up any
--orphaned expired tokens. These orphaned tokens can occur when a "stampede"
--occurs where a single user authenticates several times concurrently. Generally,
--these orphaned tokens don't pose much of an issue, but it's good to clean them
--up once a "token life" period (default: 1 day or 86400 seconds).
--
--This should be as simple as adding `swauth-cleanup-tokens -A
--https://<PROXY_HOSTNAME>:8080/auth/ -K swauthkey > /dev/null` to a crontab
--entry on one of the proxies that is running Swauth; but run
--`swauth-cleanup-tokens` with no arguments for detailed help on the options
--available.
--
  Troubleshooting Notes
  ---------------------
  If you see problems, look in var/log/syslog (or messages on some distros).
 === modified file 'doc/source/index.rst'
 --- doc/source/index.rst	2011-03-14 02:56:37 +0000
 +++ doc/source/index.rst	2011-06-03 00:13:27 +0000
@@ -45,6 +45,7 @@
      overview_stats
      ratelimit
      overview_large_objects
++    overview_container_sync
  Developer Documentation
  =======================
 === modified file 'doc/source/misc.rst'
 --- doc/source/misc.rst	2011-03-24 03:37:07 +0000
 +++ doc/source/misc.rst	2011-06-03 00:13:27 +0000
@@ -33,12 +33,12 @@
      :members:
      :show-inheritance:
--.. _common_swauth:
--
--Swauth
--======
--
--.. automodule:: swift.common.middleware.swauth
++.. _common_tempauth:
++
++TempAuth
++========
++
++.. automodule:: swift.common.middleware.tempauth
      :members:
      :show-inheritance:
 === modified file 'doc/source/overview_auth.rst'
 --- doc/source/overview_auth.rst	2011-03-14 02:56:37 +0000
 +++ doc/source/overview_auth.rst	2011-06-03 00:13:27 +0000
@@ -2,9 +2,9 @@
  The Auth System
  ===============
--------
--Swauth
--------
++--------
++TempAuth
++--------
  The auth system for Swift is loosely based on the auth system from the existing
  Rackspace architecture -- actually from a few existing auth systems -- and is
@@ -27,7 +27,7 @@
  Swift will make calls to the auth system, giving the auth token to be
  validated. For a valid token, the auth system responds with an overall
  expiration in seconds from now. Swift will cache the token up to the expiration
--time. The included Swauth also has the concept of admin and non-admin users
++time. The included TempAuth also has the concept of admin and non-admin users
  within an account. Admin users can do anything within the account. Non-admin
  users can only perform operations per container based on the container's
  X-Container-Read and X-Container-Write ACLs. For more information on ACLs, see
@@ -40,152 +40,9 @@
  Extending Auth
  --------------
--Swauth is written as wsgi middleware, so implementing your own auth is as easy
--as writing new wsgi middleware, and plugging it in to the proxy server.
++TempAuth is written as wsgi middleware, so implementing your own auth is as
++easy as writing new wsgi middleware, and plugging it in to the proxy server.
++The KeyStone project and the Swauth project are examples of additional auth
++services.
  Also, see :doc:`development_auth`.
--
--
----------------
--Swauth Details
----------------
--
--The Swauth system is included at swift/common/middleware/swauth.py; a scalable
--authentication and authorization system that uses Swift itself as its backing
--store. This section will describe how it stores its data.
--
--At the topmost level, the auth system has its own Swift account it stores its
--own account information within. This Swift account is known as
--self.auth_account in the code and its name is in the format
--self.reseller_prefix + ".auth". In this text, we'll refer to this account as
--<auth_account>.
--
--The containers whose names do not begin with a period represent the accounts
--within the auth service. For example, the <auth_account>/test container would
--represent the "test" account.
--
--The objects within each container represent the users for that auth service
--account. For example, the <auth_account>/test/bob object would represent the
--user "bob" within the auth service account of "test". Each of these user
--objects contain a JSON dictionary of the format::
--
--    {"auth": "<auth_type>:<auth_value>", "groups": <groups_array>}
--
--The `<auth_type>` can only be `plaintext` at this time, and the `<auth_value>`
--is the plain text password itself.
--
--The `<groups_array>` contains at least two groups. The first is a unique group
--identifying that user and it's name is of the format `<user>:<account>`. The
--second group is the `<account>` itself. Additional groups of `.admin` for
--account administrators and `.reseller_admin` for reseller administrators may
--exist. Here's an example user JSON dictionary::
--
--    {"auth": "plaintext:testing",
--     "groups": ["name": "test:tester", "name": "test", "name": ".admin"]}
--
--To map an auth service account to a Swift storage account, the Service Account
--Id string is stored in the `X-Container-Meta-Account-Id` header for the
--<auth_account>/<account> container. To map back the other way, an
--<auth_account>/.account_id/<account_id> object is created with the contents of
--the corresponding auth service's account name.
--
--Also, to support a future where the auth service will support multiple Swift
--clusters or even multiple services for the same auth service account, an
--<auth_account>/<account>/.services object is created with its contents having a
--JSON dictionary of the format::
--
--    {"storage": {"default": "local", "local": <url>}}
--
--The "default" is always "local" right now, and "local" is always the single
--Swift cluster URL; but in the future there can be more than one cluster with
--various names instead of just "local", and the "default" key's value will
--contain the primary cluster to use for that account. Also, there may be more
--services in addition to the current "storage" service right now.
--
--Here's an example .services dictionary at the moment::
--
--    {"storage":
--        {"default": "local",
--         "local": "http://127.0.0.1:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}}
--
--But, here's an example of what the dictionary may look like in the future::
--
--    {"storage":
--        {"default": "dfw",
--         "dfw": "http://dfw.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
--         "ord": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
--         "sat": "http://ord.storage.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"},
--     "servers":
--        {"default": "dfw",
--         "dfw": "http://dfw.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
--         "ord": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9",
--         "sat": "http://ord.servers.com:8080/v1/AUTH_8980f74b1cda41e483cbe0a925f448a9"}}
--
--Lastly, the tokens themselves are stored as objects in the
--`<auth_account>/.token_[0-f]` containers. The names of the objects are the
--token strings themselves, such as `AUTH_tked86bbd01864458aa2bd746879438d5a`.
--The exact `.token_[0-f]` container chosen is based on the final digit of the
--token name, such as `.token_a` for the token
--`AUTH_tked86bbd01864458aa2bd746879438d5a`. The contents of the token objects
--are JSON dictionaries of the format::
--
--    {"account": <account>,
--     "user": <user>,
--     "account_id": <account_id>,
--     "groups": <groups_array>,
--     "expires": <time.time() value>}
--
--The `<account>` is the auth service account's name for that token. The `<user>`
--is the user within the account for that token. The `<account_id>` is the
--same as the `X-Container-Meta-Account-Id` for the auth service's account,
--as described above. The `<groups_array>` is the user's groups, as described
--above with the user object. The "expires" value indicates when the token is no
--longer valid, as compared to Python's time.time() value.
--
--Here's an example token object's JSON dictionary::
--
--    {"account": "test",
--     "user": "tester",
--     "account_id": "AUTH_8980f74b1cda41e483cbe0a925f448a9",
--     "groups": ["name": "test:tester", "name": "test", "name": ".admin"],
--     "expires": 1291273147.1624689}
--
--To easily map a user to an already issued token, the token name is stored in
--the user object's `X-Object-Meta-Auth-Token` header.
--
--Here is an example full listing of an <auth_account>::
--
--    .account_id
--        AUTH_2282f516-559f-4966-b239-b5c88829e927
--        AUTH_f6f57a3c-33b5-4e85-95a5-a801e67505c8
--        AUTH_fea96a36-c177-4ca4-8c7e-b8c715d9d37b
--    .token_0
--    .token_1
--    .token_2
--    .token_3
--    .token_4
--    .token_5
--    .token_6
--        AUTH_tk9d2941b13d524b268367116ef956dee6
--    .token_7
--    .token_8
--        AUTH_tk93627c6324c64f78be746f1e6a4e3f98
--    .token_9
--    .token_a
--    .token_b
--    .token_c
--    .token_d
--    .token_e
--        AUTH_tk0d37d286af2c43ffad06e99112b3ec4e
--    .token_f
--        AUTH_tk766bbde93771489982d8dc76979d11cf
--    reseller
--        .services
--        reseller
--    test
--        .services
--        tester
--        tester3
--    test2
--        .services
--        tester2
 === added file 'doc/source/overview_container_sync.rst'
 --- doc/source/overview_container_sync.rst	1970-01-01 00:00:00 +0000
 +++ doc/source/overview_container_sync.rst	2011-06-03 00:13:27 +0000
@@ -0,0 +1,220 @@
++======================================
++Container to Container Synchronization
++======================================
++
++--------
++Overview
++--------
++
++Swift has a feature where all the contents of a container can be mirrored to
++another container through background synchronization. Swift cluster operators
++configure their cluster to allow/accept sync requests to/from other clusters,
++and the user specifies where to sync their container to along with a secret
++synchronization key.
++
++.. note::
++
++    This does not sync standard object POSTs, as those do not cause container
++    updates. A workaround is to do X-Copy-From POSTs. We're considering
++    solutions to this limitation but leaving it as is for now since POSTs are
++    fairly uncommon.
++
++--------------------------------------------
++Configuring a Cluster's Allowable Sync Hosts
++--------------------------------------------
++
++The Swift cluster operator must allow synchronization with a set of hosts
++before the user can enable container synchronization. First, the backend
++container server needs to be given this list of hosts in the
++container-server.conf file::
++
++    [DEFAULT]
++    # This is a comma separated list of hosts allowed in the
++    # X-Container-Sync-To field for containers.
++    # allowed_sync_hosts = 127.0.0.1
++    allowed_sync_hosts = host1,host2,etc.
++    ...
++
++    [container-sync]
++    # You can override the default log routing for this app here (don't
++    # use set!):
++    # log_name = container-sync
++    # log_facility = LOG_LOCAL0
++    # log_level = INFO
++    # Will sync, at most, each container once per interval
++    # interval = 300
++    # Maximum amount of time to spend syncing each container
++    # container_time = 60
++
++The authentication system also needs to be configured to allow synchronization
++requests. Here are examples with DevAuth and Swauth::
++
++    [filter:auth]
++    # This is a comma separated list of hosts allowed to send
++    # X-Container-Sync-Key requests.
++    # allowed_sync_hosts = 127.0.0.1
++    allowed_sync_hosts = host1,host2,etc.
++
++    [filter:swauth]
++    # This is a comma separated list of hosts allowed to send
++    # X-Container-Sync-Key requests.
++    # allowed_sync_hosts = 127.0.0.1
++    allowed_sync_hosts = host1,host2,etc.
++
++The default of 127.0.0.1 is just so no configuration is required for SAIO
++setups -- for testing.
++
++----------------------------------------------
++Using ``st`` to set up synchronized containers
++----------------------------------------------
++
++.. note::
++
++    You must be the account admin on the account to set synchronization targets
++    and keys.
++
++You simply tell each container where to sync to and give it a secret
++synchronization key. First, let's get the account details for our two cluster
++accounts::
++
++    $ st -A http://cluster1/auth/v1.0 -U test:tester -K testing stat -v
++    StorageURL: http://cluster1/v1/AUTH_208d1854-e475-4500-b315-81de645d060e
++    Auth Token: AUTH_tkd5359e46ff9e419fa193dbd367f3cd19
++       Account: AUTH_208d1854-e475-4500-b315-81de645d060e
++    Containers: 0
++       Objects: 0
++         Bytes: 0
++
++    $ st -A http://cluster2/auth/v1.0 -U test2:tester2 -K testing2 stat -v
++    StorageURL: http://cluster2/v1/AUTH_33cdcad8-09fb-4940-90da-0f00cbf21c7c
++    Auth Token: AUTH_tk816a1aaf403c49adb92ecfca2f88e430
++       Account: AUTH_33cdcad8-09fb-4940-90da-0f00cbf21c7c
++    Containers: 0
++       Objects: 0
++         Bytes: 0
++
++Now, let's make our first container and tell it to synchronize to a second
++we'll make next::
++
++    $ st -A http://cluster1/auth/v1.0 -U test:tester -K testing post \
++      -t 'http://cluster2/v1/AUTH_33cdcad8-09fb-4940-90da-0f00cbf21c7c/container2' \
++      -k 'secret' container1
++
++The ``-t`` indicates the URL to sync to, which is the ``StorageURL`` from
++cluster2 we retrieved above plus the container name. The ``-k`` specifies the
++secret key the two containers will share for synchronization. Now, we'll do
++something similar for the second cluster's container::
++
++    $ st -A http://cluster2/auth/v1.0 -U test2:tester2 -K testing2 post \
++      -t 'http://cluster1/v1/AUTH_208d1854-e475-4500-b315-81de645d060e/container1' \
++      -k 'secret' container2
++
++That's it. Now we can upload a bunch of stuff to the first container and watch
++as it gets synchronized over to the second::
++
++    $ st -A http://cluster1/auth/v1.0 -U test:tester -K testing \
++      upload container1 .
++    photo002.png
++    photo004.png
++    photo001.png
++    photo003.png
++
++    $ st -A http://cluster2/auth/v1.0 -U test2:tester2 -K testing2 \
++      list container2
++
++    [Nothing there yet, so we wait a bit...]
++    [If you're an operator running SAIO and just testing, you may need to
++     run 'swift-init container-sync once' to perform a sync scan.]
++
++    $ st -A http://cluster2/auth/v1.0 -U test2:tester2 -K testing2 \
++      list container2
++    photo001.png
++    photo002.png
++    photo003.png
++    photo004.png
++
++You can also set up a chain of synced containers if you want more than two.
++You'd point 1 -> 2, then 2 -> 3, and finally 3 -> 1 for three containers.
++They'd all need to share the same secret synchronization key.
++
++-----------------------------------
++Using curl (or other tools) instead
++-----------------------------------
++
++So what's ``st`` doing behind the scenes? Nothing overly complicated. It
++translates the ``-t <value>`` option into an ``X-Container-Sync-To: <value>``
++header and the ``-k <value>`` option into an ``X-Container-Sync-Key: <value>``
++header.
++
++For instance, when we created the first container above and told it to
++synchronize to the second, we could have used this curl command::
++
++    $ curl -i -X POST -H 'X-Auth-Token: AUTH_tkd5359e46ff9e419fa193dbd367f3cd19' \
++      -H 'X-Container-Sync-To: http://cluster2/v1/AUTH_33cdcad8-09fb-4940-90da-0f00cbf21c7c/container2' \
++      -H 'X-Container-Sync-Key: secret' \
++      'http://cluster1/v1/AUTH_208d1854-e475-4500-b315-81de645d060e/container1'
++    HTTP/1.1 204 No Content
++    Content-Length: 0
++    Content-Type: text/plain; charset=UTF-8
++    Date: Thu, 24 Feb 2011 22:39:14 GMT
++
++--------------------------------------------------
++What's going on behind the scenes, in the cluster?
++--------------------------------------------------
++
++The swift-container-sync does the job of sending updates to the remote
++container.
++
++This is done by scanning the local devices for container databases and
++checking for x-container-sync-to and x-container-sync-key metadata values.
++If they exist, newer rows since the last sync will trigger PUTs or DELETEs
++to the other container.
++
++.. note::
++
++    This does not sync standard object POSTs, as those do not cause
++    container row updates. A workaround is to do X-Copy-From POSTs. We're
++    considering solutions to this limitation but leaving it as is for now
++    since POSTs are fairly uncommon.
++
++The actual syncing is slightly more complicated to make use of the three
++(or number-of-replicas) main nodes for a container without each trying to
++do the exact same work but also without missing work if one node happens to
++be down.
++
++Two sync points are kept per container database. All rows between the two
++sync points trigger updates. Any rows newer than both sync points cause
++updates depending on the node's position for the container (primary nodes
++do one third, etc. depending on the replica count of course). After a sync
++run, the first sync point is set to the newest ROWID known and the second
++sync point is set to newest ROWID for which all updates have been sent.
++
++An example may help. Assume replica count is 3 and perfectly matching
++ROWIDs starting at 1.
++
++    First sync run, database has 6 rows:
++
++        * SyncPoint1 starts as -1.
++        * SyncPoint2 starts as -1.
++        * No rows between points, so no "all updates" rows.
++        * Six rows newer than SyncPoint1, so a third of the rows are sent
++          by node 1, another third by node 2, remaining third by node 3.
++        * SyncPoint1 is set as 6 (the newest ROWID known).
++        * SyncPoint2 is left as -1 since no "all updates" rows were synced.
++
++    Next sync run, database has 12 rows:
++
++        * SyncPoint1 starts as 6.
++        * SyncPoint2 starts as -1.
++        * The rows between -1 and 6 all trigger updates (most of which
++          should short-circuit on the remote end as having already been
++          done).
++        * Six more rows newer than SyncPoint1, so a third of the rows are
++          sent by node 1, another third by node 2, remaining third by node
++          3.
++        * SyncPoint1 is set as 12 (the newest ROWID known).
++        * SyncPoint2 is set as 6 (the newest "all updates" ROWID).
++
++In this way, under normal circumstances each node sends its share of
++updates each run and just sends a batch of older updates to ensure nothing
++was missed.
 === modified file 'etc/container-server.conf-sample'
 --- etc/container-server.conf-sample	2011-01-25 00:28:22 +0000
 +++ etc/container-server.conf-sample	2011-06-03 00:13:27 +0000
@@ -7,6 +7,9 @@
  # swift_dir = /etc/swift
  # devices = /srv/node
  # mount_check = true
++# This is a comma separated list of hosts allowed in the X-Container-Sync-To
++# field for containers.
++# allowed_sync_hosts = 127.0.0.1
  # You can specify default log routing here if you want:
  # log_name = swift
  # log_facility = LOG_LOCAL0
@@ -60,3 +63,13 @@
  # log_level = INFO
  # Will audit, at most, 1 container per device per interval
  # interval = 1800
++
++[container-sync]
++# You can override the default log routing for this app here (don't use set!):
++# log_name = container-sync
++# log_facility = LOG_LOCAL0
++# log_level = INFO
++# Will sync, at most, each container once per interval
++# interval = 300
++# Maximum amount of time to spend syncing each container
++# container_time = 60
 === modified file 'etc/proxy-server.conf-sample'
 --- etc/proxy-server.conf-sample	2011-03-25 08:33:46 +0000
 +++ etc/proxy-server.conf-sample	2011-06-03 00:13:27 +0000
@@ -13,7 +13,7 @@
  # log_level = INFO
  [pipeline:main]
--pipeline = catch_errors healthcheck cache ratelimit swauth proxy-server
++pipeline = catch_errors healthcheck cache ratelimit tempauth proxy-server
  [app:proxy-server]
  use = egg:swift#proxy
@@ -41,10 +41,10 @@
  # 'false' no one, even authorized, can.
  # allow_account_management = false
--[filter:swauth]
--use = egg:swift#swauth
++[filter:tempauth]
++use = egg:swift#tempauth
  # You can override the default log routing for this filter here:
--# set log_name = auth-server
++# set log_name = tempauth
  # set log_facility = LOG_LOCAL0
  # set log_level = INFO
  # set log_headers = False
@@ -54,21 +54,31 @@
  # multiple auth systems are in use for one Swift cluster.
  # reseller_prefix = AUTH
  # The auth prefix will cause requests beginning with this prefix to be routed
--# to the auth subsystem, for granting tokens, creating accounts, users, etc.
++# to the auth subsystem, for granting tokens, etc.
  # auth_prefix = /auth/
--# Cluster strings are of the format name#url where name is a short name for the
--# Swift cluster and url is the url to the proxy server(s) for the cluster.
--# default_swift_cluster = local#http://127.0.0.1:8080/v1
--# You may also use the format name#url#url where the first url is the one
--# given to users to access their account (public url) and the second is the one
--# used by swauth itself to create and delete accounts (private url). This is
--# useful when a load balancer url should be used by users, but swauth itself is
--# behind the load balancer. Example:
--# default_swift_cluster = local#https://public.com:8080/v1#http://private.com:8080/v1
  # token_life = 86400
--# node_timeout = 10
--# Highly recommended to change this.
--super_admin_key = swauthkey
++# This is a comma separated list of hosts allowed to send X-Container-Sync-Key
++# requests.
++# allowed_sync_hosts = 127.0.0.1
++# Lastly, you need to list all the accounts/users you want here. The format is:
++#   user_<account>_<user> = <key> [group] [group] [...] [storage_url]
++# There are special groups of:
++#   .reseller_admin = can do anything to any account for this auth
++#   .admin = can do anything within the account
++# If neither of these groups are specified, the user can only access containers
++# that have been explicitly allowed for them by a .admin or .reseller_admin.
++# The trailing optional storage_url allows you to specify an alternate url to
++# hand back to the user upon authentication. If not specified, this defaults to
++# http[s]://<ip>:<port>/v1/<reseller_prefix>_<account> where http or https
++# depends on whether cert_file is specified in the [DEFAULT] section, <ip> and
++# <port> are based on the [DEFAULT] section's bind_ip and bind_port (falling
++# back to 127.0.0.1 and 8080), <reseller_prefix> is from this section, and
++# <account> is from the user_<account>_<user> name.
++# Here are example entries, required for running the tests:
++user_admin_admin = admin .admin .reseller_admin
++user_test_tester = testing .admin
++user_test2_tester2 = testing2 .admin
++user_test_tester3 = testing3
  [filter:healthcheck]
  use = egg:swift#healthcheck
 === modified file 'setup.py'
 --- setup.py	2011-05-26 09:25:39 +0000
 +++ setup.py	2011-06-03 00:13:27 +0000
@@ -80,7 +80,7 @@
          'bin/swift-account-audit', 'bin/swift-account-reaper',
          'bin/swift-account-replicator', 'bin/swift-account-server',
          'bin/swift-container-auditor',
--        'bin/swift-container-replicator',
++        'bin/swift-container-replicator', 'bin/swift-container-sync',
          'bin/swift-container-server', 'bin/swift-container-updater',
          'bin/swift-drive-audit', 'bin/swift-get-nodes',
          'bin/swift-init', 'bin/swift-object-auditor',
@@ -96,10 +96,6 @@
          'bin/swift-log-stats-collector',
          'bin/swift-account-stats-logger',
          'bin/swift-container-stats-logger',
--        'bin/swauth-add-account', 'bin/swauth-add-user',
--        'bin/swauth-cleanup-tokens', 'bin/swauth-delete-account',
--        'bin/swauth-delete-user', 'bin/swauth-list', 'bin/swauth-prep',
--        'bin/swauth-set-account-service',
          ],
      entry_points={
          'paste.app_factory': [
@@ -109,7 +105,6 @@
              'account=swift.account.server:app_factory',
              ],
          'paste.filter_factory': [
--            'swauth=swift.common.middleware.swauth:filter_factory',
              'healthcheck=swift.common.middleware.healthcheck:filter_factory',
              'memcache=swift.common.middleware.memcache:filter_factory',
              'ratelimit=swift.common.middleware.ratelimit:filter_factory',
@@ -118,6 +113,7 @@
              'domain_remap=swift.common.middleware.domain_remap:filter_factory',
              'swift3=swift.common.middleware.swift3:filter_factory',
              'staticweb=swift.common.middleware.staticweb:filter_factory',
++            'tempauth=swift.common.middleware.tempauth:filter_factory',
              ],
          },
+     )
 === modified file 'swift/common/client.py'
 --- swift/common/client.py	2011-05-14 02:31:47 +0000
 +++ swift/common/client.py	2011-06-03 00:13:27 +0000
@@ -565,9 +565,9 @@
      return resp_headers
--def put_object(url, token, container, name, contents, content_length=None,
--               etag=None, chunk_size=65536, content_type=None, headers=None,
--               http_conn=None):
++def put_object(url, token=None, container=None, name=None, contents=None,
++               content_length=None, etag=None, chunk_size=65536,
++               content_type=None, headers=None, http_conn=None):
      """
      Put an object
@@ -591,10 +591,17 @@
          parsed, conn = http_conn
      else:
          parsed, conn = http_connection(url)
--    path = '%s/%s/%s' % (parsed.path, quote(container), quote(name))
--    if not headers:
++    path = parsed.path
++    if container:
++        path = '%s/%s' % (path.rstrip('/'), quote(container))
++    if name:
++        path = '%s/%s' % (path.rstrip('/'), quote(name))
++    if headers:
++        headers = dict(headers)
++    else:
          headers = {}
--    headers['X-Auth-Token'] = token
++    if token:
++        headers['X-Auth-Token'] = token
      if etag:
          headers['ETag'] = etag.strip('"')
      if content_length is not None:
@@ -633,7 +640,7 @@
          raise ClientException('Object PUT failed', http_scheme=parsed.scheme,
                  http_host=conn.host, http_port=conn.port, http_path=path,
                  http_status=resp.status, http_reason=resp.reason)
--    return resp.getheader('etag').strip('"')
++    return resp.getheader('etag', '').strip('"')
  def post_object(url, token, container, name, headers, http_conn=None):
@@ -664,7 +671,8 @@
                  http_status=resp.status, http_reason=resp.reason)
--def delete_object(url, token, container, name, http_conn=None):
++def delete_object(url, token=None, container=None, name=None, http_conn=None,
++                  headers=None):
      """
      Delete object
@@ -680,8 +688,18 @@
          parsed, conn = http_conn
      else:
          parsed, conn = http_connection(url)
--    path = '%s/%s/%s' % (parsed.path, quote(container), quote(name))
--    conn.request('DELETE', path, '', {'X-Auth-Token': token})
++    path = parsed.path
++    if container:
++        path = '%s/%s' % (path.rstrip('/'), quote(container))
++    if name:
++        path = '%s/%s' % (path.rstrip('/'), quote(name))
++    if headers:
++        headers = dict(headers)
++    else:
++        headers = {}
++    if token:
++        headers['X-Auth-Token'] = token
++    conn.request('DELETE', path, '', headers)
      resp = conn.getresponse()
      resp.read()
      if resp.status < 200 or resp.status >= 300:
 === modified file 'swift/common/db.py'
 --- swift/common/db.py	2011-05-05 01:47:56 +0000
 +++ swift/common/db.py	2011-06-03 00:13:27 +0000
@@ -666,7 +666,9 @@
                  id TEXT,
                  status TEXT DEFAULT '',
                  status_changed_at TEXT DEFAULT '0',
--                metadata TEXT DEFAULT ''
++                metadata TEXT DEFAULT '',
++                x_container_sync_point1 INTEGER DEFAULT -1,
++                x_container_sync_point2 INTEGER DEFAULT -1
              );
              INSERT INTO container_stat (object_count, bytes_used)
@@ -886,7 +888,8 @@
          :returns: sqlite.row of (account, container, created_at, put_timestamp,
                    delete_timestamp, object_count, bytes_used,
                    reported_put_timestamp, reported_delete_timestamp,
--                  reported_object_count, reported_bytes_used, hash, id)
++                  reported_object_count, reported_bytes_used, hash, id,
++                  x_container_sync_point1, x_container_sync_point2)
          """
          try:
              self._commit_puts()
@@ -894,13 +897,65 @@
              if not self.stale_reads_ok:
                  raise
          with self.get() as conn:
--            return conn.execute('''
--                SELECT account, container, created_at, put_timestamp,
--                    delete_timestamp, object_count, bytes_used,
--                    reported_put_timestamp, reported_delete_timestamp,
--                    reported_object_count, reported_bytes_used, hash, id
--                FROM container_stat
--            ''').fetchone()
++            try:
++                return conn.execute('''
++                    SELECT account, container, created_at, put_timestamp,
++                        delete_timestamp, object_count, bytes_used,
++                        reported_put_timestamp, reported_delete_timestamp,
++                        reported_object_count, reported_bytes_used, hash, id,
++                        x_container_sync_point1, x_container_sync_point2
++                    FROM container_stat
++                ''').fetchone()
++            except sqlite3.OperationalError, err:
++                if 'no such column: x_container_sync_point' not in str(err):
++                    raise
++                return conn.execute('''
++                    SELECT account, container, created_at, put_timestamp,
++                        delete_timestamp, object_count, bytes_used,
++                        reported_put_timestamp, reported_delete_timestamp,
++                        reported_object_count, reported_bytes_used, hash, id,
++                        -1 AS x_container_sync_point1,
++                        -1 AS x_container_sync_point2
++                    FROM container_stat
++                ''').fetchone()
++
++    def set_x_container_sync_points(self, sync_point1, sync_point2):
++        with self.get() as conn:
++            try:
++                self._set_x_container_sync_points(conn, sync_point1,
++                                                  sync_point2)
++            except sqlite3.OperationalError, err:
++                if 'no such column: x_container_sync_point' not in str(err):
++                    raise
++                conn.execute('''
++                    ALTER TABLE container_stat
++                    ADD COLUMN x_container_sync_point1 INTEGER DEFAULT -1
++                ''')
++                conn.execute('''
++                    ALTER TABLE container_stat
++                    ADD COLUMN x_container_sync_point2 INTEGER DEFAULT -1
++                ''')
++                self._set_x_container_sync_points(conn, sync_point1,
++                                                  sync_point2)
++            conn.commit()
++
++    def _set_x_container_sync_points(self, conn, sync_point1, sync_point2):
++        if sync_point1 is not None and sync_point2 is not None:
++            conn.execute('''
++                UPDATE container_stat
++                SET x_container_sync_point1 = ?,
++                    x_container_sync_point2 = ?
++            ''', (sync_point1, sync_point2))
++        elif sync_point1 is not None:
++            conn.execute('''
++                UPDATE container_stat
++                SET x_container_sync_point1 = ?
++            ''', (sync_point1,))
++        elif sync_point2 is not None:
++            conn.execute('''
++                UPDATE container_stat
++                SET x_container_sync_point2 = ?
++            ''', (sync_point2,))
      def reported(self, put_timestamp, delete_timestamp, object_count,
                   bytes_used):
 === modified file 'swift/common/manager.py'
 --- swift/common/manager.py	2011-03-30 20:04:15 +0000
 +++ swift/common/manager.py	2011-06-03 00:13:27 +0000
@@ -31,9 +31,10 @@
  # auth-server has been removed from ALL_SERVERS, start it explicitly
  ALL_SERVERS = ['account-auditor', 'account-server', 'container-auditor',
--    'container-replicator', 'container-server', 'container-updater',
--    'object-auditor', 'object-server', 'object-replicator', 'object-updater',
--    'proxy-server', 'account-replicator', 'account-reaper']
++    'container-replicator', 'container-server', 'container-sync',
++    'container-updater', 'object-auditor', 'object-server',
++    'object-replicator', 'object-updater', 'proxy-server',
++    'account-replicator', 'account-reaper']
  MAIN_SERVERS = ['proxy-server', 'account-server', 'container-server',
                  'object-server']
  REST_SERVERS = [s for s in ALL_SERVERS if s not in MAIN_SERVERS]
 === modified file 'swift/common/middleware/staticweb.py'
 --- swift/common/middleware/staticweb.py	2011-03-25 19:21:35 +0000
 +++ swift/common/middleware/staticweb.py	2011-06-03 00:13:27 +0000
@@ -28,7 +28,7 @@
      ...
      [pipeline:main]
--    pipeline = healthcheck cache swauth staticweb proxy-server
++    pipeline = healthcheck cache tempauth staticweb proxy-server
      ...
 === removed file 'swift/common/middleware/swauth.py'
 --- swift/common/middleware/swauth.py	2011-05-09 20:21:34 +0000
 +++ swift/common/middleware/swauth.py	1970-01-01 00:00:00 +0000
@@ -1,1374 +0,0 @@
--# Copyright (c) 2010 OpenStack, LLC.
--#
--# Licensed under the Apache License, Version 2.0 (the "License");
--# you may not use this file except in compliance with the License.
--# You may obtain a copy of the License at
--#
--#    http://www.apache.org/licenses/LICENSE-2.0
--#
--# Unless required by applicable law or agreed to in writing, software
--# distributed under the License is distributed on an "AS IS" BASIS,
--# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
--# implied.
--# See the License for the specific language governing permissions and
--# limitations under the License.
--
--try:
--    import simplejson as json
--except ImportError:
--    import json
--from httplib import HTTPConnection, HTTPSConnection
--from time import gmtime, strftime, time
--from traceback import format_exc
--from urllib import quote, unquote
--from uuid import uuid4
--from hashlib import md5, sha1
--import hmac
--import base64
--
--from eventlet.timeout import Timeout
--from eventlet import TimeoutError
--from webob import Response, Request
--from webob.exc import HTTPAccepted, HTTPBadRequest, HTTPConflict, \
--    HTTPCreated, HTTPForbidden, HTTPNoContent, HTTPNotFound, \
--    HTTPServiceUnavailable, HTTPUnauthorized
--
--from swift.common.bufferedhttp import http_connect_raw as http_connect
--from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
--from swift.common.utils import cache_from_env, get_logger, split_path, urlparse
--
--
--class Swauth(object):
--    """
--    Scalable authentication and authorization system that uses Swift as its
--    backing store.
--
--    :param app: The next WSGI app in the pipeline
--    :param conf: The dict of configuration values
--    """
--
--    def __init__(self, app, conf):
--        self.app = app
--        self.conf = conf
--        self.logger = get_logger(conf, log_route='swauth')
--        self.log_headers = conf.get('log_headers') == 'True'
--        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
--        if self.reseller_prefix and self.reseller_prefix[-1] != '_':
--            self.reseller_prefix += '_'
--        self.auth_prefix = conf.get('auth_prefix', '/auth/')
--        if not self.auth_prefix:
--            self.auth_prefix = '/auth/'
--        if self.auth_prefix[0] != '/':
--            self.auth_prefix = '/' + self.auth_prefix
--        if self.auth_prefix[-1] != '/':
--            self.auth_prefix += '/'
--        self.auth_account = '%s.auth' % self.reseller_prefix
--        self.default_swift_cluster = conf.get('default_swift_cluster',
--            'local#http://127.0.0.1:8080/v1')
--        # This setting is a little messy because of the options it has to
--        # provide. The basic format is cluster_name#url, such as the default
--        # value of local#http://127.0.0.1:8080/v1.
--        # If the URL given to the user needs to differ from the url used by
--        # Swauth to create/delete accounts, there's a more complex format:
--        # cluster_name#url#url, such as
--        # local#https://public.com:8080/v1#http://private.com:8080/v1.
--        cluster_parts = self.default_swift_cluster.split('#', 2)
--        self.dsc_name = cluster_parts[0]
--        if len(cluster_parts) == 3:
--            self.dsc_url = cluster_parts[1].rstrip('/')
--            self.dsc_url2 = cluster_parts[2].rstrip('/')
--        elif len(cluster_parts) == 2:
--            self.dsc_url = self.dsc_url2 = cluster_parts[1].rstrip('/')
--        else:
--            raise Exception('Invalid cluster format')
--        self.dsc_parsed = urlparse(self.dsc_url)
--        if self.dsc_parsed.scheme not in ('http', 'https'):
--            raise Exception('Cannot handle protocol scheme %s for url %s' %
--                            (self.dsc_parsed.scheme, repr(self.dsc_url)))
--        self.dsc_parsed2 = urlparse(self.dsc_url2)
--        if self.dsc_parsed2.scheme not in ('http', 'https'):
--            raise Exception('Cannot handle protocol scheme %s for url %s' %
--                            (self.dsc_parsed2.scheme, repr(self.dsc_url2)))
--        self.super_admin_key = conf.get('super_admin_key')
--        if not self.super_admin_key:
--            msg = _('No super_admin_key set in conf file! Exiting.')
--            try:
--                self.logger.critical(msg)
--            except Exception:
--                pass
--            raise ValueError(msg)
--        self.token_life = int(conf.get('token_life', 86400))
--        self.timeout = int(conf.get('node_timeout', 10))
--        self.itoken = None
--        self.itoken_expires = None
--
--    def __call__(self, env, start_response):
--        """
--        Accepts a standard WSGI application call, authenticating the request
--        and installing callback hooks for authorization and ACL header
--        validation. For an authenticated request, REMOTE_USER will be set to a
--        comma separated list of the user's groups.
--
--        With a non-empty reseller prefix, acts as the definitive auth service
--        for just tokens and accounts that begin with that prefix, but will deny
--        requests outside this prefix if no other auth middleware overrides it.
--
--        With an empty reseller prefix, acts as the definitive auth service only
--        for tokens that validate to a non-empty set of groups. For all other
--        requests, acts as the fallback auth service when no other auth
--        middleware overrides it.
--
--        Alternatively, if the request matches the self.auth_prefix, the request
--        will be routed through the internal auth request handler (self.handle).
--        This is to handle creating users, accounts, granting tokens, etc.
--        """
--        if 'HTTP_X_CF_TRANS_ID' not in env:
--            env['HTTP_X_CF_TRANS_ID'] = 'tx' + str(uuid4())
--        if env.get('PATH_INFO', '').startswith(self.auth_prefix):
--            return self.handle(env, start_response)
--        s3 = env.get('HTTP_AUTHORIZATION')
--        token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
--        if s3 or (token and token.startswith(self.reseller_prefix)):
--            # Note: Empty reseller_prefix will match all tokens.
--            groups = self.get_groups(env, token)
--            if groups:
--                env['REMOTE_USER'] = groups
--                user = groups and groups.split(',', 1)[0] or ''
--                # We know the proxy logs the token, so we augment it just a bit
--                # to also log the authenticated user.
--                env['HTTP_X_AUTH_TOKEN'] = \
--                    '%s,%s' % (user, 's3' if s3 else token)
--                env['swift.authorize'] = self.authorize
--                env['swift.clean_acl'] = clean_acl
--            else:
--                # Unauthorized token
--                if self.reseller_prefix:
--                    # Because I know I'm the definitive auth for this token, I
--                    # can deny it outright.
--                    return HTTPUnauthorized()(env, start_response)
--                # Because I'm not certain if I'm the definitive auth for empty
--                # reseller_prefixed tokens, I won't overwrite swift.authorize.
--                elif 'swift.authorize' not in env:
--                    env['swift.authorize'] = self.denied_response
--        else:
--            if self.reseller_prefix:
--                # With a non-empty reseller_prefix, I would like to be called
--                # back for anonymous access to accounts I know I'm the
--                # definitive auth for.
--                try:
--                    version, rest = split_path(env.get('PATH_INFO', ''),
--                                               1, 2, True)
--                except ValueError:
--                    return HTTPNotFound()(env, start_response)
--                if rest and rest.startswith(self.reseller_prefix):
--                    # Handle anonymous access to accounts I'm the definitive
--                    # auth for.
--                    env['swift.authorize'] = self.authorize
--                    env['swift.clean_acl'] = clean_acl
--                # Not my token, not my account, I can't authorize this request,
--                # deny all is a good idea if not already set...
--                elif 'swift.authorize' not in env:
--                    env['swift.authorize'] = self.denied_response
--            # Because I'm not certain if I'm the definitive auth for empty
--            # reseller_prefixed accounts, I won't overwrite swift.authorize.
--            elif 'swift.authorize' not in env:
--                env['swift.authorize'] = self.authorize
--                env['swift.clean_acl'] = clean_acl
--        return self.app(env, start_response)
--
--    def get_groups(self, env, token):
--        """
--        Get groups for the given token.
--
--        :param env: The current WSGI environment dictionary.
--        :param token: Token to validate and return a group string for.
--
--        :returns: None if the token is invalid or a string containing a comma
--                  separated list of groups the authenticated user is a member
--                  of. The first group in the list is also considered a unique
--                  identifier for that user.
--        """
--        groups = None
--        memcache_client = cache_from_env(env)
--        if memcache_client:
--            memcache_key = '%s/auth/%s' % (self.reseller_prefix, token)
--            cached_auth_data = memcache_client.get(memcache_key)
--            if cached_auth_data:
--                expires, groups = cached_auth_data
--                if expires < time():
--                    groups = None
--
--        if env.get('HTTP_AUTHORIZATION'):
--            account = env['HTTP_AUTHORIZATION'].split(' ')[1]
--            account, user, sign = account.split(':')
--            path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--            resp = self.make_request(env, 'GET', path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                return None
--
--            if 'x-object-meta-account-id' in resp.headers:
--                account_id = resp.headers['x-object-meta-account-id']
--            else:
--                path = quote('/v1/%s/%s' % (self.auth_account, account))
--                resp2 = self.make_request(env, 'HEAD',
--                                          path).get_response(self.app)
--                if resp2.status_int // 100 != 2:
--                    return None
--                account_id = resp2.headers['x-container-meta-account-id']
--
--            path = env['PATH_INFO']
--            env['PATH_INFO'] = path.replace("%s:%s" % (account, user),
--                                            account_id, 1)
--            detail = json.loads(resp.body)
--
--            password = detail['auth'].split(':')[-1]
--            msg = base64.urlsafe_b64decode(unquote(token))
--            s = base64.encodestring(hmac.new(detail['auth'].split(':')[-1],
--                                             msg, sha1).digest()).strip()
--            if s != sign:
--                return None
--            groups = [g['name'] for g in detail['groups']]
--            if '.admin' in groups:
--                groups.remove('.admin')
--                groups.append(account_id)
--            groups = ','.join(groups)
--            return groups
--
--        if not groups:
--            path = quote('/v1/%s/.token_%s/%s' %
--                         (self.auth_account, token[-1], token))
--            resp = self.make_request(env, 'GET', path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                return None
--            detail = json.loads(resp.body)
--            if detail['expires'] < time():
--                self.make_request(env, 'DELETE', path).get_response(self.app)
--                return None
--            groups = [g['name'] for g in detail['groups']]
--            if '.admin' in groups:
--                groups.remove('.admin')
--                groups.append(detail['account_id'])
--            groups = ','.join(groups)
--            if memcache_client:
--                memcache_client.set(memcache_key, (detail['expires'], groups),
--                                    timeout=float(detail['expires'] - time()))
--        return groups
--
--    def authorize(self, req):
--        """
--        Returns None if the request is authorized to continue or a standard
--        WSGI response callable if not.
--        """
--        try:
--            version, account, container, obj = split_path(req.path, 1, 4, True)
--        except ValueError:
--            return HTTPNotFound(request=req)
--        if not account or not account.startswith(self.reseller_prefix):
--            return self.denied_response(req)
--        user_groups = (req.remote_user or '').split(',')
--        if '.reseller_admin' in user_groups and \
--                account != self.reseller_prefix and \
--                account[len(self.reseller_prefix)] != '.':
--            return None
--        if account in user_groups and \
--                (req.method not in ('DELETE', 'PUT') or container):
--            # If the user is admin for the account and is not trying to do an
--            # account DELETE or PUT...
--            return None
--        referrers, groups = parse_acl(getattr(req, 'acl', None))
--        if referrer_allowed(req.referer, referrers):
--            if obj or '.rlistings' in groups:
--                return None
--            return self.denied_response(req)
--        if not req.remote_user:
--            return self.denied_response(req)
--        for user_group in user_groups:
--            if user_group in groups:
--                return None
--        return self.denied_response(req)
--
--    def denied_response(self, req):
--        """
--        Returns a standard WSGI response callable with the status of 403 or 401
--        depending on whether the REMOTE_USER is set or not.
--        """
--        if req.remote_user:
--            return HTTPForbidden(request=req)
--        else:
--            return HTTPUnauthorized(request=req)
--
--    def handle(self, env, start_response):
--        """
--        WSGI entry point for auth requests (ones that match the
--        self.auth_prefix).
--        Wraps env in webob.Request object and passes it down.
--
--        :param env: WSGI environment dictionary
--        :param start_response: WSGI callable
--        """
--        try:
--            req = Request(env)
--            if self.auth_prefix:
--                req.path_info_pop()
--            req.bytes_transferred = '-'
--            req.client_disconnect = False
--            if 'x-storage-token' in req.headers and \
--                    'x-auth-token' not in req.headers:
--                req.headers['x-auth-token'] = req.headers['x-storage-token']
--            if 'eventlet.posthooks' in env:
--                env['eventlet.posthooks'].append(
--                    (self.posthooklogger, (req,), {}))
--                return self.handle_request(req)(env, start_response)
--            else:
--                # Lack of posthook support means that we have to log on the
--                # start of the response, rather than after all the data has
--                # been sent. This prevents logging client disconnects
--                # differently than full transmissions.
--                response = self.handle_request(req)(env, start_response)
--                self.posthooklogger(env, req)
--                return response
--        except (Exception, TimeoutError):
--            print "EXCEPTION IN handle: %s: %s" % (format_exc(), env)
--            start_response('500 Server Error',
--                           [('Content-Type', 'text/plain')])
--            return ['Internal server error.\n']
--
--    def handle_request(self, req):
--        """
--        Entry point for auth requests (ones that match the self.auth_prefix).
--        Should return a WSGI-style callable (such as webob.Response).
--
--        :param req: webob.Request object
--        """
--        req.start_time = time()
--        handler = None
--        try:
--            version, account, user, _junk = split_path(req.path_info,
--                minsegs=1, maxsegs=4, rest_with_last=True)
--        except ValueError:
--            return HTTPNotFound(request=req)
--        if version in ('v1', 'v1.0', 'auth'):
--            if req.method == 'GET':
--                handler = self.handle_get_token
--        elif version == 'v2':
--            req.path_info_pop()
--            if req.method == 'GET':
--                if not account and not user:
--                    handler = self.handle_get_reseller
--                elif account:
--                    if not user:
--                        handler = self.handle_get_account
--                    elif account == '.token':
--                        req.path_info_pop()
--                        handler = self.handle_validate_token
--                    else:
--                        handler = self.handle_get_user
--            elif req.method == 'PUT':
--                if not user:
--                    handler = self.handle_put_account
--                else:
--                    handler = self.handle_put_user
--            elif req.method == 'DELETE':
--                if not user:
--                    handler = self.handle_delete_account
--                else:
--                    handler = self.handle_delete_user
--            elif req.method == 'POST':
--                if account == '.prep':
--                    handler = self.handle_prep
--                elif user == '.services':
--                    handler = self.handle_set_services
--        if not handler:
--            req.response = HTTPBadRequest(request=req)
--        else:
--            req.response = handler(req)
--        return req.response
--
--    def handle_prep(self, req):
--        """
--        Handles the POST v2/.prep call for preparing the backing store Swift
--        cluster for use with the auth subsystem. Can only be called by
--        .super_admin.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 204 on success
--        """
--        if not self.is_super_admin(req):
--            return HTTPForbidden(request=req)
--        path = quote('/v1/%s' % self.auth_account)
--        resp = self.make_request(req.environ, 'PUT',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not create the main auth account: %s %s' %
--                            (path, resp.status))
--        path = quote('/v1/%s/.account_id' % self.auth_account)
--        resp = self.make_request(req.environ, 'PUT',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not create container: %s %s' %
--                            (path, resp.status))
--        for container in xrange(16):
--            path = quote('/v1/%s/.token_%x' % (self.auth_account, container))
--            resp = self.make_request(req.environ, 'PUT',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not create container: %s %s' %
--                                (path, resp.status))
--        return HTTPNoContent(request=req)
--
--    def handle_get_reseller(self, req):
--        """
--        Handles the GET v2 call for getting general reseller information
--        (currently just a list of accounts). Can only be called by a
--        .reseller_admin.
--
--        On success, a JSON dictionary will be returned with a single `accounts`
--        key whose value is list of dicts. Each dict represents an account and
--        currently only contains the single key `name`. For example::
--
--            {"accounts": [{"name": "reseller"}, {"name": "test"},
--                          {"name": "test2"}]}
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success with a JSON dictionary as
--                  explained above.
--        """
--        if not self.is_reseller_admin(req):
--            return HTTPForbidden(request=req)
--        listing = []
--        marker = ''
--        while True:
--            path = '/v1/%s?format=json&marker=%s' % (quote(self.auth_account),
--                                                     quote(marker))
--            resp = self.make_request(req.environ, 'GET',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not list main auth account: %s %s' %
--                                (path, resp.status))
--            sublisting = json.loads(resp.body)
--            if not sublisting:
--                break
--            for container in sublisting:
--                if container['name'][0] != '.':
--                    listing.append({'name': container['name']})
--            marker = sublisting[-1]['name']
--        return Response(body=json.dumps({'accounts': listing}))
--
--    def handle_get_account(self, req):
--        """
--        Handles the GET v2/<account> call for getting account information.
--        Can only be called by an account .admin.
--
--        On success, a JSON dictionary will be returned containing the keys
--        `account_id`, `services`, and `users`. The `account_id` is the value
--        used when creating service accounts. The `services` value is a dict as
--        described in the :func:`handle_get_token` call. The `users` value is a
--        list of dicts, each dict representing a user and currently only
--        containing the single key `name`. For example::
--
--             {"account_id": "AUTH_018c3946-23f8-4efb-a8fb-b67aae8e4162",
--              "services": {"storage": {"default": "local",
--                           "local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}},
--              "users": [{"name": "tester"}, {"name": "tester3"}]}
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success with a JSON dictionary as
--                  explained above.
--        """
--        account = req.path_info_pop()
--        if req.path_info or not account or account[0] == '.':
--            return HTTPBadRequest(request=req)
--        if not self.is_account_admin(req, account):
--            return HTTPForbidden(request=req)
--        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'GET',
--                                 path).get_response(self.app)
--        if resp.status_int == 404:
--            return HTTPNotFound(request=req)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not obtain the .services object: %s %s' %
--                            (path, resp.status))
--        services = json.loads(resp.body)
--        listing = []
--        marker = ''
--        while True:
--            path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
--                (self.auth_account, account)), quote(marker))
--            resp = self.make_request(req.environ, 'GET',
--                                     path).get_response(self.app)
--            if resp.status_int == 404:
--                return HTTPNotFound(request=req)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not list in main auth account: %s %s' %
--                                (path, resp.status))
--            account_id = resp.headers['X-Container-Meta-Account-Id']
--            sublisting = json.loads(resp.body)
--            if not sublisting:
--                break
--            for obj in sublisting:
--                if obj['name'][0] != '.':
--                    listing.append({'name': obj['name']})
--            marker = sublisting[-1]['name']
--        return Response(body=json.dumps({'account_id': account_id,
--                                    'services': services, 'users': listing}))
--
--    def handle_set_services(self, req):
--        """
--        Handles the POST v2/<account>/.services call for setting services
--        information. Can only be called by a reseller .admin.
--
--        In the :func:`handle_get_account` (GET v2/<account>) call, a section of
--        the returned JSON dict is `services`. This section looks something like
--        this::
--
--              "services": {"storage": {"default": "local",
--                            "local": "http://127.0.0.1:8080/v1/AUTH_018c3946"}}
--
--        Making use of this section is described in :func:`handle_get_token`.
--
--        This function allows setting values within this section for the
--        <account>, allowing the addition of new service end points or updating
--        existing ones.
--
--        The body of the POST request should contain a JSON dict with the
--        following format::
--
--            {"service_name": {"end_point_name": "end_point_value"}}
--
--        There can be multiple services and multiple end points in the same
--        call.
--
--        Any new services or end points will be added to the existing set of
--        services and end points. Any existing services with the same service
--        name will be merged with the new end points. Any existing end points
--        with the same end point name will have their values updated.
--
--        The updated services dictionary will be returned on success.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success with the udpated services JSON
--                  dict as described above
--        """
--        if not self.is_reseller_admin(req):
--            return HTTPForbidden(request=req)
--        account = req.path_info_pop()
--        if req.path_info != '/.services' or not account or account[0] == '.':
--            return HTTPBadRequest(request=req)
--        try:
--            new_services = json.loads(req.body)
--        except ValueError, err:
--            return HTTPBadRequest(body=str(err))
--        # Get the current services information
--        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'GET',
--                                 path).get_response(self.app)
--        if resp.status_int == 404:
--            return HTTPNotFound(request=req)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not obtain services info: %s %s' %
--                            (path, resp.status))
--        services = json.loads(resp.body)
--        for new_service, value in new_services.iteritems():
--            if new_service in services:
--                services[new_service].update(value)
--            else:
--                services[new_service] = value
--        # Save the new services information
--        services = json.dumps(services)
--        resp = self.make_request(req.environ, 'PUT', path,
--                                 services).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not save .services object: %s %s' %
--                            (path, resp.status))
--        return Response(request=req, body=services)
--
--    def handle_put_account(self, req):
--        """
--        Handles the PUT v2/<account> call for adding an account to the auth
--        system. Can only be called by a .reseller_admin.
--
--        By default, a newly created UUID4 will be used with the reseller prefix
--        as the account id used when creating corresponding service accounts.
--        However, you can provide an X-Account-Suffix header to replace the
--        UUID4 part.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success.
--        """
--        if not self.is_reseller_admin(req):
--            return HTTPForbidden(request=req)
--        account = req.path_info_pop()
--        if req.path_info or not account or account[0] == '.':
--            return HTTPBadRequest(request=req)
--        # Ensure the container in the main auth account exists (this
--        # container represents the new account)
--        path = quote('/v1/%s/%s' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'HEAD',
--                                 path).get_response(self.app)
--        if resp.status_int == 404:
--            resp = self.make_request(req.environ, 'PUT',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not create account within main auth '
--                    'account: %s %s' % (path, resp.status))
--        elif resp.status_int // 100 == 2:
--            if 'x-container-meta-account-id' in resp.headers:
--                # Account was already created
--                return HTTPAccepted(request=req)
--        else:
--            raise Exception('Could not verify account within main auth '
--                'account: %s %s' % (path, resp.status))
--        account_suffix = req.headers.get('x-account-suffix')
--        if not account_suffix:
--            account_suffix = str(uuid4())
--        # Create the new account in the Swift cluster
--        path = quote('%s/%s%s' % (self.dsc_parsed2.path,
--                                  self.reseller_prefix, account_suffix))
--        try:
--            conn = self.get_conn()
--            conn.request('PUT', path,
--                        headers={'X-Auth-Token': self.get_itoken(req.environ)})
--            resp = conn.getresponse()
--            resp.read()
--            if resp.status // 100 != 2:
--                raise Exception('Could not create account on the Swift '
--                    'cluster: %s %s %s' % (path, resp.status, resp.reason))
--        except (Exception, TimeoutError):
--            self.logger.error(_('ERROR: Exception while trying to communicate '
--                'with %(scheme)s://%(host)s:%(port)s/%(path)s'),
--                {'scheme': self.dsc_parsed2.scheme,
--                 'host': self.dsc_parsed2.hostname,
--                 'port': self.dsc_parsed2.port, 'path': path})
--            raise
--        # Record the mapping from account id back to account name
--        path = quote('/v1/%s/.account_id/%s%s' %
--                     (self.auth_account, self.reseller_prefix, account_suffix))
--        resp = self.make_request(req.environ, 'PUT', path,
--                                 account).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not create account id mapping: %s %s' %
--                            (path, resp.status))
--        # Record the cluster url(s) for the account
--        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
--        services = {'storage': {}}
--        services['storage'][self.dsc_name] = '%s/%s%s' % (self.dsc_url,
--            self.reseller_prefix, account_suffix)
--        services['storage']['default'] = self.dsc_name
--        resp = self.make_request(req.environ, 'PUT', path,
--                                 json.dumps(services)).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not create .services object: %s %s' %
--                            (path, resp.status))
--        # Record the mapping from account name to the account id
--        path = quote('/v1/%s/%s' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'POST', path,
--            headers={'X-Container-Meta-Account-Id': '%s%s' %
--            (self.reseller_prefix, account_suffix)}).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not record the account id on the account: '
--                            '%s %s' % (path, resp.status))
--        return HTTPCreated(request=req)
--
--    def handle_delete_account(self, req):
--        """
--        Handles the DELETE v2/<account> call for removing an account from the
--        auth system. Can only be called by a .reseller_admin.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success.
--        """
--        if not self.is_reseller_admin(req):
--            return HTTPForbidden(request=req)
--        account = req.path_info_pop()
--        if req.path_info or not account or account[0] == '.':
--            return HTTPBadRequest(request=req)
--        # Make sure the account has no users and get the account_id
--        marker = ''
--        while True:
--            path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
--                (self.auth_account, account)), quote(marker))
--            resp = self.make_request(req.environ, 'GET',
--                                     path).get_response(self.app)
--            if resp.status_int == 404:
--                return HTTPNotFound(request=req)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not list in main auth account: %s %s' %
--                                (path, resp.status))
--            account_id = resp.headers['x-container-meta-account-id']
--            sublisting = json.loads(resp.body)
--            if not sublisting:
--                break
--            for obj in sublisting:
--                if obj['name'][0] != '.':
--                    return HTTPConflict(request=req)
--            marker = sublisting[-1]['name']
--        # Obtain the listing of services the account is on.
--        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'GET',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2 and resp.status_int != 404:
--            raise Exception('Could not obtain .services object: %s %s' %
--                            (path, resp.status))
--        if resp.status_int // 100 == 2:
--            services = json.loads(resp.body)
--            # Delete the account on each cluster it is on.
--            deleted_any = False
--            for name, url in services['storage'].iteritems():
--                if name != 'default':
--                    parsed = urlparse(url)
--                    conn = self.get_conn(parsed)
--                    conn.request('DELETE', parsed.path,
--                        headers={'X-Auth-Token': self.get_itoken(req.environ)})
--                    resp = conn.getresponse()
--                    resp.read()
--                    if resp.status == 409:
--                        if deleted_any:
--                            raise Exception('Managed to delete one or more '
--                                'service end points, but failed with: '
--                                '%s %s %s' % (url, resp.status, resp.reason))
--                        else:
--                            return HTTPConflict(request=req)
--                    if resp.status // 100 != 2 and resp.status != 404:
--                        raise Exception('Could not delete account on the '
--                            'Swift cluster: %s %s %s' %
--                            (url, resp.status, resp.reason))
--                    deleted_any = True
--            # Delete the .services object itself.
--            path = quote('/v1/%s/%s/.services' %
--                         (self.auth_account, account))
--            resp = self.make_request(req.environ, 'DELETE',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2 and resp.status_int != 404:
--                raise Exception('Could not delete .services object: %s %s' %
--                                (path, resp.status))
--        # Delete the account id mapping for the account.
--        path = quote('/v1/%s/.account_id/%s' %
--                     (self.auth_account, account_id))
--        resp = self.make_request(req.environ, 'DELETE',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2 and resp.status_int != 404:
--            raise Exception('Could not delete account id mapping: %s %s' %
--                            (path, resp.status))
--        # Delete the account marker itself.
--        path = quote('/v1/%s/%s' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'DELETE',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2 and resp.status_int != 404:
--            raise Exception('Could not delete account marked: %s %s' %
--                            (path, resp.status))
--        return HTTPNoContent(request=req)
--
--    def handle_get_user(self, req):
--        """
--        Handles the GET v2/<account>/<user> call for getting user information.
--        Can only be called by an account .admin.
--
--        On success, a JSON dict will be returned as described::
--
--            {"groups": [  # List of groups the user is a member of
--                {"name": "<act>:<usr>"},
--                    # The first group is a unique user identifier
--                {"name": "<account>"},
--                    # The second group is the auth account name
--                {"name": "<additional-group>"}
--                    # There may be additional groups, .admin being a special
--                    # group indicating an account admin and .reseller_admin
--                    # indicating a reseller admin.
--             ],
--             "auth": "plaintext:<key>"
--             # The auth-type and key for the user; currently only plaintext is
--             # implemented.
--            }
--
--        For example::
--
--            {"groups": [{"name": "test:tester"}, {"name": "test"},
--                        {"name": ".admin"}],
--             "auth": "plaintext:testing"}
--
--        If the <user> in the request is the special user `.groups`, the JSON
--        dict will contain a single key of `groups` whose value is a list of
--        dicts representing the active groups within the account. Each dict
--        currently has the single key `name`. For example::
--
--            {"groups": [{"name": ".admin"}, {"name": "test"},
--                        {"name": "test:tester"}, {"name": "test:tester3"}]}
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success with a JSON dictionary as
--                  explained above.
--        """
--        account = req.path_info_pop()
--        user = req.path_info_pop()
--        if req.path_info or not account or account[0] == '.' or not user or \
--                (user[0] == '.' and user != '.groups'):
--            return HTTPBadRequest(request=req)
--        if not self.is_account_admin(req, account):
--            return HTTPForbidden(request=req)
--        if user == '.groups':
--            # TODO: This could be very slow for accounts with a really large
--            # number of users. Speed could be improved by concurrently
--            # requesting user group information. Then again, I don't *know*
--            # it's slow for `normal` use cases, so testing should be done.
--            groups = set()
--            marker = ''
--            while True:
--                path = '/v1/%s?format=json&marker=%s' % (quote('%s/%s' %
--                    (self.auth_account, account)), quote(marker))
--                resp = self.make_request(req.environ, 'GET',
--                                         path).get_response(self.app)
--                if resp.status_int == 404:
--                    return HTTPNotFound(request=req)
--                if resp.status_int // 100 != 2:
--                    raise Exception('Could not list in main auth account: '
--                                    '%s %s' % (path, resp.status))
--                sublisting = json.loads(resp.body)
--                if not sublisting:
--                    break
--                for obj in sublisting:
--                    if obj['name'][0] != '.':
--                        path = quote('/v1/%s/%s/%s' % (self.auth_account,
--                                                       account, obj['name']))
--                        resp = self.make_request(req.environ, 'GET',
--                                                 path).get_response(self.app)
--                        if resp.status_int // 100 != 2:
--                            raise Exception('Could not retrieve user object: '
--                                            '%s %s' % (path, resp.status))
--                        groups.update(g['name']
--                            for g in json.loads(resp.body)['groups'])
--                marker = sublisting[-1]['name']
--            body = json.dumps({'groups':
--                                [{'name': g} for g in sorted(groups)]})
--        else:
--            path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--            resp = self.make_request(req.environ, 'GET',
--                                     path).get_response(self.app)
--            if resp.status_int == 404:
--                return HTTPNotFound(request=req)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not retrieve user object: %s %s' %
--                                (path, resp.status))
--            body = resp.body
--            display_groups = [g['name'] for g in json.loads(body)['groups']]
--            if ('.admin' in display_groups and
--                not self.is_reseller_admin(req)) or \
--               ('.reseller_admin' in display_groups and
--                not self.is_super_admin(req)):
--                return HTTPForbidden(request=req)
--        return Response(body=body)
--
--    def handle_put_user(self, req):
--        """
--        Handles the PUT v2/<account>/<user> call for adding a user to an
--        account.
--
--        X-Auth-User-Key represents the user's key, X-Auth-User-Admin may be set
--        to `true` to create an account .admin, and X-Auth-User-Reseller-Admin
--        may be set to `true` to create a .reseller_admin.
--
--        Can only be called by an account .admin unless the user is to be a
--        .reseller_admin, in which case the request must be by .super_admin.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success.
--        """
--        # Validate path info
--        account = req.path_info_pop()
--        user = req.path_info_pop()
--        key = req.headers.get('x-auth-user-key')
--        admin = req.headers.get('x-auth-user-admin') == 'true'
--        reseller_admin = \
--            req.headers.get('x-auth-user-reseller-admin') == 'true'
--        if reseller_admin:
--            admin = True
--        if req.path_info or not account or account[0] == '.' or not user or \
--                user[0] == '.' or not key:
--            return HTTPBadRequest(request=req)
--        if reseller_admin:
--            if not self.is_super_admin(req):
--                return HTTPForbidden(request=req)
--        elif not self.is_account_admin(req, account):
--            return HTTPForbidden(request=req)
--
--        path = quote('/v1/%s/%s' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'HEAD',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not retrieve account id value: %s %s' %
--                            (path, resp.status))
--        headers = {'X-Object-Meta-Account-Id':
--                        resp.headers['x-container-meta-account-id']}
--        # Create the object in the main auth account (this object represents
--        # the user)
--        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--        groups = ['%s:%s' % (account, user), account]
--        if admin:
--            groups.append('.admin')
--        if reseller_admin:
--            groups.append('.reseller_admin')
--        resp = self.make_request(req.environ, 'PUT', path,
--            json.dumps({'auth': 'plaintext:%s' % key,
--                        'groups': [{'name': g} for g in groups]}),
--            headers=headers).get_response(self.app)
--        if resp.status_int == 404:
--            return HTTPNotFound(request=req)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not create user object: %s %s' %
--                            (path, resp.status))
--        return HTTPCreated(request=req)
--
--    def handle_delete_user(self, req):
--        """
--        Handles the DELETE v2/<account>/<user> call for deleting a user from an
--        account.
--
--        Can only be called by an account .admin.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success.
--        """
--        # Validate path info
--        account = req.path_info_pop()
--        user = req.path_info_pop()
--        if req.path_info or not account or account[0] == '.' or not user or \
--                user[0] == '.':
--            return HTTPBadRequest(request=req)
--        if not self.is_account_admin(req, account):
--            return HTTPForbidden(request=req)
--        # Delete the user's existing token, if any.
--        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--        resp = self.make_request(req.environ, 'HEAD',
--                                 path).get_response(self.app)
--        if resp.status_int == 404:
--            return HTTPNotFound(request=req)
--        elif resp.status_int // 100 != 2:
--            raise Exception('Could not obtain user details: %s %s' %
--                            (path, resp.status))
--        candidate_token = resp.headers.get('x-object-meta-auth-token')
--        if candidate_token:
--            path = quote('/v1/%s/.token_%s/%s' %
--                (self.auth_account, candidate_token[-1], candidate_token))
--            resp = self.make_request(req.environ, 'DELETE',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2 and resp.status_int != 404:
--                raise Exception('Could not delete possibly existing token: '
--                                '%s %s' % (path, resp.status))
--        # Delete the user entry itself.
--        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--        resp = self.make_request(req.environ, 'DELETE',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2 and resp.status_int != 404:
--            raise Exception('Could not delete the user object: %s %s' %
--                            (path, resp.status))
--        return HTTPNoContent(request=req)
--
--    def handle_get_token(self, req):
--        """
--        Handles the various `request for token and service end point(s)` calls.
--        There are various formats to support the various auth servers in the
--        past. Examples::
--
--            GET <auth-prefix>/v1/<act>/auth
--                X-Auth-User: <act>:<usr>  or  X-Storage-User: <usr>
--                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
--            GET <auth-prefix>/auth
--                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
--                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
--            GET <auth-prefix>/v1.0
--                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
--                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
--
--        On successful authentication, the response will have X-Auth-Token and
--        X-Storage-Token set to the token to use with Swift and X-Storage-URL
--        set to the URL to the default Swift cluster to use.
--
--        The response body will be set to the account's services JSON object as
--        described here::
--
--            {"storage": {     # Represents the Swift storage service end points
--                "default": "cluster1", # Indicates which cluster is the default
--                "cluster1": "<URL to use with Swift>",
--                    # A Swift cluster that can be used with this account,
--                    # "cluster1" is the name of the cluster which is usually a
--                    # location indicator (like "dfw" for a datacenter region).
--                "cluster2": "<URL to use with Swift>"
--                    # Another Swift cluster that can be used with this account,
--                    # there will always be at least one Swift cluster to use or
--                    # this whole "storage" dict won't be included at all.
--             },
--             "servers": {       # Represents the Nova server service end points
--                # Expected to be similar to the "storage" dict, but not
--                # implemented yet.
--             },
--             # Possibly other service dicts, not implemented yet.
--            }
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success with data set as explained
--                  above.
--        """
--        # Validate the request info
--        try:
--            pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3,
--                                  rest_with_last=True)
--        except ValueError:
--            return HTTPNotFound(request=req)
--        if pathsegs[0] == 'v1' and pathsegs[2] == 'auth':
--            account = pathsegs[1]
--            user = req.headers.get('x-storage-user')
--            if not user:
--                user = req.headers.get('x-auth-user')
--                if not user or ':' not in user:
--                    return HTTPUnauthorized(request=req)
--                account2, user = user.split(':', 1)
--                if account != account2:
--                    return HTTPUnauthorized(request=req)
--            key = req.headers.get('x-storage-pass')
--            if not key:
--                key = req.headers.get('x-auth-key')
--        elif pathsegs[0] in ('auth', 'v1.0'):
--            user = req.headers.get('x-auth-user')
--            if not user:
--                user = req.headers.get('x-storage-user')
--            if not user or ':' not in user:
--                return HTTPUnauthorized(request=req)
--            account, user = user.split(':', 1)
--            key = req.headers.get('x-auth-key')
--            if not key:
--                key = req.headers.get('x-storage-pass')
--        else:
--            return HTTPBadRequest(request=req)
--        if not all((account, user, key)):
--            return HTTPUnauthorized(request=req)
--        if user == '.super_admin' and key == self.super_admin_key:
--            token = self.get_itoken(req.environ)
--            url = '%s/%s.auth' % (self.dsc_url, self.reseller_prefix)
--            return Response(request=req,
--              body=json.dumps({'storage': {'default': 'local', 'local': url}}),
--              headers={'x-auth-token': token, 'x-storage-token': token,
--                       'x-storage-url': url})
--        # Authenticate user
--        path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--        resp = self.make_request(req.environ, 'GET',
--                                 path).get_response(self.app)
--        if resp.status_int == 404:
--            return HTTPUnauthorized(request=req)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not obtain user details: %s %s' %
--                            (path, resp.status))
--        user_detail = json.loads(resp.body)
--        if not self.credentials_match(user_detail, key):
--            return HTTPUnauthorized(request=req)
--        # See if a token already exists and hasn't expired
--        token = None
--        candidate_token = resp.headers.get('x-object-meta-auth-token')
--        if candidate_token:
--            path = quote('/v1/%s/.token_%s/%s' %
--                (self.auth_account, candidate_token[-1], candidate_token))
--            resp = self.make_request(req.environ, 'GET',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 == 2:
--                token_detail = json.loads(resp.body)
--                if token_detail['expires'] > time():
--                    token = candidate_token
--                else:
--                    self.make_request(req.environ, 'DELETE',
--                                      path).get_response(self.app)
--            elif resp.status_int != 404:
--                raise Exception('Could not detect whether a token already '
--                                'exists: %s %s' % (path, resp.status))
--        # Create a new token if one didn't exist
--        if not token:
--            # Retrieve account id, we'll save this in the token
--            path = quote('/v1/%s/%s' % (self.auth_account, account))
--            resp = self.make_request(req.environ, 'HEAD',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not retrieve account id value: '
--                                '%s %s' % (path, resp.status))
--            account_id = \
--                resp.headers['x-container-meta-account-id']
--            # Generate new token
--            token = '%stk%s' % (self.reseller_prefix, uuid4().hex)
--            # Save token info
--            path = quote('/v1/%s/.token_%s/%s' %
--                         (self.auth_account, token[-1], token))
--            resp = self.make_request(req.environ, 'PUT', path,
--                json.dumps({'account': account, 'user': user,
--                'account_id': account_id,
--                'groups': user_detail['groups'],
--                'expires': time() + self.token_life})).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not create new token: %s %s' %
--                                (path, resp.status))
--            # Record the token with the user info for future use.
--            path = quote('/v1/%s/%s/%s' % (self.auth_account, account, user))
--            resp = self.make_request(req.environ, 'POST', path,
--                headers={'X-Object-Meta-Auth-Token': token}
--                ).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                raise Exception('Could not save new token: %s %s' %
--                                (path, resp.status))
--        # Get the services information
--        path = quote('/v1/%s/%s/.services' % (self.auth_account, account))
--        resp = self.make_request(req.environ, 'GET',
--                                 path).get_response(self.app)
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not obtain services info: %s %s' %
--                            (path, resp.status))
--        detail = json.loads(resp.body)
--        url = detail['storage'][detail['storage']['default']]
--        return Response(request=req, body=resp.body,
--            headers={'x-auth-token': token, 'x-storage-token': token,
--                     'x-storage-url': url})
--
--    def handle_validate_token(self, req):
--        """
--        Handles the GET v2/.token/<token> call for validating a token, usually
--        called by a service like Swift.
--
--        On a successful validation, X-Auth-TTL will be set for how much longer
--        this token is valid and X-Auth-Groups will contain a comma separated
--        list of groups the user belongs to.
--
--        The first group listed will be a unique identifier for the user the
--        token represents.
--
--        .reseller_admin is a special group that indicates the user should be
--        allowed to do anything on any account.
--
--        :param req: The webob.Request to process.
--        :returns: webob.Response, 2xx on success with data set as explained
--                  above.
--        """
--        token = req.path_info_pop()
--        if req.path_info or not token.startswith(self.reseller_prefix):
--            return HTTPBadRequest(request=req)
--        expires = groups = None
--        memcache_client = cache_from_env(req.environ)
--        if memcache_client:
--            memcache_key = '%s/auth/%s' % (self.reseller_prefix, token)
--            cached_auth_data = memcache_client.get(memcache_key)
--            if cached_auth_data:
--                expires, groups = cached_auth_data
--                if expires < time():
--                    groups = None
--        if not groups:
--            path = quote('/v1/%s/.token_%s/%s' %
--                         (self.auth_account, token[-1], token))
--            resp = self.make_request(req.environ, 'GET',
--                                     path).get_response(self.app)
--            if resp.status_int // 100 != 2:
--                return HTTPNotFound(request=req)
--            detail = json.loads(resp.body)
--            expires = detail['expires']
--            if expires < time():
--                self.make_request(req.environ, 'DELETE',
--                                  path).get_response(self.app)
--                return HTTPNotFound(request=req)
--            groups = [g['name'] for g in detail['groups']]
--            if '.admin' in groups:
--                groups.remove('.admin')
--                groups.append(detail['account_id'])
--            groups = ','.join(groups)
--        return HTTPNoContent(headers={'X-Auth-TTL': expires - time(),
--                                      'X-Auth-Groups': groups})
--
--    def make_request(self, env, method, path, body=None, headers=None):
--        """
--        Makes a new webob.Request based on the current env but with the
--        parameters specified.
--
--        :param env: Current WSGI environment dictionary
--        :param method: HTTP method of new request
--        :param path: HTTP path of new request
--        :param body: HTTP body of new request; None by default
--        :param headers: Extra HTTP headers of new request; None by default
--
--        :returns: webob.Request object
--        """
--        newenv = {'REQUEST_METHOD': method, 'HTTP_USER_AGENT': 'Swauth'}
--        for name in ('swift.cache', 'HTTP_X_CF_TRANS_ID'):
--            if name in env:
--                newenv[name] = env[name]
--        if not headers:
--            headers = {}
--        if body:
--            return Request.blank(path, environ=newenv, body=body,
--                                 headers=headers)
--        else:
--            return Request.blank(path, environ=newenv, headers=headers)
--
--    def get_conn(self, urlparsed=None):
--        """
--        Returns an HTTPConnection based on the urlparse result given or the
--        default Swift cluster (internal url) urlparse result.
--
--        :param urlparsed: The result from urlparse.urlparse or None to use the
--                          default Swift cluster's value
--        """
--        if not urlparsed:
--            urlparsed = self.dsc_parsed2
--        if urlparsed.scheme == 'http':
--            return HTTPConnection(urlparsed.netloc)
--        else:
--            return HTTPSConnection(urlparsed.netloc)
--
--    def get_itoken(self, env):
--        """
--        Returns the current internal token to use for the auth system's own
--        actions with other services. Each process will create its own
--        itoken and the token will be deleted and recreated based on the
--        token_life configuration value. The itoken information is stored in
--        memcache because the auth process that is asked by Swift to validate
--        the token may not be the same as the auth process that created the
--        token.
--        """
--        if not self.itoken or self.itoken_expires < time():
--            self.itoken = '%sitk%s' % (self.reseller_prefix, uuid4().hex)
--            memcache_key = '%s/auth/%s' % (self.reseller_prefix, self.itoken)
--            self.itoken_expires = time() + self.token_life - 60
--            memcache_client = cache_from_env(env)
--            if not memcache_client:
--                raise Exception(
--                    'No memcache set up; required for Swauth middleware')
--            memcache_client.set(memcache_key, (self.itoken_expires,
--                '.auth,.reseller_admin,%s.auth' % self.reseller_prefix),
--                timeout=self.token_life)
--        return self.itoken
--
--    def get_admin_detail(self, req):
--        """
--        Returns the dict for the user specified as the admin in the request
--        with the addition of an `account` key set to the admin user's account.
--
--        :param req: The webob request to retrieve X-Auth-Admin-User and
--                    X-Auth-Admin-Key from.
--        :returns: The dict for the admin user with the addition of the
--                  `account` key.
--        """
--        if ':' not in req.headers.get('x-auth-admin-user', ''):
--            return None
--        admin_account, admin_user = \
--            req.headers.get('x-auth-admin-user').split(':', 1)
--        path = quote('/v1/%s/%s/%s' % (self.auth_account, admin_account,
--                                       admin_user))
--        resp = self.make_request(req.environ, 'GET',
--                                 path).get_response(self.app)
--        if resp.status_int == 404:
--            return None
--        if resp.status_int // 100 != 2:
--            raise Exception('Could not get admin user object: %s %s' %
--                            (path, resp.status))
--        admin_detail = json.loads(resp.body)
--        admin_detail['account'] = admin_account
--        return admin_detail
--
--    def credentials_match(self, user_detail, key):
--        """
--        Returns True if the key is valid for the user_detail. Currently, this
--        only supports plaintext key matching.
--
--        :param user_detail: The dict for the user.
--        :param key: The key to validate for the user.
--        :returns: True if the key is valid for the user, False if not.
--        """
--        return user_detail and user_detail.get('auth') == 'plaintext:%s' % key
--
--    def is_super_admin(self, req):
--        """
--        Returns True if the admin specified in the request represents the
--        .super_admin.
--
--        :param req: The webob.Request to check.
--        :param returns: True if .super_admin.
--        """
--        return req.headers.get('x-auth-admin-user') == '.super_admin' and \
--               req.headers.get('x-auth-admin-key') == self.super_admin_key
--
--    def is_reseller_admin(self, req, admin_detail=None):
--        """
--        Returns True if the admin specified in the request represents a
--        .reseller_admin.
--
--        :param req: The webob.Request to check.
--        :param admin_detail: The previously retrieved dict from
--                             :func:`get_admin_detail` or None for this function
--                             to retrieve the admin_detail itself.
--        :param returns: True if .reseller_admin.
--        """
--        if self.is_super_admin(req):
--            return True
--        if not admin_detail:
--            admin_detail = self.get_admin_detail(req)
--        if not self.credentials_match(admin_detail,
--                                      req.headers.get('x-auth-admin-key')):
--            return False
--        return '.reseller_admin' in (g['name'] for g in admin_detail['groups'])
--
--    def is_account_admin(self, req, account):
--        """
--        Returns True if the admin specified in the request represents a .admin
--        for the account specified.
--
--        :param req: The webob.Request to check.
--        :param account: The account to check for .admin against.
--        :param returns: True if .admin.
--        """
--        if self.is_super_admin(req):
--            return True
--        admin_detail = self.get_admin_detail(req)
--        if admin_detail:
--            if self.is_reseller_admin(req, admin_detail=admin_detail):
--                return True
--            if not self.credentials_match(admin_detail,
--                                          req.headers.get('x-auth-admin-key')):
--                return False
--            return admin_detail and admin_detail['account'] == account and \
--                   '.admin' in (g['name'] for g in admin_detail['groups'])
--        return False
--
--    def posthooklogger(self, env, req):
--        if not req.path.startswith(self.auth_prefix):
--            return
--        response = getattr(req, 'response', None)
--        if not response:
--            return
--        trans_time = '%.4f' % (time() - req.start_time)
--        the_request = quote(unquote(req.path))
--        if req.query_string:
--            the_request = the_request + '?' + req.query_string
--        # remote user for zeus
--        client = req.headers.get('x-cluster-client-ip')
--        if not client and 'x-forwarded-for' in req.headers:
--            # remote user for other lbs
--            client = req.headers['x-forwarded-for'].split(',')[0].strip()
--        logged_headers = None
--        if self.log_headers:
--            logged_headers = '\n'.join('%s: %s' % (k, v)
--                                       for k, v in req.headers.items())
--        status_int = response.status_int
--        if getattr(req, 'client_disconnect', False) or \
--                getattr(response, 'client_disconnect', False):
--            status_int = 499
--        self.logger.info(' '.join(quote(str(x)) for x in (client or '-',
--            req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()),
--            req.method, the_request, req.environ['SERVER_PROTOCOL'],
--            status_int, req.referer or '-', req.user_agent or '-',
--            req.headers.get('x-auth-token',
--                req.headers.get('x-auth-admin-user', '-')),
--            getattr(req, 'bytes_transferred', 0) or '-',
--            getattr(response, 'bytes_transferred', 0) or '-',
--            req.headers.get('etag', '-'),
--            req.headers.get('x-trans-id', '-'), logged_headers or '-',
--            trans_time)))
--
--
--def filter_factory(global_conf, **local_conf):
--    """Returns a WSGI filter app for use with paste.deploy."""
--    conf = global_conf.copy()
--    conf.update(local_conf)
--
--    def auth_filter(app):
--        return Swauth(app, conf)
--    return auth_filter
 === added file 'swift/common/middleware/tempauth.py'
 --- swift/common/middleware/tempauth.py	1970-01-01 00:00:00 +0000
 +++ swift/common/middleware/tempauth.py	2011-06-03 00:13:27 +0000
@@ -0,0 +1,495 @@
++# Copyright (c) 2011 OpenStack, LLC.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#    http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++# implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++from time import gmtime, strftime, time
++from traceback import format_exc
++from urllib import quote, unquote
++from uuid import uuid4
++from hashlib import sha1
++import hmac
++import base64
++
++from eventlet import TimeoutError
++from webob import Response, Request
++from webob.exc import HTTPBadRequest, HTTPForbidden, HTTPNotFound, \
++    HTTPUnauthorized
++
++from swift.common.middleware.acl import clean_acl, parse_acl, referrer_allowed
++from swift.common.utils import cache_from_env, get_logger, get_remote_client, \
++    split_path
++
++
++class TempAuth(object):
++    """
++    Test authentication and authorization system.
++
++    Add to your pipeline in proxy-server.conf, such as::
++
++        [pipeline:main]
++        pipeline = catch_errors cache tempauth proxy-server
++
++    And add a tempauth filter section, such as::
++
++        [filter:tempauth]
++        use = egg:swift#tempauth
++        user_admin_admin = admin .admin .reseller_admin
++        user_test_tester = testing .admin
++        user_test2_tester2 = testing2 .admin
++        user_test_tester3 = testing3
++
++    See the proxy-server.conf-sample for more information.
++
++    :param app: The next WSGI app in the pipeline
++    :param conf: The dict of configuration values
++    """
++
++    def __init__(self, app, conf):
++        self.app = app
++        self.conf = conf
++        self.logger = get_logger(conf, log_route='tempauth')
++        self.log_headers = conf.get('log_headers') == 'True'
++        self.reseller_prefix = conf.get('reseller_prefix', 'AUTH').strip()
++        if self.reseller_prefix and self.reseller_prefix[-1] != '_':
++            self.reseller_prefix += '_'
++        self.auth_prefix = conf.get('auth_prefix', '/auth/')
++        if not self.auth_prefix:
++            self.auth_prefix = '/auth/'
++        if self.auth_prefix[0] != '/':
++            self.auth_prefix = '/' + self.auth_prefix
++        if self.auth_prefix[-1] != '/':
++            self.auth_prefix += '/'
++        self.token_life = int(conf.get('token_life', 86400))
++        self.allowed_sync_hosts = [h.strip()
++            for h in conf.get('allowed_sync_hosts', '127.0.0.1').split(',')
++            if h.strip()]
++        self.users = {}
++        for conf_key in conf:
++            if conf_key.startswith('user_'):
++                values = conf[conf_key].split()
++                if not values:
++                    raise ValueError('%s has no key set' % conf_key)
++                key = values.pop(0)
++                if values and '://' in values[-1]:
++                    url = values.pop()
++                else:
++                    url = 'https://' if 'cert_file' in conf else 'http://'
++                    ip = conf.get('bind_ip', '127.0.0.1')
++                    if ip == '0.0.0.0':
++                        ip = '127.0.0.1'
++                    url += ip
++                    url += ':' + conf.get('bind_port', 80) + '/v1/' + \
++                           self.reseller_prefix + conf_key.split('_')[1]
++                groups = values
++                self.users[conf_key.split('_', 1)[1].replace('_', ':')] = {
++                    'key': key, 'url': url, 'groups': values}
++        self.created_accounts = False
++
++    def __call__(self, env, start_response):
++        """
++        Accepts a standard WSGI application call, authenticating the request
++        and installing callback hooks for authorization and ACL header
++        validation. For an authenticated request, REMOTE_USER will be set to a
++        comma separated list of the user's groups.
++
++        With a non-empty reseller prefix, acts as the definitive auth service
++        for just tokens and accounts that begin with that prefix, but will deny
++        requests outside this prefix if no other auth middleware overrides it.
++
++        With an empty reseller prefix, acts as the definitive auth service only
++        for tokens that validate to a non-empty set of groups. For all other
++        requests, acts as the fallback auth service when no other auth
++        middleware overrides it.
++
++        Alternatively, if the request matches the self.auth_prefix, the request
++        will be routed through the internal auth request handler (self.handle).
++        This is to handle granting tokens, etc.
++        """
++        # Ensure the accounts we handle have been created
++        if not self.created_accounts and self.users:
++            newenv = {'REQUEST_METHOD': 'GET', 'HTTP_USER_AGENT': 'TempAuth'}
++            for name in ('swift.cache', 'HTTP_X_TRANS_ID'):
++                if name in env:
++                    newenv[name] = env[name]
++            account_id = self.users.values()[0]['url'].rsplit('/', 1)[-1]
++            resp = Request.blank('/v1/' + account_id,
++                                 environ=newenv).get_response(self.app)
++            if resp.status_int // 100 != 2:
++                newenv['REQUEST_METHOD'] = 'PUT'
++                for key, value in self.users.iteritems():
++                    account_id = value['url'].rsplit('/', 1)[-1]
++                    resp = Request.blank('/v1/' + account_id,
++                                         environ=newenv).get_response(self.app)
++                    if resp.status_int // 100 != 2:
++                        raise Exception('Could not create account %s for user '
++                            '%s' % (account_id, key))
++            self.created_accounts = True
++
++        if env.get('PATH_INFO', '').startswith(self.auth_prefix):
++            return self.handle(env, start_response)
++        s3 = env.get('HTTP_AUTHORIZATION')
++        token = env.get('HTTP_X_AUTH_TOKEN', env.get('HTTP_X_STORAGE_TOKEN'))
++        if s3 or (token and token.startswith(self.reseller_prefix)):
++            # Note: Empty reseller_prefix will match all tokens.
++            groups = self.get_groups(env, token)
++            if groups:
++                env['REMOTE_USER'] = groups
++                user = groups and groups.split(',', 1)[0] or ''
++                # We know the proxy logs the token, so we augment it just a bit
++                # to also log the authenticated user.
++                env['HTTP_X_AUTH_TOKEN'] = \
++                    '%s,%s' % (user, 's3' if s3 else token)
++                env['swift.authorize'] = self.authorize
++                env['swift.clean_acl'] = clean_acl
++            else:
++                # Unauthorized token
++                if self.reseller_prefix:
++                    # Because I know I'm the definitive auth for this token, I
++                    # can deny it outright.
++                    return HTTPUnauthorized()(env, start_response)
++                # Because I'm not certain if I'm the definitive auth for empty
++                # reseller_prefixed tokens, I won't overwrite swift.authorize.
++                elif 'swift.authorize' not in env:
++                    env['swift.authorize'] = self.denied_response
++        else:
++            if self.reseller_prefix:
++                # With a non-empty reseller_prefix, I would like to be called
++                # back for anonymous access to accounts I know I'm the
++                # definitive auth for.
++                try:
++                    version, rest = split_path(env.get('PATH_INFO', ''),
++                                               1, 2, True)
++                except ValueError:
++                    return HTTPNotFound()(env, start_response)
++                if rest and rest.startswith(self.reseller_prefix):
++                    # Handle anonymous access to accounts I'm the definitive
++                    # auth for.
++                    env['swift.authorize'] = self.authorize
++                    env['swift.clean_acl'] = clean_acl
++                # Not my token, not my account, I can't authorize this request,
++                # deny all is a good idea if not already set...
++                elif 'swift.authorize' not in env:
++                    env['swift.authorize'] = self.denied_response
++            # Because I'm not certain if I'm the definitive auth for empty
++            # reseller_prefixed accounts, I won't overwrite swift.authorize.
++            elif 'swift.authorize' not in env:
++                env['swift.authorize'] = self.authorize
++                env['swift.clean_acl'] = clean_acl
++        return self.app(env, start_response)
++
++    def get_groups(self, env, token):
++        """
++        Get groups for the given token.
++
++        :param env: The current WSGI environment dictionary.
++        :param token: Token to validate and return a group string for.
++
++        :returns: None if the token is invalid or a string containing a comma
++                  separated list of groups the authenticated user is a member
++                  of. The first group in the list is also considered a unique
++                  identifier for that user.
++        """
++        groups = None
++        memcache_client = cache_from_env(env)
++        if not memcache_client:
++            raise Exception('Memcache required')
++        memcache_token_key = '%s/token/%s' % (self.reseller_prefix, token)
++        cached_auth_data = memcache_client.get(memcache_token_key)
++        if cached_auth_data:
++            expires, groups = cached_auth_data
++            if expires < time():
++                groups = None
++
++        if env.get('HTTP_AUTHORIZATION'):
++            account_user, sign = \
++                env['HTTP_AUTHORIZATION'].split(' ')[1].rsplit(':', 1)
++            if account_user not in self.users:
++                return None
++            account, user = account_user.split(':', 1)
++            account_id = self.users[account_user]['url'].rsplit('/', 1)[-1]
++            path = env['PATH_INFO']
++            env['PATH_INFO'] = path.replace(account_user, account_id, 1)
++            msg = base64.urlsafe_b64decode(unquote(token))
++            key = self.users[account_user]['key']
++            s = base64.encodestring(hmac.new(key, msg, sha1).digest()).strip()
++            if s != sign:
++                return None
++            groups = [account, account_user]
++            groups.extend(self.users[account_user]['groups'])
++            if '.admin' in groups:
++                groups.remove('.admin')
++                groups.append(account_id)
++            groups = ','.join(groups)
++
++        return groups
++
++    def authorize(self, req):
++        """
++        Returns None if the request is authorized to continue or a standard
++        WSGI response callable if not.
++        """
++        try:
++            version, account, container, obj = split_path(req.path, 1, 4, True)
++        except ValueError:
++            return HTTPNotFound(request=req)
++        if not account or not account.startswith(self.reseller_prefix):
++            return self.denied_response(req)
++        user_groups = (req.remote_user or '').split(',')
++        if '.reseller_admin' in user_groups and \
++                account != self.reseller_prefix and \
++                account[len(self.reseller_prefix)] != '.':
++            req.environ['swift_owner'] = True
++            return None
++        if account in user_groups and \
++                (req.method not in ('DELETE', 'PUT') or container):
++            # If the user is admin for the account and is not trying to do an
++            # account DELETE or PUT...
++            req.environ['swift_owner'] = True
++            return None
++        if (req.environ.get('swift_sync_key') and
++            req.environ['swift_sync_key'] ==
++                req.headers.get('x-container-sync-key', None) and
++            'x-timestamp' in req.headers and
++            (req.remote_addr in self.allowed_sync_hosts or
++             get_remote_client(req) in self.allowed_sync_hosts)):
++            return None
++        referrers, groups = parse_acl(getattr(req, 'acl', None))
++        if referrer_allowed(req.referer, referrers):
++            if obj or '.rlistings' in groups:
++                return None
++            return self.denied_response(req)
++        if not req.remote_user:
++            return self.denied_response(req)
++        for user_group in user_groups:
++            if user_group in groups:
++                return None
++        return self.denied_response(req)
++
++    def denied_response(self, req):
++        """
++        Returns a standard WSGI response callable with the status of 403 or 401
++        depending on whether the REMOTE_USER is set or not.
++        """
++        if req.remote_user:
++            return HTTPForbidden(request=req)
++        else:
++            return HTTPUnauthorized(request=req)
++
++    def handle(self, env, start_response):
++        """
++        WSGI entry point for auth requests (ones that match the
++        self.auth_prefix).
++        Wraps env in webob.Request object and passes it down.
++
++        :param env: WSGI environment dictionary
++        :param start_response: WSGI callable
++        """
++        try:
++            req = Request(env)
++            if self.auth_prefix:
++                req.path_info_pop()
++            req.bytes_transferred = '-'
++            req.client_disconnect = False
++            if 'x-storage-token' in req.headers and \
++                    'x-auth-token' not in req.headers:
++                req.headers['x-auth-token'] = req.headers['x-storage-token']
++            if 'eventlet.posthooks' in env:
++                env['eventlet.posthooks'].append(
++                    (self.posthooklogger, (req,), {}))
++                return self.handle_request(req)(env, start_response)
++            else:
++                # Lack of posthook support means that we have to log on the
++                # start of the response, rather than after all the data has
++                # been sent. This prevents logging client disconnects
++                # differently than full transmissions.
++                response = self.handle_request(req)(env, start_response)
++                self.posthooklogger(env, req)
++                return response
++        except (Exception, TimeoutError):
++            print "EXCEPTION IN handle: %s: %s" % (format_exc(), env)
++            start_response('500 Server Error',
++                           [('Content-Type', 'text/plain')])
++            return ['Internal server error.\n']
++
++    def handle_request(self, req):
++        """
++        Entry point for auth requests (ones that match the self.auth_prefix).
++        Should return a WSGI-style callable (such as webob.Response).
++
++        :param req: webob.Request object
++        """
++        req.start_time = time()
++        handler = None
++        try:
++            version, account, user, _junk = split_path(req.path_info,
++                minsegs=1, maxsegs=4, rest_with_last=True)
++        except ValueError:
++            return HTTPNotFound(request=req)
++        if version in ('v1', 'v1.0', 'auth'):
++            if req.method == 'GET':
++                handler = self.handle_get_token
++        if not handler:
++            req.response = HTTPBadRequest(request=req)
++        else:
++            req.response = handler(req)
++        return req.response
++
++    def handle_get_token(self, req):
++        """
++        Handles the various `request for token and service end point(s)` calls.
++        There are various formats to support the various auth servers in the
++        past. Examples::
++
++            GET <auth-prefix>/v1/<act>/auth
++                X-Auth-User: <act>:<usr>  or  X-Storage-User: <usr>
++                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
++            GET <auth-prefix>/auth
++                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
++                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
++            GET <auth-prefix>/v1.0
++                X-Auth-User: <act>:<usr>  or  X-Storage-User: <act>:<usr>
++                X-Auth-Key: <key>         or  X-Storage-Pass: <key>
++
++        On successful authentication, the response will have X-Auth-Token and
++        X-Storage-Token set to the token to use with Swift and X-Storage-URL
++        set to the URL to the default Swift cluster to use.
++
++        :param req: The webob.Request to process.
++        :returns: webob.Response, 2xx on success with data set as explained
++                  above.
++        """
++        # Validate the request info
++        try:
++            pathsegs = split_path(req.path_info, minsegs=1, maxsegs=3,
++                                  rest_with_last=True)
++        except ValueError:
++            return HTTPNotFound(request=req)
++        if pathsegs[0] == 'v1' and pathsegs[2] == 'auth':
++            account = pathsegs[1]
++            user = req.headers.get('x-storage-user')
++            if not user:
++                user = req.headers.get('x-auth-user')
++                if not user or ':' not in user:
++                    return HTTPUnauthorized(request=req)
++                account2, user = user.split(':', 1)
++                if account != account2:
++                    return HTTPUnauthorized(request=req)
++            key = req.headers.get('x-storage-pass')
++            if not key:
++                key = req.headers.get('x-auth-key')
++        elif pathsegs[0] in ('auth', 'v1.0'):
++            user = req.headers.get('x-auth-user')
++            if not user:
++                user = req.headers.get('x-storage-user')
++            if not user or ':' not in user:
++                return HTTPUnauthorized(request=req)
++            account, user = user.split(':', 1)
++            key = req.headers.get('x-auth-key')
++            if not key:
++                key = req.headers.get('x-storage-pass')
++        else:
++            return HTTPBadRequest(request=req)
++        if not all((account, user, key)):
++            return HTTPUnauthorized(request=req)
++        # Authenticate user
++        account_user = account + ':' + user
++        if account_user not in self.users:
++            return HTTPUnauthorized(request=req)
++        if self.users[account_user]['key'] != key:
++            return HTTPUnauthorized(request=req)
++        # Get memcache client
++        memcache_client = cache_from_env(req.environ)
++        if not memcache_client:
++            raise Exception('Memcache required')
++        # See if a token already exists and hasn't expired
++        token = None
++        memcache_user_key = '%s/user/%s' % (self.reseller_prefix, account_user)
++        candidate_token = memcache_client.get(memcache_user_key)
++        if candidate_token:
++            memcache_token_key = \
++                '%s/token/%s' % (self.reseller_prefix, candidate_token)
++            cached_auth_data = memcache_client.get(memcache_token_key)
++            if cached_auth_data:
++                expires, groups = cached_auth_data
++                if expires > time():
++                    token = candidate_token
++        # Create a new token if one didn't exist
++        if not token:
++            # Generate new token
++            token = '%stk%s' % (self.reseller_prefix, uuid4().hex)
++            expires = time() + self.token_life
++            groups = [account, account_user]
++            groups.extend(self.users[account_user]['groups'])
++            if '.admin' in groups:
++                groups.remove('.admin')
++                account_id = self.users[account_user]['url'].rsplit('/', 1)[-1]
++                groups.append(account_id)
++            groups = ','.join(groups)
++            # Save token
++            memcache_token_key = '%s/token/%s' % (self.reseller_prefix, token)
++            memcache_client.set(memcache_token_key, (expires, groups),
++                                timeout=float(expires - time()))
++            # Record the token with the user info for future use.
++            memcache_user_key = \
++                '%s/user/%s' % (self.reseller_prefix, account_user)
++            memcache_client.set(memcache_user_key, token,
++                                timeout=float(expires - time()))
++        return Response(request=req,
++            headers={'x-auth-token': token, 'x-storage-token': token,
++                     'x-storage-url': self.users[account_user]['url']})
++
++    def posthooklogger(self, env, req):
++        if not req.path.startswith(self.auth_prefix):
++            return
++        response = getattr(req, 'response', None)
++        if not response:
++            return
++        trans_time = '%.4f' % (time() - req.start_time)
++        the_request = quote(unquote(req.path))
++        if req.query_string:
++            the_request = the_request + '?' + req.query_string
++        # remote user for zeus
++        client = req.headers.get('x-cluster-client-ip')
++        if not client and 'x-forwarded-for' in req.headers:
++            # remote user for other lbs
++            client = req.headers['x-forwarded-for'].split(',')[0].strip()
++        logged_headers = None
++        if self.log_headers:
++            logged_headers = '\n'.join('%s: %s' % (k, v)
++                                       for k, v in req.headers.items())
++        status_int = response.status_int
++        if getattr(req, 'client_disconnect', False) or \
++                getattr(response, 'client_disconnect', False):
++            status_int = 499
++        self.logger.info(' '.join(quote(str(x)) for x in (client or '-',
++            req.remote_addr or '-', strftime('%d/%b/%Y/%H/%M/%S', gmtime()),
++            req.method, the_request, req.environ['SERVER_PROTOCOL'],
++            status_int, req.referer or '-', req.user_agent or '-',
++            req.headers.get('x-auth-token',
++                req.headers.get('x-auth-admin-user', '-')),
++            getattr(req, 'bytes_transferred', 0) or '-',
++            getattr(response, 'bytes_transferred', 0) or '-',
++            req.headers.get('etag', '-'),
++            req.headers.get('x-trans-id', '-'), logged_headers or '-',
++            trans_time)))
++
++
++def filter_factory(global_conf, **local_conf):
++    """Returns a WSGI filter app for use with paste.deploy."""
++    conf = global_conf.copy()
++    conf.update(local_conf)
++
++    def auth_filter(app):
++        return TempAuth(app, conf)
++    return auth_filter
 === modified file 'swift/common/utils.py'
 --- swift/common/utils.py	2011-04-20 19:54:28 +0000
 +++ swift/common/utils.py	2011-06-03 00:13:27 +0000
@@ -972,6 +972,32 @@
      return ModifiedParseResult(*stdlib_urlparse(url))
++def validate_sync_to(value, allowed_sync_hosts):
++    p = urlparse(value)
++    if p.scheme not in ('http', 'https'):
++        return _('Invalid scheme %r in X-Container-Sync-To, must be "http" '
++                 'or "https".') % p.scheme
++    if not p.path:
++        return _('Path required in X-Container-Sync-To')
++    if p.params or p.query or p.fragment:
++        return _('Params, queries, and fragments not allowed in '
++                 'X-Container-Sync-To')
++    if p.hostname not in allowed_sync_hosts:
++        return _('Invalid host %r in X-Container-Sync-To') % p.hostname
++    return None
++
++
++def get_remote_client(req):
++    # remote host for zeus
++    client = req.headers.get('x-cluster-client-ip')
++    if not client and 'x-forwarded-for' in req.headers:
++        # remote host for other lbs
++        client = req.headers['x-forwarded-for'].split(',')[0].strip()
++    if not client:
++        client = req.remote_addr
++    return client
++
++
  def human_readable(value):
      """
      Returns the number in a human readable format; for example 1048576 = "1Mi".
 === modified file 'swift/container/server.py'
 --- swift/container/server.py	2011-05-27 23:31:58 +0000
 +++ swift/container/server.py	2011-06-03 00:13:27 +0000
@@ -32,7 +32,8 @@
  from swift.common.db import ContainerBroker
  from swift.common.utils import get_logger, get_param, hash_path, \
--    normalize_timestamp, storage_directory, split_path
++    normalize_timestamp, storage_directory, split_path, urlparse, \
++    validate_sync_to
  from swift.common.constraints import CONTAINER_LISTING_LIMIT, \
      check_mount, check_float, check_utf8
  from swift.common.bufferedhttp import http_connect
@@ -46,7 +47,8 @@
      """WSGI Controller for the container server."""
      # Ensure these are all lowercase
--    save_headers = ['x-container-read', 'x-container-write']
++    save_headers = ['x-container-read', 'x-container-write',
++                    'x-container-sync-key', 'x-container-sync-to']
      def __init__(self, conf):
          self.logger = get_logger(conf, log_route='container-server')
@@ -55,6 +57,9 @@
                                ('true', 't', '1', 'on', 'yes', 'y')
          self.node_timeout = int(conf.get('node_timeout', 3))
          self.conn_timeout = float(conf.get('conn_timeout', 0.5))
++        self.allowed_sync_hosts = [h.strip()
++            for h in conf.get('allowed_sync_hosts', '127.0.0.1').split(',')
++            if h.strip()]
          self.replicator_rpc = ReplicatorRpc(self.root, DATADIR,
              ContainerBroker, self.mount_check, logger=self.logger)
@@ -174,6 +179,11 @@
                      not check_float(req.headers['x-timestamp']):
              return HTTPBadRequest(body='Missing timestamp', request=req,
                          content_type='text/plain')
++        if 'x-container-sync-to' in req.headers:
++            err = validate_sync_to(req.headers['x-container-sync-to'],
++                                   self.allowed_sync_hosts)
++            if err:
++                return HTTPBadRequest(err)
          if self.mount_check and not check_mount(self.root, drive):
              return Response(status='507 %s is not mounted' % drive)
          timestamp = normalize_timestamp(req.headers['x-timestamp'])
@@ -232,7 +242,8 @@
+         }
          headers.update((key, value)
              for key, (value, timestamp) in broker.metadata.iteritems()
--            if value != '')
++            if value != '' and (key.lower() in self.save_headers or
++                                key.lower().startswith('x-container-meta-')))
          return HTTPNoContent(request=req, headers=headers)
      def GET(self, req):
@@ -259,7 +270,8 @@
+         }
          resp_headers.update((key, value)
              for key, (value, timestamp) in broker.metadata.iteritems()
--            if value != '')
++            if value != '' and (key.lower() in self.save_headers or
++                                key.lower().startswith('x-container-meta-')))
          try:
              path = get_param(req, 'path')
              prefix = get_param(req, 'prefix')
@@ -368,6 +380,11 @@
                  not check_float(req.headers['x-timestamp']):
              return HTTPBadRequest(body='Missing or bad timestamp',
                  request=req, content_type='text/plain')
++        if 'x-container-sync-to' in req.headers:
++            err = validate_sync_to(req.headers['x-container-sync-to'],
++                                   self.allowed_sync_hosts)
++            if err:
++                return HTTPBadRequest(err)
          if self.mount_check and not check_mount(self.root, drive):
              return Response(status='507 %s is not mounted' % drive)
          broker = self._get_container_broker(drive, part, account, container)
 === added file 'swift/container/sync.py'
 --- swift/container/sync.py	1970-01-01 00:00:00 +0000
 +++ swift/container/sync.py	2011-06-03 00:13:27 +0000
@@ -0,0 +1,409 @@
++# Copyright (c) 2010-2011 OpenStack, LLC.
++#
++# Licensed under the Apache License, Version 2.0 (the "License");
++# you may not use this file except in compliance with the License.
++# You may obtain a copy of the License at
++#
++#    http://www.apache.org/licenses/LICENSE-2.0
++#
++# Unless required by applicable law or agreed to in writing, software
++# distributed under the License is distributed on an "AS IS" BASIS,
++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
++# implied.
++# See the License for the specific language governing permissions and
++# limitations under the License.
++
++import os
++import time
++import random
++from struct import unpack_from
++
++from swift.container import server as container_server
++from swift.common import client, direct_client
++from swift.common.ring import Ring
++from swift.common.db import ContainerBroker
++from swift.common.utils import audit_location_generator, get_logger, \
++    hash_path, normalize_timestamp, TRUE_VALUES, validate_sync_to, whataremyips
++from swift.common.daemon import Daemon
++
++
++class _Iter2FileLikeObject(object):
++    """
++    Returns an iterator's contents via :func:`read`, making it look like a file
++    object.
++    """
++
++    def __init__(self, iterator):
++        self.iterator = iterator
++        self._chunk = ''
++
++    def read(self, size=-1):
++        """
++        read([size]) -> read at most size bytes, returned as a string.
++
++        If the size argument is negative or omitted, read until EOF is reached.
++        Notice that when in non-blocking mode, less data than what was
++        requested may be returned, even if no size parameter was given.
++        """
++        if size < 0:
++            chunk = self._chunk
++            self._chunk = ''
++            return chunk + ''.join(self.iterator)
++        chunk = ''
++        try:
++            chunk = self.iterator.next()
++        except StopIteration:
++            pass
++        if len(chunk) <= size:
++            return chunk
++        self._chunk = chunk[size:]
++        return chunk[:size]
++
++
++class ContainerSync(Daemon):
++    """
++    Daemon to sync syncable containers.
++
++    This is done by scanning the local devices for container databases and
++    checking for x-container-sync-to and x-container-sync-key metadata values.
++    If they exist, newer rows since the last sync will trigger PUTs or DELETEs
++    to the other container.
++
++    .. note::
++
++        This does not sync standard object POSTs, as those do not cause
++        container row updates. A workaround is to do X-Copy-From POSTs. We're
++        considering solutions to this limitation but leaving it as is for now
++        since POSTs are fairly uncommon.
++
++    The actual syncing is slightly more complicated to make use of the three
++    (or number-of-replicas) main nodes for a container without each trying to
++    do the exact same work but also without missing work if one node happens to
++    be down.
++
++    Two sync points are kept per container database. All rows between the two
++    sync points trigger updates. Any rows newer than both sync points cause
++    updates depending on the node's position for the container (primary nodes
++    do one third, etc. depending on the replica count of course). After a sync
++    run, the first sync point is set to the newest ROWID known and the second
++    sync point is set to newest ROWID for which all updates have been sent.
++
++    An example may help. Assume replica count is 3 and perfectly matching
++    ROWIDs starting at 1.
++
++        First sync run, database has 6 rows:
++
++            * SyncPoint1 starts as -1.
++            * SyncPoint2 starts as -1.
++            * No rows between points, so no "all updates" rows.
++            * Six rows newer than SyncPoint1, so a third of the rows are sent
++              by node 1, another third by node 2, remaining third by node 3.
++            * SyncPoint1 is set as 6 (the newest ROWID known).
++            * SyncPoint2 is left as -1 since no "all updates" rows were synced.
++
++        Next sync run, database has 12 rows:
++
++            * SyncPoint1 starts as 6.
++            * SyncPoint2 starts as -1.
++            * The rows between -1 and 6 all trigger updates (most of which
++              should short-circuit on the remote end as having already been
++              done).
++            * Six more rows newer than SyncPoint1, so a third of the rows are
++              sent by node 1, another third by node 2, remaining third by node
++              3.
++            * SyncPoint1 is set as 12 (the newest ROWID known).
++            * SyncPoint2 is set as 6 (the newest "all updates" ROWID).
++
++    In this way, under normal circumstances each node sends its share of
++    updates each run and just sends a batch of older updates to ensure nothing
++    was missed.
++
++    :param conf: The dict of configuration values from the [container-sync]
++                 section of the container-server.conf
++    :param container_ring: If None, the <swift_dir>/container.ring.gz will be
++                           loaded. This is overridden by unit tests.
++    :param object_ring: If None, the <swift_dir>/object.ring.gz will be loaded.
++                        This is overridden by unit tests.
++    """
++
++    def __init__(self, conf, container_ring=None, object_ring=None):
++        #: The dict of configuration values from the [container-sync] section
++        #: of the container-server.conf.
++        self.conf = conf
++        #: Logger to use for container-sync log lines.
++        self.logger = get_logger(conf, log_route='container-sync')
++        #: Path to the local device mount points.
++        self.devices = conf.get('devices', '/srv/node')
++        #: Indicates whether mount points should be verified as actual mount
++        #: points (normally true, false for tests and SAIO).
++        self.mount_check = \
++            conf.get('mount_check', 'true').lower() in TRUE_VALUES
++        #: Minimum time between full scans. This is to keep the daemon from
++        #: running wild on near empty systems.
++        self.interval = int(conf.get('interval', 300))
++        #: Maximum amount of time to spend syncing a container before moving on
++        #: to the next one. If a conatiner sync hasn't finished in this time,
++        #: it'll just be resumed next scan.
++        self.container_time = int(conf.get('container_time', 60))
++        #: The list of hosts we're allowed to send syncs to.
++        self.allowed_sync_hosts = [h.strip()
++            for h in conf.get('allowed_sync_hosts', '127.0.0.1').split(',')
++            if h.strip()]
++        #: Number of containers with sync turned on that were successfully
++        #: synced.
++        self.container_syncs = 0
++        #: Number of successful DELETEs triggered.
++        self.container_deletes = 0
++        #: Number of successful PUTs triggered.
++        self.container_puts = 0
++        #: Number of containers that didn't have sync turned on.
++        self.container_skips = 0
++        #: Number of containers that had a failure of some type.
++        self.container_failures = 0
++        #: Time of last stats report.
++        self.reported = time.time()
++        swift_dir = conf.get('swift_dir', '/etc/swift')
++        #: swift.common.ring.Ring for locating containers.
++        self.container_ring = container_ring or \
++            Ring(os.path.join(swift_dir, 'container.ring.gz'))
++        #: swift.common.ring.Ring for locating objects.
++        self.object_ring = object_ring or \
++            Ring(os.path.join(swift_dir, 'object.ring.gz'))
++        self._myips = whataremyips()
++        self._myport = int(conf.get('bind_port', 6001))
++
++    def run_forever(self):
++        """
++        Runs container sync scans until stopped.
++        """
++        time.sleep(random.random() * self.interval)
++        while True:
++            begin = time.time()
++            all_locs = audit_location_generator(self.devices,
++                                                container_server.DATADIR,
++                                                mount_check=self.mount_check,
++                                                logger=self.logger)
++            for path, device, partition in all_locs:
++                self.container_sync(path)
++                if time.time() - self.reported >= 3600:  # once an hour
++                    self.report()
++            elapsed = time.time() - begin
++            if elapsed < self.interval:
++                time.sleep(self.interval - elapsed)
++
++    def run_once(self):
++        """
++        Runs a single container sync scan.
++        """
++        self.logger.info(_('Begin container sync "once" mode'))
++        begin = time.time()
++        all_locs = audit_location_generator(self.devices,
++                                            container_server.DATADIR,
++                                            mount_check=self.mount_check,
++                                            logger=self.logger)
++        for path, device, partition in all_locs:
++            self.container_sync(path)
++            if time.time() - self.reported >= 3600:  # once an hour
++                self.report()
++        self.report()
++        elapsed = time.time() - begin
++        self.logger.info(
++            _('Container sync "once" mode completed: %.02fs'), elapsed)
++
++    def report(self):
++        """
++        Writes a report of the stats to the logger and resets the stats for the
++        next report.
++        """
++        self.logger.info(
++            _('Since %(time)s: %(sync)s synced [%(delete)s deletes, %(put)s '
++              'puts], %(skip)s skipped, %(fail)s failed'),
++            {'time': time.ctime(self.reported),
++             'sync': self.container_syncs,
++             'delete': self.container_deletes,
++             'put': self.container_puts,
++             'skip': self.container_skips,
++             'fail': self.container_failures})
++        self.reported = time.time()
++        self.container_syncs = 0
++        self.container_deletes = 0
++        self.container_puts = 0
++        self.container_skips = 0
++        self.container_failures = 0
++
++    def container_sync(self, path):
++        """
++        Checks the given path for a container database, determines if syncing
++        is turned on for that database and, if so, sends any updates to the
++        other container.
++
++        :param path: the path to a container db
++        """
++        try:
++            if not path.endswith('.db'):
++                return
++            broker = ContainerBroker(path)
++            info = broker.get_info()
++            x, nodes = self.container_ring.get_nodes(info['account'],
++                                                     info['container'])
++            for ordinal, node in enumerate(nodes):
++                if node['ip'] in self._myips and node['port'] == self._myport:
++                    break
++            else:
++                return
++            if not broker.is_deleted():
++                sync_to = None
++                sync_key = None
++                sync_point1 = info['x_container_sync_point1']
++                sync_point2 = info['x_container_sync_point2']
++                for key, (value, timestamp) in broker.metadata.iteritems():
++                    if key.lower() == 'x-container-sync-to':
++                        sync_to = value
++                    elif key.lower() == 'x-container-sync-key':
++                        sync_key = value
++                if not sync_to or not sync_key:
++                    self.container_skips += 1
++                    return
++                sync_to = sync_to.rstrip('/')
++                err = validate_sync_to(sync_to, self.allowed_sync_hosts)
++                if err:
++                    self.logger.info(
++                        _('ERROR %(db_file)s: %(validate_sync_to_err)s'),
++                        {'db_file': broker.db_file,
++                         'validate_sync_to_err': err})
++                    self.container_failures += 1
++                    return
++                stop_at = time.time() + self.container_time
++                while time.time() < stop_at and sync_point2 < sync_point1:
++                    rows = broker.get_items_since(sync_point2, 1)
++                    if not rows:
++                        break
++                    row = rows[0]
++                    if row['ROWID'] >= sync_point1:
++                        break
++                    key = hash_path(info['account'], info['container'],
++                                    row['name'], raw_digest=True)
++                    # This node will only intially sync out one third of the
++                    # objects (if 3 replicas, 1/4 if 4, etc.). This section
++                    # will attempt to sync previously skipped rows in case the
++                    # other nodes didn't succeed.
++                    if unpack_from('>I', key)[0] % \
++                            self.container_ring.replica_count != ordinal:
++                        if not self.container_sync_row(row, sync_to, sync_key,
++                                                       broker, info):
++                            return
++                    sync_point2 = row['ROWID']
++                    broker.set_x_container_sync_points(None, sync_point2)
++                while time.time() < stop_at:
++                    rows = broker.get_items_since(sync_point1, 1)
++                    if not rows:
++                        break
++                    row = rows[0]
++                    key = hash_path(info['account'], info['container'],
++                                    row['name'], raw_digest=True)
++                    # This node will only intially sync out one third of the
++                    # objects (if 3 replicas, 1/4 if 4, etc.). It'll come back
++                    # around to the section above and attempt to sync
++                    # previously skipped rows in case the other nodes didn't
++                    # succeed.
++                    if unpack_from('>I', key)[0] % \
++                            self.container_ring.replica_count == ordinal:
++                        if not self.container_sync_row(row, sync_to, sync_key,
++                                                       broker, info):
++                            return
++                    sync_point1 = row['ROWID']
++                    broker.set_x_container_sync_points(sync_point1, None)
++                self.container_syncs += 1
++        except Exception:
++            self.container_failures += 1
++            self.logger.exception(_('ERROR Syncing %s'), (broker.db_file))
++
++    def container_sync_row(self, row, sync_to, sync_key, broker, info):
++        """
++        Sends the update the row indicates to the sync_to container.
++
++        :param row: The updated row in the local database triggering the sync
++                    update.
++        :param sync_to: The URL to the remote container.
++        :param sync_key: The X-Container-Sync-Key to use when sending requests
++                         to the other container.
++        :param broker: The local container database broker.
++        :param info: The get_info result from the local container database
++                     broker.
++        :returns: True on success
++        """
++        try:
++            if row['deleted']:
++                try:
++                    client.delete_object(sync_to, name=row['name'],
++                        headers={'X-Timestamp': row['created_at'],
++                                 'X-Container-Sync-Key': sync_key})
++                except client.ClientException, err:
++                    if err.http_status != 404:
++                        raise
++                self.container_deletes += 1
++            else:
++                part, nodes = self.object_ring.get_nodes(
++                    info['account'], info['container'],
++                    row['name'])
++                random.shuffle(nodes)
++                exc = None
++                for node in nodes:
++                    try:
++                        headers, body = \
++                            direct_client.direct_get_object(node, part,
++                                info['account'], info['container'],
++                                row['name'], resp_chunk_size=65536)
++                        break
++                    except client.ClientException, err:
++                        exc = err
++                else:
++                    if exc:
++                        raise exc
++                    raise Exception(_('Unknown exception trying to GET: '
++                        '%(node)r %(account)r %(container)r %(object)r'),
++                        {'node': node, 'part': part,
++                         'account': info['account'],
++                         'container': info['container'],
++                         'object': row['name']})
++                for key in ('date', 'last-modified'):
++                    if key in headers:
++                        del headers[key]
++                if 'etag' in headers:
++                    headers['etag'] = headers['etag'].strip('"')
++                headers['X-Timestamp'] = row['created_at']
++                headers['X-Container-Sync-Key'] = sync_key
++                client.put_object(sync_to, name=row['name'],
++                                headers=headers,
++                                contents=_Iter2FileLikeObject(body))
++                self.container_puts += 1
++        except client.ClientException, err:
++            if err.http_status == 401:
++                self.logger.info(_('Unauth %(sync_from)r '
++                    '=> %(sync_to)r key: %(sync_key)r'),
++                    {'sync_from': '%s/%s' %
++                        (client.quote(info['account']),
++                         client.quote(info['container'])),
++                     'sync_to': sync_to,
++                     'sync_key': sync_key})
++            elif err.http_status == 404:
++                self.logger.info(_('Not found %(sync_from)r '
++                    '=> %(sync_to)r key: %(sync_key)r'),
++                    {'sync_from': '%s/%s' %
++                        (client.quote(info['account']),
++                         client.quote(info['container'])),
++                     'sync_to': sync_to,
++                     'sync_key': sync_key})
++            else:
++                self.logger.exception(
++                    _('ERROR Syncing %(db_file)s %(row)s'),
++                    {'db_file': broker.db_file, 'row': row})
++            self.container_failures += 1
++            return False
++        except Exception:
++            self.logger.exception(
++                _('ERROR Syncing %(db_file)s %(row)s'),
++                {'db_file': broker.db_file, 'row': row})
++            self.container_failures += 1
++            return False
++        return True
 === modified file 'swift/obj/server.py'
 --- swift/obj/server.py	2011-05-09 20:21:34 +0000
 +++ swift/obj/server.py	2011-06-03 00:13:27 +0000
@@ -500,6 +500,7 @@
              return error_response
          file = DiskFile(self.devices, device, partition, account, container,
                          obj, self.logger, disk_chunk_size=self.disk_chunk_size)
++        orig_timestamp = file.metadata.get('X-Timestamp')
          upload_expiration = time.time() + self.max_upload_time
          etag = md5()
          upload_size = 0
@@ -544,13 +545,16 @@
                      metadata[header_caps] = request.headers[header_key]
              file.put(fd, tmppath, metadata)
          file.unlinkold(metadata['X-Timestamp'])
--        self.container_update('PUT', account, container, obj, request.headers,
--            {'x-size': file.metadata['Content-Length'],
--             'x-content-type': file.metadata['Content-Type'],
--             'x-timestamp': file.metadata['X-Timestamp'],
--             'x-etag': file.metadata['ETag'],
--             'x-trans-id': request.headers.get('x-trans-id', '-')},
--            device)
++        if not orig_timestamp or \
++                orig_timestamp < request.headers['x-timestamp']:
++            self.container_update('PUT', account, container, obj,
++                request.headers,
++                {'x-size': file.metadata['Content-Length'],
++                 'x-content-type': file.metadata['Content-Type'],
++                 'x-timestamp': file.metadata['X-Timestamp'],
++                 'x-etag': file.metadata['ETag'],
++                 'x-trans-id': request.headers.get('x-trans-id', '-')},
++                device)
          resp = HTTPCreated(request=request, etag=etag)
          return resp
@@ -654,6 +658,8 @@
                  response.headers[key] = value
          response.etag = file.metadata['ETag']
          response.last_modified = float(file.metadata['X-Timestamp'])
++        # Needed for container sync feature
++        response.headers['X-Timestamp'] = file.metadata['X-Timestamp']
          response.content_length = file_size
          if 'Content-Encoding' in file.metadata:
              response.content_encoding = file.metadata['Content-Encoding']
@@ -676,6 +682,7 @@
          response_class = HTTPNoContent
          file = DiskFile(self.devices, device, partition, account, container,
                          obj, self.logger, disk_chunk_size=self.disk_chunk_size)
++        orig_timestamp = file.metadata.get('X-Timestamp')
          if file.is_deleted():
              response_class = HTTPNotFound
          metadata = {
@@ -684,10 +691,12 @@
          with file.mkstemp() as (fd, tmppath):
              file.put(fd, tmppath, metadata, extension='.ts')
          file.unlinkold(metadata['X-Timestamp'])
--        self.container_update('DELETE', account, container, obj,
--            request.headers, {'x-timestamp': metadata['X-Timestamp'],
--            'x-trans-id': request.headers.get('x-trans-id', '-')},
--            device)
++        if not orig_timestamp or \
++                orig_timestamp < request.headers['x-timestamp']:
++            self.container_update('DELETE', account, container, obj,
++                request.headers, {'x-timestamp': metadata['X-Timestamp'],
++                'x-trans-id': request.headers.get('x-trans-id', '-')},
++                device)
          resp = response_class(request=request)
          return resp
 === modified file 'swift/proxy/server.py'
 --- swift/proxy/server.py	2011-05-12 15:57:35 +0000
 +++ swift/proxy/server.py	2011-06-03 00:13:27 +0000
@@ -33,7 +33,7 @@
  from eventlet import sleep, GreenPile, Queue, TimeoutError
  from eventlet.timeout import Timeout
--from webob.exc import HTTPBadRequest, HTTPMethodNotAllowed, \
++from webob.exc import HTTPAccepted, HTTPBadRequest, HTTPMethodNotAllowed, \
      HTTPNotFound, HTTPPreconditionFailed, \
      HTTPRequestTimeout, HTTPServiceUnavailable, \
      HTTPUnprocessableEntity, HTTPRequestEntityTooLarge, HTTPServerError, \
@@ -42,7 +42,7 @@
  from swift.common.ring import Ring
  from swift.common.utils import get_logger, normalize_timestamp, split_path, \
--    cache_from_env, ContextPool
++    cache_from_env, ContextPool, get_remote_client
  from swift.common.bufferedhttp import http_connect
  from swift.common.constraints import check_metadata, check_object_creation, \
      check_utf8, CONTAINER_LISTING_LIMIT, MAX_ACCOUNT_NAME_LENGTH, \
@@ -406,8 +406,8 @@
          :param account: account name for the container
          :param container: container name to look up
          :returns: tuple of (container partition, container nodes, container
--                  read acl, container write acl) or (None, None, None, None) if
--                  the container does not exist
++                  read acl, container write acl, container sync key) or (None,
++                  None, None, None, None) if the container does not exist
          """
          partition, nodes = self.app.container_ring.get_nodes(
                  account, container)
@@ -419,15 +419,17 @@
                  status = cache_value['status']
                  read_acl = cache_value['read_acl']
                  write_acl = cache_value['write_acl']
++                sync_key = cache_value.get('sync_key')
                  if status == 200:
--                    return partition, nodes, read_acl, write_acl
++                    return partition, nodes, read_acl, write_acl, sync_key
                  elif status == 404:
--                    return None, None, None, None
++                    return None, None, None, None, None
          if not self.account_info(account)[1]:
--            return None, None, None, None
++            return None, None, None, None, None
          result_code = 0
          read_acl = None
          write_acl = None
++        sync_key = None
          container_size = None
          attempts_left = self.app.container_ring.replica_count
          headers = {'x-trans-id': self.trans_id}
@@ -443,6 +445,7 @@
                          result_code = 200
                          read_acl = resp.getheader('x-container-read')
                          write_acl = resp.getheader('x-container-write')
++                        sync_key = resp.getheader('x-container-sync-key')
                          container_size = \
                              resp.getheader('X-Container-Object-Count')
                          break
@@ -471,11 +474,12 @@
                                    {'status': result_code,
                                     'read_acl': read_acl,
                                     'write_acl': write_acl,
++                                   'sync_key': sync_key,
                                     'container_size': container_size},
                                    timeout=cache_timeout)
          if result_code == 200:
--            return partition, nodes, read_acl, write_acl
--        return None, None, None, None
++            return partition, nodes, read_acl, write_acl, sync_key
++        return None, None, None, None, None
      def iter_nodes(self, partition, nodes, ring):
          """
@@ -645,6 +649,9 @@
                          raise
                  res.app_iter = file_iter()
                  update_headers(res, source.getheaders())
++                # Used by container sync feature
++                res.environ['swift_x_timestamp'] = \
++                    source.getheader('x-timestamp')
                  update_headers(res, {'accept-ranges': 'bytes'})
                  res.status = source.status
                  res.content_length = source.getheader('Content-Length')
@@ -655,6 +662,9 @@
              elif 200 <= source.status <= 399:
                  res = status_map[source.status](request=req)
                  update_headers(res, source.getheaders())
++                # Used by container sync feature
++                res.environ['swift_x_timestamp'] = \
++                    source.getheader('x-timestamp')
                  update_headers(res, {'accept-ranges': 'bytes'})
                  if req.method == 'HEAD':
                      res.content_length = source.getheader('Content-Length')
@@ -853,7 +863,7 @@
          error_response = check_metadata(req, 'object')
          if error_response:
              return error_response
--        container_partition, containers, _junk, req.acl = \
++        container_partition, containers, _junk, req.acl, _junk = \
              self.container_info(self.account_name, self.container_name)
          if 'swift.authorize' in req.environ:
              aresp = req.environ['swift.authorize'](req)
@@ -910,7 +920,8 @@
      @delay_denial
      def PUT(self, req):
          """HTTP PUT request handler."""
--        container_partition, containers, _junk, req.acl = \
++        (container_partition, containers, _junk, req.acl,
++         req.environ['swift_sync_key']) = \
              self.container_info(self.account_name, self.container_name)
          if 'swift.authorize' in req.environ:
              aresp = req.environ['swift.authorize'](req)
@@ -920,7 +931,27 @@
              return HTTPNotFound(request=req)
          partition, nodes = self.app.object_ring.get_nodes(
              self.account_name, self.container_name, self.object_name)
--        req.headers['X-Timestamp'] = normalize_timestamp(time.time())
++        # Used by container sync feature
++        if 'x-timestamp' in req.headers:
++            try:
++                req.headers['X-Timestamp'] = \
++                    normalize_timestamp(float(req.headers['x-timestamp']))
++                # For container sync PUTs, do a HEAD to see if we can
++                # shortcircuit
++                hreq = Request.blank(req.path_info,
++                                     environ={'REQUEST_METHOD': 'HEAD'})
++                self.GETorHEAD_base(hreq, _('Object'), partition, nodes,
++                    hreq.path_info, self.app.object_ring.replica_count)
++                if 'swift_x_timestamp' in hreq.environ and \
++                    float(hreq.environ['swift_x_timestamp']) >= \
++                        float(req.headers['x-timestamp']):
++                    return HTTPAccepted(request=req)
++            except ValueError:
++                return HTTPBadRequest(request=req, content_type='text/plain',
++                    body='X-Timestamp should be a UNIX timestamp float value; '
++                         'was %r' % req.headers['x-timestamp'])
++        else:
++            req.headers['X-Timestamp'] = normalize_timestamp(time.time())
          # Sometimes the 'content-type' header exists, but is set to None.
          content_type_manually_set = True
          if not req.headers.get('content-type'):
@@ -1093,7 +1124,8 @@
      @delay_denial
      def DELETE(self, req):
          """HTTP DELETE request handler."""
--        container_partition, containers, _junk, req.acl = \
++        (container_partition, containers, _junk, req.acl,
++         req.environ['swift_sync_key']) = \
              self.container_info(self.account_name, self.container_name)
          if 'swift.authorize' in req.environ:
              aresp = req.environ['swift.authorize'](req)
@@ -1103,7 +1135,17 @@
              return HTTPNotFound(request=req)
          partition, nodes = self.app.object_ring.get_nodes(
              self.account_name, self.container_name, self.object_name)
--        req.headers['X-Timestamp'] = normalize_timestamp(time.time())
++        # Used by container sync feature
++        if 'x-timestamp' in req.headers:
++            try:
++                req.headers['X-Timestamp'] = \
++                    normalize_timestamp(float(req.headers['x-timestamp']))
++            except ValueError:
++                return HTTPBadRequest(request=req, content_type='text/plain',
++                    body='X-Timestamp should be a UNIX timestamp float value; '
++                         'was %r' % req.headers['x-timestamp'])
++        else:
++            req.headers['X-Timestamp'] = normalize_timestamp(time.time())
          headers = []
          for container in containers:
              nheaders = dict(req.headers.iteritems())
@@ -1149,7 +1191,8 @@
      server_type = _('Container')
      # Ensure these are all lowercase
--    pass_through_headers = ['x-container-read', 'x-container-write']
++    pass_through_headers = ['x-container-read', 'x-container-write',
++                            'x-container-sync-key', 'x-container-sync-to']
      def __init__(self, app, account_name, container_name, **kwargs):
          Controller.__init__(self, app)
@@ -1185,6 +1228,7 @@
                {'status': resp.status_int,
                 'read_acl': resp.headers.get('x-container-read'),
                 'write_acl': resp.headers.get('x-container-write'),
++               'sync_key': resp.headers.get('x-container-sync-key'),
                 'container_size': resp.headers.get('x-container-object-count')},
                                    timeout=self.app.recheck_container_existence)
@@ -1193,6 +1237,11 @@
              aresp = req.environ['swift.authorize'](req)
              if aresp:
                  return aresp
++        if not req.environ.get('swift_owner', False):
++            for key in ('x-container-read', 'x-container-write',
++                        'x-container-sync-key', 'x-container-sync-to'):
++                if key in resp.headers:
++                    del resp.headers[key]
          return resp
      @public
@@ -1548,13 +1597,7 @@
          the_request = quote(unquote(req.path))
          if req.query_string:
              the_request = the_request + '?' + req.query_string
--        # remote user for zeus
--        client = req.headers.get('x-cluster-client-ip')
--        if not client and 'x-forwarded-for' in req.headers:
--            # remote user for other lbs
--            client = req.headers['x-forwarded-for'].split(',')[0].strip()
--        if not client:
--            client = req.remote_addr
++        client = get_remote_client(req)
          logged_headers = None
          if self.log_headers:
              logged_headers = '\n'.join('%s: %s' % (k, v)
 === modified file 'test/probe/common.py'
 --- test/probe/common.py	2011-03-14 02:56:37 +0000
 +++ test/probe/common.py	2011-06-03 00:13:27 +0000
@@ -13,29 +13,16 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
--from os import environ, kill
++from os import kill
  from signal import SIGTERM
  from subprocess import call, Popen
  from time import sleep
--from ConfigParser import ConfigParser
  from swift.common.bufferedhttp import http_connect_raw as http_connect
  from swift.common.client import get_auth
  from swift.common.ring import Ring
--SUPER_ADMIN_KEY = None
--
--c = ConfigParser()
--PROXY_SERVER_CONF_FILE = environ.get('SWIFT_PROXY_SERVER_CONF_FILE',
--                                     '/etc/swift/proxy-server.conf')
--if c.read(PROXY_SERVER_CONF_FILE):
--    conf = dict(c.items('filter:swauth'))
--    SUPER_ADMIN_KEY = conf.get('super_admin_key', 'swauthkey')
--else:
--    exit('Unable to read config file: %s' % PROXY_SERVER_CONF_FILE)
--
--
  def kill_pids(pids):
      for pid in pids.values():
          try:
@@ -48,8 +35,6 @@
      call(['resetswift'])
      pids = {}
      try:
--        pids['proxy'] = Popen(['swift-proxy-server',
--                               '/etc/swift/proxy-server.conf']).pid
          port2server = {}
          for s, p in (('account', 6002), ('container', 6001), ('object', 6000)):
              for n in xrange(1, 5):
@@ -57,14 +42,27 @@
                      Popen(['swift-%s-server' % s,
                             '/etc/swift/%s-server/%d.conf' % (s, n)]).pid
                  port2server[p + (n * 10)] = '%s%d' % (s, n)
++        pids['proxy'] = Popen(['swift-proxy-server',
++                               '/etc/swift/proxy-server.conf']).pid
          account_ring = Ring('/etc/swift/account.ring.gz')
          container_ring = Ring('/etc/swift/container.ring.gz')
          object_ring = Ring('/etc/swift/object.ring.gz')
--        sleep(5)
--        call(['recreateaccounts'])
--        url, token = get_auth('http://127.0.0.1:8080/auth/v1.0',
--                              'test:tester', 'testing')
--        account = url.split('/')[-1]
++        attempt = 0
++        while True:
++            attempt += 1
++            try:
++                url, token = get_auth('http://127.0.0.1:8080/auth/v1.0',
++                                      'test:tester', 'testing')
++                account = url.split('/')[-1]
++                break
++            except Exception, err:
++                if attempt > 9:
++                    print err
++                    print 'Giving up after %s retries.' % attempt
++                    raise err
++                print err
++                print 'Retrying in 2 seconds...'
++                sleep(2)
      except BaseException, err:
          kill_pids(pids)
          raise err
 === renamed file 'test/unit/common/middleware/test_swauth.py' => 'test/unit/common/middleware/test_tempauth.py'
 --- test/unit/common/middleware/test_swauth.py	2011-04-01 21:17:47 +0000
 +++ test/unit/common/middleware/test_tempauth.py	2011-06-03 00:13:27 +0000
@@ -1,4 +1,4 @@
--# Copyright (c) 2010 OpenStack, LLC.
++# Copyright (c) 2011 OpenStack, LLC.
+ #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
@@ -23,7 +23,7 @@
  from webob import Request, Response
--from swift.common.middleware import swauth as auth
++from swift.common.middleware import tempauth as auth
  class FakeMemcache(object):
@@ -56,15 +56,21 @@
  class FakeApp(object):
--    def __init__(self, status_headers_body_iter=None):
++    def __init__(self, status_headers_body_iter=None, acl=None, sync_key=None):
          self.calls = 0
          self.status_headers_body_iter = status_headers_body_iter
          if not self.status_headers_body_iter:
              self.status_headers_body_iter = iter([('404 Not Found', {}, '')])
++        self.acl = acl
++        self.sync_key = sync_key
      def __call__(self, env, start_response):
          self.calls += 1
          self.request = Request.blank('', environ=env)
++        if self.acl:
++            self.request.acl = self.acl
++        if self.sync_key:
++            self.request.environ['swift_sync_key'] = self.sync_key
          if 'swift.authorize' in env:
              resp = env['swift.authorize'](self.request)
              if resp:
@@ -102,85 +108,50 @@
  class TestAuth(unittest.TestCase):
      def setUp(self):
--        self.test_auth = \
--            auth.filter_factory({'super_admin_key': 'supertest'})(FakeApp())
++        self.test_auth = auth.filter_factory({})(FakeApp())
--    def test_super_admin_key_required(self):
--        app = FakeApp()
--        exc = None
--        try:
--            auth.filter_factory({})(app)
--        except ValueError, err:
--            exc = err
--        self.assertEquals(str(exc),
--                          'No super_admin_key set in conf file! Exiting.')
--        auth.filter_factory({'super_admin_key': 'supertest'})(app)
++    def _make_request(self, path, **kwargs):
++        req = Request.blank(path, **kwargs)
++        req.environ['swift.cache'] = FakeMemcache()
++        return req
      def test_reseller_prefix_init(self):
          app = FakeApp()
--        ath = auth.filter_factory({'super_admin_key': 'supertest'})(app)
++        ath = auth.filter_factory({})(app)
          self.assertEquals(ath.reseller_prefix, 'AUTH_')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'reseller_prefix': 'TEST'})(app)
++        ath = auth.filter_factory({'reseller_prefix': 'TEST'})(app)
          self.assertEquals(ath.reseller_prefix, 'TEST_')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'reseller_prefix': 'TEST_'})(app)
++        ath = auth.filter_factory({'reseller_prefix': 'TEST_'})(app)
          self.assertEquals(ath.reseller_prefix, 'TEST_')
      def test_auth_prefix_init(self):
          app = FakeApp()
--        ath = auth.filter_factory({'super_admin_key': 'supertest'})(app)
--        self.assertEquals(ath.auth_prefix, '/auth/')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'auth_prefix': ''})(app)
--        self.assertEquals(ath.auth_prefix, '/auth/')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'auth_prefix': '/test/'})(app)
--        self.assertEquals(ath.auth_prefix, '/test/')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'auth_prefix': '/test'})(app)
--        self.assertEquals(ath.auth_prefix, '/test/')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'auth_prefix': 'test/'})(app)
--        self.assertEquals(ath.auth_prefix, '/test/')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--                                   'auth_prefix': 'test'})(app)
--        self.assertEquals(ath.auth_prefix, '/test/')
--
--    def test_default_swift_cluster_init(self):
--        app = FakeApp()
--        self.assertRaises(Exception, auth.filter_factory({
--            'super_admin_key': 'supertest',
--            'default_swift_cluster': 'local#badscheme://host/path'}), app)
--        ath = auth.filter_factory({'super_admin_key': 'supertest'})(app)
--        self.assertEquals(ath.default_swift_cluster,
--                          'local#http://127.0.0.1:8080/v1')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--            'default_swift_cluster': 'local#http://host/path'})(app)
--        self.assertEquals(ath.default_swift_cluster,
--                          'local#http://host/path')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--            'default_swift_cluster': 'local#https://host/path/'})(app)
--        self.assertEquals(ath.dsc_url, 'https://host/path')
--        self.assertEquals(ath.dsc_url2, 'https://host/path')
--        ath = auth.filter_factory({'super_admin_key': 'supertest',
--            'default_swift_cluster':
--                'local#https://host/path/#http://host2/path2/'})(app)
--        self.assertEquals(ath.dsc_url, 'https://host/path')
--        self.assertEquals(ath.dsc_url2, 'http://host2/path2')
++        ath = auth.filter_factory({})(app)
++        self.assertEquals(ath.auth_prefix, '/auth/')
++        ath = auth.filter_factory({'auth_prefix': ''})(app)
++        self.assertEquals(ath.auth_prefix, '/auth/')
++        ath = auth.filter_factory({'auth_prefix': '/test/'})(app)
++        self.assertEquals(ath.auth_prefix, '/test/')
++        ath = auth.filter_factory({'auth_prefix': '/test'})(app)
++        self.assertEquals(ath.auth_prefix, '/test/')
++        ath = auth.filter_factory({'auth_prefix': 'test/'})(app)
++        self.assertEquals(ath.auth_prefix, '/test/')
++        ath = auth.filter_factory({'auth_prefix': 'test'})(app)
++        self.assertEquals(ath.auth_prefix, '/test/')
      def test_top_level_ignore(self):
--        resp = Request.blank('/').get_response(self.test_auth)
++        resp = self._make_request('/').get_response(self.test_auth)
          self.assertEquals(resp.status_int, 404)
      def test_anon(self):
--        resp = Request.blank('/v1/AUTH_account').get_response(self.test_auth)
++        resp = \
++            self._make_request('/v1/AUTH_account').get_response(self.test_auth)
          self.assertEquals(resp.status_int, 401)
          self.assertEquals(resp.environ['swift.authorize'],
                            self.test_auth.authorize)
      def test_auth_deny_non_reseller_prefix(self):
--        resp = Request.blank('/v1/BLAH_account',
++        resp = self._make_request('/v1/BLAH_account',
              headers={'X-Auth-Token': 'BLAH_t'}).get_response(self.test_auth)
          self.assertEquals(resp.status_int, 401)
          self.assertEquals(resp.environ['swift.authorize'],
@@ -188,7 +159,7 @@
      def test_auth_deny_non_reseller_prefix_no_override(self):
          fake_authorize = lambda x: Response(status='500 Fake')
--        resp = Request.blank('/v1/BLAH_account',
++        resp = self._make_request('/v1/BLAH_account',
              headers={'X-Auth-Token': 'BLAH_t'},
              environ={'swift.authorize': fake_authorize}
              ).get_response(self.test_auth)
@@ -200,192 +171,74 @@
          # outright but set up a denial swift.authorize and pass the request on
          # down the chain.
          local_app = FakeApp()
--        local_auth = auth.filter_factory({'super_admin_key': 'supertest',
--                                          'reseller_prefix': ''})(local_app)
--        resp = Request.blank('/v1/account',
++        local_auth = auth.filter_factory({'reseller_prefix': ''})(local_app)
++        resp = self._make_request('/v1/account',
              headers={'X-Auth-Token': 't'}).get_response(local_auth)
          self.assertEquals(resp.status_int, 401)
--        # one for checking auth, two for request passed along
--        self.assertEquals(local_app.calls, 2)
++        self.assertEquals(local_app.calls, 1)
          self.assertEquals(resp.environ['swift.authorize'],
                            local_auth.denied_response)
--    def test_auth_no_reseller_prefix_allow(self):
--        # Ensures that when we have no reseller prefix, we can still allow
--        # access if our auth server accepts requests
--        local_app = FakeApp(iter([
--            ('200 Ok', {},
--             json.dumps({'account': 'act', 'user': 'act:usr',
--                         'account_id': 'AUTH_cfa',
--                         'groups': [{'name': 'act:usr'}, {'name': 'act'},
--                                    {'name': '.admin'}],
--                         'expires': time() + 60})),
--            ('204 No Content', {}, '')]))
--        local_auth = auth.filter_factory({'super_admin_key': 'supertest',
--                                          'reseller_prefix': ''})(local_app)
--        resp = Request.blank('/v1/act',
--            headers={'X-Auth-Token': 't'}).get_response(local_auth)
--        self.assertEquals(resp.status_int, 204)
--        self.assertEquals(local_app.calls, 2)
--        self.assertEquals(resp.environ['swift.authorize'],
--                          local_auth.authorize)
--
      def test_auth_no_reseller_prefix_no_token(self):
          # Check that normally we set up a call back to our authorize.
          local_auth = \
--            auth.filter_factory({'super_admin_key': 'supertest',
--                                 'reseller_prefix': ''})(FakeApp(iter([])))
--        resp = Request.blank('/v1/account').get_response(local_auth)
++            auth.filter_factory({'reseller_prefix': ''})(FakeApp(iter([])))
++        resp = self._make_request('/v1/account').get_response(local_auth)
          self.assertEquals(resp.status_int, 401)
          self.assertEquals(resp.environ['swift.authorize'],
                            local_auth.authorize)
          # Now make sure we don't override an existing swift.authorize when we
          # have no reseller prefix.
          local_auth = \
--            auth.filter_factory({'super_admin_key': 'supertest',
--                                 'reseller_prefix': ''})(FakeApp())
++            auth.filter_factory({'reseller_prefix': ''})(FakeApp())
          local_authorize = lambda req: Response('test')
--        resp = Request.blank('/v1/account', environ={'swift.authorize':
++        resp = self._make_request('/v1/account', environ={'swift.authorize':
              local_authorize}).get_response(local_auth)
          self.assertEquals(resp.status_int, 200)
          self.assertEquals(resp.environ['swift.authorize'], local_authorize)
      def test_auth_fail(self):
--        resp = Request.blank('/v1/AUTH_cfa',
--            headers={'X-Auth-Token': 'AUTH_t'}).get_response(self.test_auth)