protected $authTTL; // integer seconds
protected $swiftAnonUser; // string; username to handle unauthenticated requests
protected $swiftUseCDN; // boolean; whether CloudFiles CDN is enabled
+ protected $swiftCDNExpiry; // integer; how long to cache things in the CDN
+ protected $swiftCDNPurgable; // boolean; whether object CDN purging is enabled
+
protected $maxContCacheSize = 300; // integer; max containers with entries
/** @var CF_Connection */
* swiftUser : Swift user used by MediaWiki (account:username)
* swiftKey : Swift authentication key for the above user
* swiftAuthTTL : Swift authentication TTL (seconds)
- * swiftAnonUser : Swift user used for end-user requests (account:username)
+ * swiftAnonUser : Swift user used for end-user requests (account:username).
+ * If set, then views of public containers are assumed to go
+ * through this user. If not set, then public containers are
+ * accessible to unauthenticated requests via ".r:*" in the ACL.
* swiftUseCDN : Whether a Cloud Files Content Delivery Network is set up
+ * swiftCDNExpiry : How long (in seconds) to store content in the CDN.
+ * If files may likely change, this should probably not exceed
+ * a few days. For example, deletions may take this long to apply.
+ * If object purging is enabled, however, this is not an issue.
+ * swiftCDNPurgable : Whether object purge requests are allowed by the CDN.
* shardViaHashLevels : Map of container names to sharding config with:
* 'base' : base of hash characters, 16 or 36
* 'levels' : the number of hash levels (and digits)
$this->swiftUseCDN = isset( $config['swiftUseCDN'] )
? $config['swiftUseCDN']
: false;
+ $this->swiftCDNExpiry = isset( $config['swiftCDNExpiry'] )
+ ? $config['swiftCDNExpiry']
+ : 3600; // hour
+ $this->swiftCDNPurgable = isset( $config['swiftCDNPurgable'] )
+ ? $config['swiftCDNPurgable']
+ : true;
// Cache container info to mask latency
$this->memCache = wfGetMainCache();
}
// (b) Create container as needed
try {
$contObj = $this->createContainer( $fullCont );
- // Make container public to end-users...
- if ( $this->swiftAnonUser != '' ) {
- $status->merge( $this->setContainerAccess(
- $contObj,
- array( $this->auth->username, $this->swiftAnonUser ), // read
- array( $this->auth->username ) // write
- ) );
+ if ( !empty( $params['noAccess'] ) ) {
+ // Make container private to end-users...
+ $status->merge( $this->doSecureInternal( $fullCont, $dir, $params ) );
+ } else {
+ // Make container public to end-users...
+ $status->merge( $this->doPublishInternal( $fullCont, $dir, $params ) );
}
if ( $this->swiftUseCDN ) { // Rackspace style CDN
- $contObj->make_public();
+ $contObj->make_public( $this->swiftCDNExpiry );
}
} catch ( CDNNotEnabledException $e ) {
// CDN not enabled; nothing to see here
*/
protected function doSecureInternal( $fullCont, $dir, array $params ) {
$status = Status::newGood();
+ if ( empty( $params['noAccess'] ) ) {
+ return $status; // nothing to do
+ }
// Restrict container from end-users...
try {
// NoSuchContainerException not thrown: container must exist
// Make container private to end-users...
- if ( $this->swiftAnonUser != '' && !isset( $contObj->mw_wasSecured ) ) {
+ $status->merge( $this->setContainerAccess(
+ $contObj,
+ array( $this->auth->username ), // read
+ array( $this->auth->username ) // write
+ ) );
+ if ( $this->swiftUseCDN && $contObj->is_public() ) { // Rackspace style CDN
+ $contObj->make_private();
+ }
+ } catch ( CDNNotEnabledException $e ) {
+ // CDN not enabled; nothing to see here
+ } catch ( CloudFilesException $e ) { // some other exception?
+ $this->handleException( $e, $status, __METHOD__, $params );
+ }
+
+ return $status;
+ }
+
+ /**
+ * @see FileBackendStore::doPublishInternal()
+ * @return Status
+ */
+ protected function doPublishInternal( $fullCont, $dir, array $params ) {
+ $status = Status::newGood();
+
+ // Unrestrict container from end-users...
+ try {
+ // doPrepareInternal() should have been called,
+ // so the Swift container should already exist...
+ $contObj = $this->getContainer( $fullCont ); // normally a cache hit
+ // NoSuchContainerException not thrown: container must exist
+
+ // Make container public to end-users...
+ if ( $this->swiftAnonUser != '' ) {
+ $status->merge( $this->setContainerAccess(
+ $contObj,
+ array( $this->auth->username, $this->swiftAnonUser ), // read
+ array( $this->auth->username, $this->swiftAnonUser ) // write
+ ) );
+ } else {
$status->merge( $this->setContainerAccess(
$contObj,
- array( $this->auth->username ), // read
+ array( $this->auth->username, '.r:*' ), // read
array( $this->auth->username ) // write
) );
- // @TODO: when php-cloudfiles supports container
- // metadata, we can make use of that to avoid RTTs
- $contObj->mw_wasSecured = true; // avoid useless RTTs
}
- if ( $this->swiftUseCDN && $contObj->is_public() ) { // Rackspace style CDN
- $contObj->make_private();
+ if ( $this->swiftUseCDN && !$contObj->is_public() ) { // Rackspace style CDN
+ $contObj->make_public();
}
} catch ( CDNNotEnabledException $e ) {
// CDN not enabled; nothing to see here
$stat = array(
// Convert dates like "Tue, 03 Jan 2012 22:01:04 GMT" to TS_MW
'mtime' => wfTimestamp( TS_MW, $srcObj->last_modified ),
- 'size' => $srcObj->content_length,
+ 'size' => (int)$srcObj->content_length,
'sha1' => $srcObj->metadata['Sha1base36']
);
} catch ( NoSuchContainerException $e ) {
* @return Array List of relative paths of dirs directly under $dir
*/
public function getDirListPageInternal( $fullCont, $dir, &$after, $limit, array $params ) {
+ $dirs = array();
+ if ( $after === INF ) {
+ return $dirs; // nothing more
+ }
wfProfileIn( __METHOD__ . '-' . $this->name );
- $dirs = array();
try {
$container = $this->getContainer( $fullCont );
$prefix = ( $dir == '' ) ? null : "{$dir}/";
if ( substr( $object, -1 ) === '/' ) {
$dirs[] = $object; // directories end in '/'
}
- $after = $object; // update last item
}
// Recursive: list all dirs under $dir and its subdirs
} else {
}
$lastDir = $objectDir;
}
- $after = $object; // update last item
}
}
+ if ( count( $objects ) < $limit ) {
+ $after = INF; // avoid a second RTT
+ } else {
+ $after = end( $objects ); // update last item
+ }
} catch ( NoSuchContainerException $e ) {
} catch ( CloudFilesException $e ) { // some other exception?
$this->handleException( $e, null, __METHOD__,
* @return Array List of relative paths of files under $dir
*/
public function getFileListPageInternal( $fullCont, $dir, &$after, $limit, array $params ) {
+ $files = array();
+ if ( $after === INF ) {
+ return $files; // nothing more
+ }
wfProfileIn( __METHOD__ . '-' . $this->name );
- $files = array();
try {
$container = $this->getContainer( $fullCont );
$prefix = ( $dir == '' ) ? null : "{$dir}/";
}
// Recursive: list all files under $dir and its subdirs
} else { // files
- $files = $container->list_objects( $limit, $after, $prefix );
+ $objects = $container->list_objects( $limit, $after, $prefix );
+ $files = $objects;
+ }
+ if ( count( $objects ) < $limit ) {
+ $after = INF; // avoid a second RTT
+ } else {
+ $after = end( $objects ); // update last item
}
- $after = end( $files ); // update last item
- reset( $files ); // reset pointer
} catch ( NoSuchContainerException $e ) {
} catch ( CloudFilesException $e ) { // some other exception?
$this->handleException( $e, null, __METHOD__,
}
/**
- * Set read/write permissions for a Swift container
+ * Set read/write permissions for a Swift container.
+ *
+ * $readGrps is a list of the possible criteria for a request to have
+ * access to read a container. Each item is one of the following formats:
+ * account:user - Grants access if the request is by the given user
+ * .r:<regex> - Grants access if the request is from a referrer host that
+ * matches the expression and the request is not for a listing.
+ * Setting this to '*' effectively makes a container public.
+ * .rlistings:<regex> - Grants access if the request is from a referrer host that
+ * matches the expression and the request for a listing.
+ * $writeGrps is a list of the possible criteria for a request to have
+ * access to write to a container. Each item is of the following format:
+ * account:user - Grants access if the request is by the given user
+ *
+ * @see http://swift.openstack.org/misc.html#acls
+ *
+ * In general, we don't allow listings to end-users. It's not useful, isn't well-defined
+ * (lists are truncated to 10000 item with no way to page), and is just a performance risk.
*
* @param $contObj CF_Container Swift container
- * @param $readGrps Array Swift users who can read (account:user)
- * @param $writeGrps Array Swift users who can write (account:user)
+ * @param $readGrps Array List of read access routes
+ * @param $writeGrps Array List of write access routes
* @return Status
*/
protected function setContainerAccess(
}
/**
- * Purge the CDN cache of affected objects if CDN caching is enabled
+ * Purge the CDN cache of affected objects if CDN caching is enabled.
+ * This is for Rackspace/Akamai CDNs.
*
* @param $objects Array List of CF_Object items
* @return void
*/
public function purgeCDNCache( array $objects ) {
- if ( $this->swiftUseCDN ) { // Rackspace style CDN
+ if ( $this->swiftUseCDN && $this->swiftCDNPurgable ) {
foreach ( $objects as $object ) {
try {
$object->purge_from_cdn();
*
* @param $container string Container name
* @return CF_Container
- * @throws InvalidResponseException
+ * @throws CloudFilesException
*/
protected function createContainer( $container ) {
$conn = $this->getConnection(); // Swift proxy connection
*
* @param $container string Container name
* @return void
- * @throws InvalidResponseException
+ * @throws CloudFilesException
*/
protected function deleteContainer( $container ) {
$conn = $this->getConnection(); // Swift proxy connection
- $conn->delete_container( $container );
unset( $this->connContainers[$container] ); // purge cache
+ $conn->delete_container( $container );
}
/**
dépôts / lhc / web / wiklou.git / blobdiff