Keystone-BP-S3Token

Old Design Page

This page was used to help design a feature that has been implemented. As a result, this page is unlikely to be updated and could contain outdated information. It was last updated on 2013-10-07.

  • Launchpad Entry: KeystoneSpec:s3token
  • Created: 2012-01-15
  • Contributor: Akira YOSHIYAMA

Summary

Adds Keystone user authentication (auth-n) and authorization (auth-z) to the Swift S3 API. It is a port of the equivalent capability for the Nova EC2 API.

Dependency

None.

Structure

This capability has 3 parts:

  1. A Keystone patch to add a new auth-n API for the S3 API.
  2. A middleware, s3_token.py, that lets Swift use the API from 1.
  3. A Swift patch to use the token and endpoint information from 2.

Parts 1 and 2 are for Keystone; part 3 is for Swift.

Configuration

Add s3token to the pipeline:main section of the Swift proxy server configuration (/etc/swift/proxy-server.conf):


[pipeline:main]
pipeline = healthcheck cache s3token authtoken swift3 keystone proxy-server


Then add the following lines to the same configuration file:


[filter:s3token]
use = egg:keystone#s3token
auth_protocol = http
auth_host = 127.0.0.1
auth_port = 5000
admin_token = 999888777666


auth_protocol, auth_host and auth_port are for the public API of Keystone. admin_token is for Keystone.

Then restart the Swift proxy server to apply the configuration.

Sequence

This capability works the same way as the Nova EC2 API with Keystone.

||Swift clients|| ||Swift middleware|| ||
||Swift clients||S3API request->||s3token|| ||
|| || ||s3token||Keystone auth-n request->||
|| || ||s3token||<-token and endpoints||
|| || ||keystone||token->||
|| || ||keystone||<-auth-z info||
||Swift clients||<-S3 API response||swift3(S3API)|| ||

Additional API of Keystone

Request

  • Method
 POST /v2.0/s3tokens
  • Header
 Content-Type: application/json
  • Body
 JSON style information
 ||access||S3 Access Key (Account Name)||
 ||signature||Signature Key||
 ||verb||Original request method||
 ||path||URL path of original request||
 ||expire||Date header of original request||
 ||content_type||Content-Type header of original request||
 ||content_md5||Content-MD5 header of original request||
 ||xheaders||X-Amz-* headers of original request||

Response

  • 200 (OK)
  • 400 (Bad Request)
  • 401 (Unauthorized)
  • 403 (UserDisabled)
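
The Body fields above are the inputs needed to recompute an AWS S3 signature version 2 on the Keystone side. The following is an added example, not Keystone's or Swift's own code: it assumes a flat JSON object with the field names from the table, treats path as the canonicalized resource, and uses hypothetical function names and a constructed credential store.

```python
import base64, hashlib, hmac, json

SECRETS = {"demo-access": "demo-secret"}  # constructed credential store (assumption)

def string_to_sign(f):
    """AWS S3 signature v2 string-to-sign, rebuilt from the Body fields."""
    amz = "".join(f"{k.lower()}:{v.strip()}\n" for k, v in sorted(f["xheaders"].items()))
    return "\n".join([f["verb"], f["content_md5"], f["content_type"],
                      f["expire"], amz + f["path"]])

def sign(secret, f):
    """base64(HMAC-SHA1(secret, string-to-sign))."""
    mac = hmac.new(secret.encode(), string_to_sign(f).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def fields_from_request(verb, path, headers):
    """Middleware side: map the original S3 request onto the Body fields."""
    h = {k.lower(): v for k, v in headers.items()}
    # Authorization header has the form "AWS <access>:<signature>".
    access, _, signature = h.get("authorization", "").partition(" ")[2].partition(":")
    return {"access": access, "signature": signature, "verb": verb, "path": path,
            "expire": h.get("date", ""), "content_type": h.get("content-type", ""),
            "content_md5": h.get("content-md5", ""),
            "xheaders": {k: v for k, v in h.items() if k.startswith("x-amz-")}}

def verify(body, secrets):
    """Keystone side: return a status code from the Response list."""
    try:
        f = json.loads(body)
        secret = secrets.get(f["access"])
        if secret is None:
            return 401  # unknown access key
        # Constant-time comparison of the recomputed and supplied signatures.
        ok = hmac.compare_digest(sign(secret, f), f["signature"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return 400  # malformed JSON, or a missing or mistyped field
    return 200 if ok else 401

def sample_request():
    """Constructed S3 PUT, signed the way an S3 client would sign it."""
    hdrs = {"Date": "Tue, 27 Mar 2012 19:36:42 +0000", "Content-Type": "text/plain",
            "X-Amz-Meta-Owner": "demo"}
    sig = sign("demo-secret", fields_from_request("PUT", "/bucket/object", hdrs))
    hdrs["Authorization"] = "AWS demo-access:" + sig
    return "PUT", "/bucket/object", hdrs
```

The 403 (UserDisabled) response depends on the user's state in Keystone and is not modelled here.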