Launchpad Entry: KeystoneSpec:s3token
Created: 2012-01-15
Contributor: Akira YOSHIYAMA
Summary
Adds Keystone user authentication and authorization (auth-n/auth-z) for the Swift S3 API. It is a port of the equivalent capability for the Nova EC2 API.
Dependency
None.
Structure
This capability has 3 parts:
1. A Keystone patch that adds a new auth-n API for the S3 API.
2. A middleware, s3_token.py, that lets Swift use the API from part 1.
3. A Swift patch that uses the token and endpoint information from part 2.
Parts 1 and 2 are for Keystone; part 3 is for Swift.
Configuration
Add s3token to the pipeline:main section of the Swift proxy server configuration (/etc/swift/proxy-server.conf):

    [pipeline:main]
    pipeline = healthcheck cache s3token authtoken swift3 keystone proxy-server

Then add the following lines to the same configuration file:

    [filter:s3token]
    use = egg:keystone#s3token
    auth_protocol = http
    auth_host = 127.0.0.1
    auth_port = 5000
    admin_token = 999888777666

auth_protocol, auth_host and auth_port are for the public API of Keystone. admin_token is for Keystone.
Then restart the Swift proxy server to apply the configuration.
Sequence
This capability works the same way as the Nova EC2 API with Keystone.

| Swift clients |                   | Swift middleware |                           | Keystone            |
|---------------|-------------------|------------------|---------------------------|---------------------|
| Swift clients | S3API request->   | s3token          |                           |                     |
|               |                   | s3token          | Keystone auth-n request-> | Keystone public API |
|               |                   | s3token          | <-token and endpoints     | Keystone public API |
|               |                   | keystone         | token->                   | Keystone admin API  |
|               |                   | keystone         | <-auth-z info             | Keystone admin API  |
| Swift clients | <-S3 API response | swift3(S3API)    |                           |                     |
Additional API of Keystone
Request
- Method
  - POST /v2.0/s3tokens
- Header
  - Content-Type: application/json
- Body
  - JSON style information
    - access: S3 Access Key (Account Name)
    - signature: Signature Key
    - verb: Original request method
    - path: URL path of original request
    - expire: Date header of original request
    - content_type: Content-Type header of original request
    - content_md5: Content-MD5 header of original request
    - xheaders: X-Amz-* headers of original request
Response
- 200 (OK)
- 400 (Bad Request)
- 401 (Unauthorized)
- 403 (UserDisabled)
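
An added example, not part of the original spec or of the Keystone/Swift code: a sketch of how a middleware could assemble the request body listed above from an incoming S3 request. The flat JSON layout, the dict form of xheaders, the function names and the sample request are assumptions; only the field names come from this page.

```python
import json

# Field names follow the request-body list in this spec. The flat JSON layout,
# the dict form of "xheaders" and all function names here are assumptions.


def parse_aws_authorization(value):
    """Split an S3 'AWS <access>:<signature>' Authorization header."""
    scheme, _, credentials = value.strip().partition(" ")
    if scheme != "AWS" or not credentials:
        raise ValueError("not an S3 (AWS) Authorization header")
    # Split on the LAST ':' because the base64 signature never contains one,
    # while the access key may itself contain ':'.
    access, sep, signature = credentials.strip().rpartition(":")
    if not sep or not access or not signature:
        raise ValueError("expected '<access>:<signature>'")
    return access, signature


def build_s3token_body(method, path, headers):
    """Build the JSON body for POST /v2.0/s3tokens from the original request."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {k.lower(): v for k, v in headers.items()}
    if "authorization" not in h:
        raise ValueError("missing Authorization header")
    access, signature = parse_aws_authorization(h["authorization"])
    body = {
        "access": access,
        "signature": signature,
        "verb": method.upper(),
        "path": path,
        "expire": h.get("date", ""),
        "content_type": h.get("content-type", ""),
        "content_md5": h.get("content-md5", ""),
        "xheaders": {k: v for k, v in h.items() if k.startswith("x-amz-")},
    }
    return json.dumps(body, sort_keys=True)


# Constructed sample request (not captured traffic).
SAMPLE_HEADERS = {
    "Authorization": "AWS demo:tester:c2lnbmF0dXJl",
    "Date": "Sun, 15 Jan 2012 10:00:00 GMT",
    "Content-Type": "text/plain",
    "X-Amz-Meta-Owner": "alice",
}

if __name__ == "__main__":
    print(build_s3token_body("put", "/bucket/object", SAMPLE_HEADERS))
```

Rejecting a malformed Authorization header before contacting Keystone keeps unparseable requests from turning into auth-n calls made with the configured credentials.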