Keystone-BP-S3Token
- Launchpad Entry: KeystoneSpec:s3token
- Created: 2012-01-15
- Contributor: Akira YOSHIYAMA
Summary
Adds Keystone user authentication and authorization (auth-n/auth-z) support for the Swift S3 API. It is a port of the equivalent support for the Nova EC2 API.
Dependency
None.
Structure
This capability has 3 parts:
1. A Keystone patch that adds a new auth-n API for the S3 API.
2. A middleware, s3_token.py, that uses the API from item 1 from Swift.
3. A Swift patch that uses the token and endpoint information from item 2.
Items 1 and 2 are for Keystone, item 3 is for Swift.
Configuration
Add s3token to the pipeline:main configuration of the Swift proxy server (/etc/swift/proxy-server.conf):

    [pipeline:main]
    pipeline = healthcheck cache s3token authtoken swift3 keystone proxy-server

Then add the following lines to the same configuration file:

    [filter:s3token]
    use = egg:keystone#s3token
    auth_protocol = http
    auth_host = 127.0.0.1
    auth_port = 5000
    admin_token = 999888777666

auth_protocol, auth_host and auth_port are for the public API of Keystone.
admin_token is for Keystone.
Then restart the Swift proxy server so that the configuration is applied.
Sequence
This capability works the same way as the Nova EC2 API with Keystone.

| Swift clients | | Swift middleware | |
| Swift clients | S3API request-> | s3token | |
| | | s3token | Keystone auth-n request-> |
| | | s3token | <-token and endpoints |
| | | keystone | token-> |
| | | keystone | <-auth-z info |
| Swift clients | <-S3 API response | swift3(S3API) | |
Additional API of Keystone
Request
- Method: POST /v2.0/s3tokens
- Header: Content-Type: application/json
- Body: JSON style information

||access||S3 Access Key (Account Name)||
||signature||Signature Key||
||verb||Original request method||
||path||URL path of original request||
||expire||Date header of original request||
||content_type||Content-Type header of original request||
||content_md5||Content-MD5 header of original request||
||xheaders||X-Amz-* headers of original request||
Response
- 200 (OK)
- 400 (Bad Request)
- 401 (Unauthorized)
- 403 (UserDisabled)
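
The request body fields listed under Request are exactly the inputs of the AWS signature version 2 string-to-sign, which is why the middleware forwards them. The following is an added example, not code from this blueprint or from Keystone or Swift: it maps an S3 request onto those fields and recomputes the signature the way a verifier could. The flat JSON layout, the dict form of xheaders, the function names and the sample secret are assumptions.

```python
import base64
import hashlib
import hmac
import json


def build_s3token_body(method, path, headers):
    """Map an S3 request onto the s3tokens body fields (flat layout assumed)."""
    # Signature v2 clients send "Authorization: AWS <access>:<signature>".
    scheme, _, creds = headers.get("Authorization", "").partition(" ")
    # The access key may itself contain ":" (account:user), so split at the last one.
    access, sep, signature = creds.rpartition(":")
    if scheme != "AWS" or not sep or not access or not signature:
        raise ValueError("not an S3 signature v2 Authorization header")
    return {
        "access": access,
        "signature": signature,
        "verb": method,
        "path": path,
        "expire": headers.get("Date", ""),
        "content_type": headers.get("Content-Type", ""),
        "content_md5": headers.get("Content-MD5", ""),
        "xheaders": {k.lower(): v for k, v in headers.items()
                     if k.lower().startswith("x-amz-")},
    }


def expected_signature(fields, secret):
    """Base64 HMAC-SHA1 over the signature v2 string-to-sign built from the fields."""
    amz = "".join(f"{k}:{v}\n" for k, v in sorted(fields["xheaders"].items()))
    string_to_sign = "\n".join([fields["verb"], fields["content_md5"],
                                fields["content_type"], fields["expire"],
                                amz + fields["path"]])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest())


def signature_is_valid(fields, secret):
    # Constant-time comparison: do not leak how many leading bytes matched.
    return hmac.compare_digest(expected_signature(fields, secret),
                               fields["signature"].encode())


if __name__ == "__main__":
    # Constructed sample request and secret, for illustration only.
    hdrs = {"Date": "Sun, 15 Jan 2012 10:00:00 GMT", "Content-Type": "text/plain",
            "X-Amz-Meta-Owner": "demo", "Authorization": "AWS test:tester:placeholder"}
    body = build_s3token_body("PUT", "/bucket/object", hdrs)
    body["signature"] = expected_signature(body, "constructed-secret").decode()
    print(json.dumps(body, indent=2), signature_is_valid(body, "constructed-secret"))
```

Changing any forwarded field (verb, path, Date, or an X-Amz-* header) after signing makes `signature_is_valid` return False, which corresponds to the 401 response above.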