

Old Design Page

This page was used to help design a feature that has been implemented. As a result, this page is unlikely to be updated and could contain outdated information. It was last updated on 2013-10-07.

  • Launchpad Entry: KeystoneSpec:s3token
  • Created: 2012-01-15
  • Contributor: Akira YOSHIYAMA


Adds Keystone user authentication (auth-n) and authorization (auth-z) to the Swift S3 API. It is a port of the same capability for the Nova EC2 API.




This capability has 3 parts:

  1. A Keystone patch that adds a new auth-n API for the S3 API.
  2. A middleware, s3_token.py, that lets Swift use the API from part 1.
  3. A Swift patch that uses the token and endpoint information from part 2.

Parts 1 and 2 are for Keystone; part 3 is for Swift.


Add s3token to the pipeline:main configuration of the Swift proxy server (/etc/swift/proxy-server.conf):

pipeline = healthcheck cache s3token authtoken swift3 keystone proxy-server

Then add the following lines to the same configuration file:

use = egg:keystone#s3token
auth_protocol = http
auth_host =
auth_port = 5000
admin_token = 999888777666

auth_protocol, auth_host and auth_port point to the public API of Keystone. admin_token is the admin token for Keystone.

Then restart the Swift proxy server to apply the configuration.


This capability works the same way as the Nova EC2 API with Keystone.

||Swift clients|| ||Swift middleware|| ||
||Swift clients||S3API request->||s3token|| ||
|| || ||s3token||Keystone auth-n request->||
|| || ||s3token||<-token and endpoints||
|| || ||keystone||token->||
|| || ||keystone||<-auth-z info||
||Swift clients||<-S3 API response||swift3(S3API)|| ||

Additional API of Keystone


  • Method
 POST /v2.0/s3tokens
  • Header
 Content-Type: application/json
  • Body
 JSON-formatted information with the following fields:
 ||access||S3 Access Key (Account Name)||
 ||signature||Signature Key||
 ||verb||Original request method||
 ||path||URL path of original request||
 ||expire||Date header of original request||
 ||content_type||Content-Type header of original request||
 ||content_md5||Content-MD5 header of original request||
 ||xheaders||X-Amz-* headers of original request||


  • 200 (OK)
  • 400 (Bad Request)
  • 401 (Unauthorized)
  • 403 (UserDisabled)
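
The body fields listed above match the components of the AWS S3 signature version 2 string-to-sign, so the server-side check behind POST /v2.0/s3tokens can be illustrated as follows. This is an added example, not Keystone's own code: it assumes signature v2 (HMAC-SHA1, which the page does not name), a flat JSON body, a hypothetical in-memory `SECRETS` store, and an assumed mapping of failures to the status codes listed above.

```python
import base64
import hashlib
import hmac

REQUIRED = ("access", "signature", "verb", "path", "expire")

def string_to_sign(body):
    """Rebuild the S3 signature v2 string-to-sign from the s3tokens fields."""
    # X-Amz-* headers are lowercased, sorted, and emitted one per line.
    xheaders = {k.lower(): v.strip() for k, v in body.get("xheaders", {}).items()}
    amz = "".join(f"{k}:{xheaders[k]}\n" for k in sorted(xheaders))
    return "\n".join([
        body["verb"],
        body.get("content_md5", ""),
        body.get("content_type", ""),
        body["expire"],
        amz + body["path"],  # simplification: path used as the canonical resource
    ])

def sign(secret, body):
    mac = hmac.new(secret.encode(), string_to_sign(body).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def check(body, secrets, disabled=()):
    """Return an HTTP status for the request (status mapping is an assumption)."""
    if any(not isinstance(body.get(f), str) for f in REQUIRED):
        return 400
    secret = secrets.get(body["access"])
    if secret is None:
        return 401
    try:
        expected = sign(secret, body)
    except (TypeError, AttributeError):  # malformed optional fields
        return 400
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), body["signature"].encode()):
        return 401
    return 403 if body["access"] in disabled else 200

# Constructed sample data, not real credentials.
SECRETS = {"demo:demo": "constructed-secret-key"}
REQUEST = {"access": "demo:demo", "verb": "GET", "path": "/bucket/object",
           "expire": "Tue, 27 Mar 2012 19:36:42 +0000", "content_type": "",
           "content_md5": "", "xheaders": {"X-Amz-Meta-Owner": "alice"}}
REQUEST["signature"] = sign(SECRETS["demo:demo"], REQUEST)
TAMPERED = dict(REQUEST, path="/bucket/other-object")  # signature no longer matches

if __name__ == "__main__":
    print(check(REQUEST, SECRETS), check(TAMPERED, SECRETS))
```

Because the signature covers verb, path, date and X-Amz-* headers, changing any of them after signing makes the check fail, which is why s3token forwards all of them to Keystone.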