[openstack-dev] [keystone][ec2-api] Moving EC2 Auth and S3Token to Externally supported

Morgan Fainberg morgan.fainberg at gmail.com
Fri Feb 5 15:50:09 UTC 2016


Looking over the state [and relatively untested nature] of the Keystone EC2
API and S3Token APIs, I want to propose deprecating these mechanisms of
auth within Keystone at this time.

These systems have been historically poorly tested and supported and have
remained broken / incompatible for long periods at a time. With the move
that the EC2-API team is taking the code from nova out-of-tree, I would
like to propose that the auth mechanisms are also moved out of tree and
into the purview of the team focused on providing a solid EC2 compatibility
layer for OpenStack.

This will allow the EC2-API team to better ensure the long-term viability
and compatibility of the required auth systems and can free this all from
the requirement to propose code to keystone to handle forward momentum as
required to support future/new signature versions and movement within the
libraries that rely on clear AWS compatibility.

This should ideally be moved to something standalone that can handle the
translation of EC2 or S3Token Auth to native Keystone API calls.

Thanks for reading,
--Morgan