[openstack-dev] [keystone][ec2-api] Moving EC2 Auth and S3Token to Externally supported

Dolph Mathews dolph.mathews at gmail.com
Fri Feb 5 19:03:20 UTC 2016


On Fri, Feb 5, 2016 at 12:37 PM, Andrey Pavlov <andrey.mp at gmail.com> wrote:

> swift3(s3) works like ec2-api.
>
> 1. swift3/ec2-api receives AWS request
> 2. it parses signature and access_key (and other headers)
> 3. it sends these values (and token that calculated from request) to
> keystone
> 4. keystone gets secret_key from DB, then calculates signature by
> received access_key and token
> 5. keystone compares received signature and calculated signature and
> then returns 'error' or auth_token
> 6. swift3/ec2-api receives answer from keystone and returns 'forbidden'
> or continues execution
> 7. in case of continue swift3/ec2-api uses received auth_token for
> calls to other services: nova, cinder, neutron, swift...
>
> So I don't understand how to implement this functionality outside of
> keystone...
>

EC2 support is implemented in middleware on top of keystone, and that
middleware happens to live in the openstack/keystone repository. This
change is just proposing to move that middleware code into a dedicated new
repository and change the community support & maintenance model - it would
not affect how the code actually operates. The only effect on operators is
that it would require an extra step to deploy it. End users would not be
affected.

https://github.com/openstack/keystone/blob/5f51912b54dff0a71f00987e9f5c1d6015ad08bd/keystone/contrib/ec2/routers.py#L27

https://github.com/openstack/keystone/blob/5f51912b54dff0a71f00987e9f5c1d6015ad08bd/etc/keystone-paste.ini#L27-L31


>
> On Fri, Feb 5, 2016 at 8:55 PM, Tim Bell <Tim.Bell at cern.ch> wrote:
> >
> >>
> >> Is it certain that there is no need for the functions with the new
> >> EC2-API functions ?
> >>
> >> The S3 functions are somewhat separated from the EC2 API. How does SWIFT
> >> implement the S3 compatibility layer ?
> >>
> >> Getting a ‘to be deprecated’ log entry into Mitaka would be useful to
> >> make sure we’re not using it somewhere else.
> >>
> >
> > This would be just a deprecation warning. Removal would be determined at
> > a later time with sufficient lead time.
> >
> > Do you know how S3 with SWIFT works ? Would they need to do something
> > like EC2-API ?
> >
> > Tim
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
>
>
> --
> Kind regards,
> Andrey Pavlov.
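The seven-step flow quoted in this message, as an added example that is not part of the original thread and is not keystone, swift3 or ec2-api code. It assumes a simplified string-to-sign (method, path, date) in place of real AWS canonicalization, and the credential store, function names and token shape are hypothetical.

```python
import hashlib
import hmac

# Constructed credential store standing in for keystone's DB (step 4).
CREDENTIALS = {"AKIDEXAMPLE": {"secret_key": "constructed-secret",
                               "project": "demo"}}


def sign(secret_key: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string derived from the request, hex encoded."""
    return hmac.new(secret_key.encode(), string_to_sign.encode(),
                    hashlib.sha256).hexdigest()


def keystone_verify(access_key: str, signature: str, string_to_sign: str):
    """Steps 4-5: look up the secret, recompute, compare, token or error."""
    cred = CREDENTIALS.get(access_key)
    # Recompute even for unknown keys so both failure paths do similar work.
    expected = sign(cred["secret_key"] if cred else "", string_to_sign)
    # Constant-time comparison on bytes; the secret never leaves this side.
    matches = hmac.compare_digest(expected.encode(), signature.encode())
    if cred is None or not matches:
        return None  # the 'error' answer of step 5
    return {"auth_token": "tok-" + cred["project"]}  # hypothetical token shape


def gateway_handle(request: dict) -> str:
    """Steps 1-3 and 6-7: what the swift3/ec2-api side does around the call."""
    # Derive the signed string from the request actually received, so the
    # content that was signed and the content that gets executed are the same.
    string_to_sign = "\n".join([request["method"], request["path"],
                                request["date"]])
    result = keystone_verify(request["access_key"], request["signature"],
                             string_to_sign)
    if result is None:
        return "forbidden"
    # Step 7: the returned token is what is presented to nova, cinder, etc.
    return "continue with " + result["auth_token"]
```

The gateway never holds the secret key; it only forwards the access key, the signature and the material the signature covers, which is why the comparison has to live next to the credential store.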

