[openstack-dev] [keystone][ec2-api] Moving EC2 Auth and S3Token to Externally supported

Andrey Pavlov andrey.mp at gmail.com
Fri Feb 5 18:37:59 UTC 2016

swift3(s3) works like ec2-api.

1. swift3/ec2-api recieves AWS request
2. it parses signature and access_key (and other headers)
3. it sends these values (and token that calculated from request) to keystone
4. keystone gets secret_key from DB, then calculates signature by
recieved access_key and token
5. keystone compares recived signature and claculated signature and
then return 'error' or auth_token
6. swift3/ec2-api recieves answer from keystone and return 'forbidden'
or continues execution
7. in case of continue swift3/ec2-api uses recieved auth_token for
calls other services: nova, cinder, neutron, swift...

So I don't understand how implement this functionality outside of keystone...

On Fri, Feb 5, 2016 at 8:55 PM, Tim Bell <Tim.Bell at cern.ch> wrote:
>> Is it certain that there is no need for the functions with the new EC2-API
>> functions ?
>> The S3 functions are somewhat separated from the EC2 API. How does SWIFT
>> implement the S3 compatibility layer ?
>> Getting a ‘to be deprecated’ log entry into Mitaka would be useful to make
>> sure we’re not using it somewhere else.
> This would be just a deprecation warning. Removal would be determined at a
> later time with sufficient lead time.
> Do you know how S3 with SWIFT works ? Would they need to do something like
> EC2-API ?
> Tim
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Kind regards,
Andrey Pavlov.

More information about the OpenStack-dev mailing list