[openstack-dev] [keystone][ec2-api] Moving EC2 Auth and S3Token to Externally supported
andrey.mp at gmail.com
Fri Feb 5 19:15:01 UTC 2016
Can it be implemented as a keystone plugin?
Is it possible to 'get' AUTH_TOKEN outside of keystone?
Will this code use the keystone DB, or should it create its own?
So we will need one 'auth' module for swift3/ec2-api.
Sounds good but we need to understand some details before implementation.
On Fri, Feb 5, 2016 at 10:03 PM, Dolph Mathews <dolph.mathews at gmail.com> wrote:
> On Fri, Feb 5, 2016 at 12:37 PM, Andrey Pavlov <andrey.mp at gmail.com> wrote:
>> swift3(s3) works like ec2-api.
>> 1. swift3/ec2-api receives AWS request
>> 2. it parses signature and access_key (and other headers)
>> 3. it sends these values (and token that calculated from request) to
>> 4. keystone gets secret_key from DB, then calculates signature by
>> received access_key and token
>> 5. keystone compares received signature and calculated signature and
>> then return 'error' or auth_token
>> 6. swift3/ec2-api receives answer from keystone and return 'forbidden'
>> or continues execution
>> 7. in case of continue swift3/ec2-api uses received auth_token for
>> calls other services: nova, cinder, neutron, swift...
>> So I don't understand how implement this functionality outside of
> EC2 support is implemented in middleware on top of keystone, and that
> middleware happens to live in the openstack/keystone repository. This change
> is just proposing to move that middleware code into a dedicated new
> repository and change the community support & maintenance model - it would
> not affect how the code actually operates. The only effect on operators is
> that it would require an extra step to deploy it. End users would not be
>> On Fri, Feb 5, 2016 at 8:55 PM, Tim Bell <Tim.Bell at cern.ch> wrote:
>> >> Is it certain that there is no need for the functions with the new
>> >> EC2-API functions?
>> >> The S3 functions are somewhat separated from the EC2 API. How does
>> >> SWIFT implement the S3 compatibility layer?
>> >> Getting a ‘to be deprecated’ log entry into Mitaka would be useful to
>> >> make sure we’re not using it somewhere else.
>> > This would be just a deprecation warning. Removal would be determined at
>> > a later time with sufficient lead time.
>> > Do you know how S3 with SWIFT works? Would they need to do something
>> > like EC2-API?
>> > Tim
>> > __________________________________________________________________________
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe:
>> > OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> Kind regards,
>> Andrey Pavlov.
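Added example (not part of the thread, and not keystone, swift3 or ec2-api code): a minimal Python model of the signature check described in steps 1-7 above, with the gateway forwarding access_key, token and signature and the keystone side recomputing and comparing. The HMAC-SHA256/base64 scheme, the in-memory credential store, the function names and the sample request are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credential store (hypothetical stand-in for the keystone DB).
CREDENTIALS = {"AKIDEXAMPLE": {"secret_key": "constructed-secret", "user": "demo"}}


def sign(secret_key: str, string_to_sign: bytes) -> str:
    """Base64 HMAC-SHA256 over the string-to-sign (signing scheme is an assumption)."""
    digest = hmac.new(secret_key.encode(), string_to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def authenticate(access_key: str, token_b64: str, signature: str):
    """Keystone side (steps 4-5): look up the secret, recompute, compare.

    Returns ("ok", auth_token) or ("error", None). Every failure yields the
    same generic error so the caller cannot tell which check failed.
    """
    try:
        string_to_sign = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "error", None
    cred = CREDENTIALS.get(access_key)
    # Compute an HMAC even for unknown keys so both paths do similar work.
    secret_key = cred["secret_key"] if cred else "unknown-key-placeholder"
    expected = sign(secret_key, string_to_sign)
    # compare_digest avoids leaking the match position through timing.
    matches = hmac.compare_digest(expected.encode(), signature.encode())
    if cred is None or not matches:
        return "error", None
    return "ok", secrets.token_hex(16)  # stand-in for a real auth_token


def gateway_handle(access_key: str, string_to_sign: bytes, signature: str):
    """swift3/ec2-api side (steps 1-3, 6): forward values, map the answer."""
    token_b64 = base64.b64encode(string_to_sign).decode()
    status, auth_token = authenticate(access_key, token_b64, signature)
    if status == "error":
        return 403, None  # 'forbidden'
    return 200, auth_token  # step 7 would reuse this token for other services
```

The secret_key never leaves the keystone side in this model; the gateway only ever sees the request, the signature and the resulting auth_token.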