[openstack-dev] [keystone][ec2-api] Moving EC2 Auth and S3Token to Externally supported
blk at acm.org
Fri Feb 5 21:18:52 UTC 2016
On Fri, Feb 5, 2016 at 1:03 PM, Dolph Mathews <dolph.mathews at gmail.com>
> On Fri, Feb 5, 2016 at 12:37 PM, Andrey Pavlov <andrey.mp at gmail.com>
>> swift3(s3) works like ec2-api.
>> 1. swift3/ec2-api receives AWS request
>> 2. it parses signature and access_key (and other headers)
>> 3. it sends these values (and token that calculated from request) to
>> 4. keystone gets secret_key from DB, then calculates signature by
>> received access_key and token
>> 5. keystone compares received signature and calculated signature and
>> then returns 'error' or auth_token
>> 6. swift3/ec2-api receives answer from keystone and returns 'forbidden'
>> or continues execution
>> 7. in case of continue swift3/ec2-api uses received auth_token for
>> calls other services: nova, cinder, neutron, swift...
>> So I don't understand how to implement this functionality outside of
> EC2 support is implemented in middleware on top of keystone, and that
> middleware happens to live in the openstack/keystone repository. This
> change is just proposing to move that middleware code into a dedicated new
> repository and change the community support & maintenance model - it would
> not affect how the code actually operates. The only effect on operators is
> that it would require an extra step to deploy it. End users would not be
One of the things that prompted this discussion is a proposal to make EC2
and S3 required, and not removable by editing the paste config:
Some of us were taking advantage of this ability, but others think that all
APIs should be supported.
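
Added example (not part of the original thread, and not keystone, swift3 or ec2-api code): a minimal Python model of the seven-step flow quoted above, in which the front end forwards only the access key, signature and string to sign, while the verifier holds the secret and compares signatures in constant time. The HMAC-SHA256 scheme, the simplified canonical string, the constructed credentials and all names (`CREDENTIALS`, `sign`, `frontend_parse`, `keystone_verify`, `handle`, `make_request`) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store standing in for keystone's DB (step 4).
CREDENTIALS = {"AKEXAMPLE": "constructed-secret-key"}


def sign(secret_key: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string to sign, base64-encoded (assumed scheme)."""
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def frontend_parse(request: dict) -> dict:
    """Steps 1-3: the swift3/ec2-api side. It never sees the secret key."""
    params = dict(request["params"])
    signature = params.pop("Signature", "")
    # Simplified canonical form (assumption): method, host, path, sorted params.
    query = "&".join(f"{k}={params[k]}" for k in sorted(params))
    token = "\n".join([request["method"], request["host"], request["path"], query])
    return {"access": params.get("AWSAccessKeyId"), "signature": signature, "token": token}


def keystone_verify(creds: dict):
    """Steps 4-5: look up the secret, recompute, compare in constant time."""
    secret_key = CREDENTIALS.get(creds["access"])
    if secret_key is None:
        return None
    expected = sign(secret_key, creds["token"])
    if not hmac.compare_digest(expected.encode(), creds["signature"].encode()):
        return None
    return secrets.token_hex(16)  # stand-in for the issued auth_token


def handle(request: dict) -> str:
    """Steps 6-7: forbid, or continue with the token for downstream calls."""
    auth_token = keystone_verify(frontend_parse(request))
    return "forbidden" if auth_token is None else "continue"


def make_request(secret_key: str, **params) -> dict:
    """Constructed client: signs a request the way the front end canonicalizes it."""
    req = {"method": "GET", "host": "ec2.example.test", "path": "/", "params": params}
    unsigned = frontend_parse({**req, "params": {**params, "Signature": ""}})
    req["params"] = {**params, "Signature": sign(secret_key, unsigned["token"])}
    return req
```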