Can it be implemented as a keystone plugin? Is it possible to 'get' AUTH_TOKEN outside of keystone? Will this code use the keystone DB or should it create its own?
So we will need one 'auth' module for swift3/ec2-api. Sounds good but we need to understand some details before implementation.

On Fri, Feb 5, 2016 at 10:03 PM, Dolph Mathews <dolph.math...@gmail.com> wrote:
>
> On Fri, Feb 5, 2016 at 12:37 PM, Andrey Pavlov <andrey...@gmail.com> wrote:
>>
>> swift3(s3) works like ec2-api.
>>
>> 1. swift3/ec2-api receives AWS request
>> 2. it parses signature and access_key (and other headers)
>> 3. it sends these values (and token that is calculated from request) to keystone
>> 4. keystone gets secret_key from DB, then calculates signature by received access_key and token
>> 5. keystone compares received signature and calculated signature and then returns 'error' or auth_token
>> 6. swift3/ec2-api receives answer from keystone and returns 'forbidden' or continues execution
>> 7. in case of continue swift3/ec2-api uses received auth_token for calls to other services: nova, cinder, neutron, swift...
>>
>> So I don't understand how to implement this functionality outside of keystone...
>
> EC2 support is implemented in middleware on top of keystone, and that
> middleware happens to live in the openstack/keystone repository. This change
> is just proposing to move that middleware code into a dedicated new
> repository and change the community support & maintenance model - it would
> not affect how the code actually operates. The only effect on operators is
> that it would require an extra step to deploy it. End users would not be
> affected.
>
> https://github.com/openstack/keystone/blob/5f51912b54dff0a71f00987e9f5c1d6015ad08bd/keystone/contrib/ec2/routers.py#L27
>
> https://github.com/openstack/keystone/blob/5f51912b54dff0a71f00987e9f5c1d6015ad08bd/etc/keystone-paste.ini#L27-L31
>
>>
>> On Fri, Feb 5, 2016 at 8:55 PM, Tim Bell <tim.b...@cern.ch> wrote:
>> >
>> >>
>> >> Is it certain that there is no need for the functions with the new EC2-API functions?
>> >>
>> >> The S3 functions are somewhat separated from the EC2 API. How does SWIFT implement the S3 compatibility layer?
>> >>
>> >> Getting a ‘to be deprecated’ log entry into Mitaka would be useful to make sure we’re not using it somewhere else.
>> >>
>> >
>> > This would be just a deprecation warning. Removal would be determined at a later time with sufficient lead time.
>> >
>> > Do you know how S3 with SWIFT works? Would they need to do something like EC2-API?
>> >
>> > Tim
>> >
>> > __________________________________________________________________________
>> > OpenStack Development Mailing List (not for usage questions)
>> > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >
>>
>> --
>> Kind regards,
>> Andrey Pavlov.
>

--
Kind regards,
Andrey Pavlov.
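
The seven-step flow quoted in this thread, as an added example that is not part of the original messages and is not keystone, swift3 or ec2-api code. The function names, the in-memory credential store, the simplified string-to-sign and the token format are assumptions made for illustration; real AWS signature versions add URL-encoding rules and timestamp checks that are left out here.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credential store standing in for keystone's DB (step 4).
CREDENTIALS = {"AKIDEXAMPLE": "constructed-secret-key"}


def string_to_sign(method, host, path, params):
    """Simplified canonical request: sorted params, Signature excluded."""
    query = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "Signature")
    return "\n".join([method, host.lower(), path, query])


def sign(secret_key, token):
    """Base64 HMAC-SHA256 of the string-to-sign (the thread's 'token')."""
    mac = hmac.new(secret_key.encode(), token.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def keystone_validate(access_key, signature, token):
    """Steps 4-5: fetch the secret, recompute the signature, compare."""
    secret = CREDENTIALS.get(access_key)
    # Unknown keys still get an HMAC computed, so both paths do similar work.
    expected = sign(secret or "no-such-key", token)
    # compare_digest avoids leaking how many leading characters matched.
    matches = hmac.compare_digest(expected.encode(), signature.encode())
    if secret is None or not matches:
        return None  # 'error' in step 5
    return "auth-token-" + secrets.token_hex(8)  # hypothetical token format


def proxy_handle(method, host, path, params):
    """Steps 1-3 and 6 on the swift3/ec2-api side; it never sees secret_key."""
    token = string_to_sign(method, host, path, params)
    auth_token = keystone_validate(
        params.get("AWSAccessKeyId", ""), params.get("Signature", ""), token)
    if auth_token is None:
        return 403, None  # 'forbidden'
    return 200, auth_token  # step 7: reuse auth_token for nova, cinder, ...


if __name__ == "__main__":
    req = {"Action": "DescribeInstances", "AWSAccessKeyId": "AKIDEXAMPLE"}
    req["Signature"] = sign(CREDENTIALS["AKIDEXAMPLE"],
                            string_to_sign("GET", "ec2.example.test", "/", req))
    print(proxy_handle("GET", "ec2.example.test", "/", req)[0])
    print(proxy_handle("GET", "ec2.example.test", "/", dict(req, Action="RunInstances"))[0])
```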