openstack team mailing list archive
Message #07289
Re: Swift S3 with Keystone anyone?
Hi Pete,
2012/02/06 10:56 "Pete Zaitcev" <zaitcev@xxxxxxxxxx>:
>
> On Thu, 2 Feb 2012 19:03:54 +0900
> Akira Yoshiyama <akirayoshiyama@xxxxxxxxx> wrote:
>
> > I modified the wiki:
> > http://wiki.openstack.org/Keystone-BP-S3Token
> >
> > I added authtoken in main pipeline just now.
>
> I was unable to find the official configuration for "authtoken".
> Since it's only a name of convention, I cannot even guess what
> module is meant here.
>
> Some people seem to use authtoken like this:
>
> [filter:authtoken]
> paste.filter_factory = keystone.middleware.auth_token:filter_factory
> service_protocol = http
> service_host = 127.0.0.1
> service_port = 5000
> auth_host = 127.0.0.1
> auth_port = 35357
> auth_protocol = http
> auth_uri = http://127.0.0.1:5000/
> admin_token = 999888777666
> ;Uncomment next line and check ip:port to use memcached to cache token requests
> ;memcache_hosts = 127.0.0.1:11211
>
> Is it what you meant? If yes, what does it do in case of S3?
Yes.
Swift has one port with two different APIs: an AWS S3 compatible one and
an OpenStack one.
So it needs two different authentication capabilities;
authtoken is one middleware for OpenStack API and s3token is the other for
S3 API.
If there are multiple authentication middleware, the primary shouldn't
reject requests without legal credentials because the second may accept
them. So s3token (and ec2token) have to come before authtoken and to be
used with authtoken because it doesn't reject non-S3 requests.
In other words, s3token is just a converter from S3 credentials to
OpenStack tokens.
Regards,
Akira Yoshiyama
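
The ordering described in the message above, as an added example that is not part of the original thread and is not Keystone's or Swift's code: a toy WSGI model in which every function name, key and token is constructed for illustration, and the S3 signature check that a real deployment delegates to Keystone is elided.

```python
# Toy WSGI model of the s3token -> authtoken ordering; NOT Keystone's middleware.
# All names, access keys and tokens below are constructed for illustration.
TOKENS = {"tok-alice": "alice"}           # valid OpenStack tokens -> user
S3_KEYS = {"AKIDEXAMPLE": "tok-alice"}    # S3 access key -> token (signature check elided)

def app(environ, start_response):
    """Stand-in for the Swift proxy: only reached with a validated identity."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ["identity"]).encode()]

def deny(start_response):
    start_response("401 Unauthorized", [("Content-Type", "text/plain")])
    return [b"unauthorized"]

def s3token(next_app):
    """Converter: turn S3 credentials into a token, pass everything else through."""
    def middleware(environ, start_response):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        if auth.startswith("AWS "):
            access_key = auth[4:].split(":", 1)[0]
            token = S3_KEYS.get(access_key)
            if token is None:
                return deny(start_response)       # S3 request with bad credentials
            environ["HTTP_X_AUTH_TOKEN"] = token
        return next_app(environ, start_response)  # non-S3 requests are not rejected here
    return middleware

def authtoken(next_app):
    """Validator: the one place a request without a valid token is rejected."""
    def middleware(environ, start_response):
        user = TOKENS.get(environ.get("HTTP_X_AUTH_TOKEN"))
        if user is None:
            return deny(start_response)
        environ["identity"] = user
        return next_app(environ, start_response)
    return middleware

def status_of(pipeline, headers):
    """Run one request through a pipeline and return the HTTP status line."""
    seen = []
    list(pipeline(dict(headers), lambda status, hdrs: seen.append(status)))
    return seen[0]

correct = s3token(authtoken(app))    # s3token first, as the message describes
reversed_ = authtoken(s3token(app))  # authtoken first: S3 requests are rejected unconverted
```

With `reversed_`, a request carrying only valid S3 credentials gets a 401 because authtoken sees no token before s3token has had a chance to supply one.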