openstack team mailing list archive
-
openstack team
-
Mailing list archive
-
Message #07903
Re: Swift S3 with Keystone anyone?
Hi all,
My co-worker built swift e3 environment (thank you Eguchi-san), so I checked
my patch and fix it. Then, I checked the last s3_token.py and swift3.py. I found
two problems.
a) swift3 sets HTTP_X_AUTH_TOKEN (= X-Auth-Token?) in constructors
of ServiceController, BucketController and ObjectController with base64ed
canonical_string(req). I think it's NOT necessary when s3_token already sets
X-Auth-Token header.
b) swift3 gets account information from Authorization header (I'm sorry that
I called it 'Signature' header) but it's an EC2 access key. I
think it's better to
create a new header for account information to pass it to swift3, but it's a
solution to rewrite Authorization header in s3_token.py like below:
diff --git a/keystone/middleware/s3_token.py b/keystone/middleware/s3_token.py
index 8cf3e0a..f8c6a14 100644
--- a/keystone/middleware/s3_token.py
+++ b/keystone/middleware/s3_token.py
@@ -122,6 +122,7 @@ class S3Token(object):
raise
req.headers['X-Auth-Token'] = token_id
+ req.headers['Authorization'] = 'AUTH_%s:dummy' % tenant[0]
environ['PATH_INFO'] = environ['PATH_INFO'].replace(
account, 'AUTH_%s' % tenant[0])
return self.app(environ, start_response)
p.s.
One more thing. Swift3.py returns illegal status for request to nonexistent
buckets, so euca-upload-bundle will fail when uploading some files to a new
bucket. I'm using euca-upload-bundle for keystoned swift with a patch below:
diff -u swift3.py ~/swift3.py
--- swift3.py 2012-02-23 21:40:10.000000000 +0900
+++ /root/swift3.py 2012-02-23 22:28:22.000000000 +0900
@@ -240,7 +240,7 @@
if status == 401:
return get_err_response('AccessDenied')
elif status == 404:
- return get_err_response('InvalidBucketName')
+ return get_err_response('NoSuchBucket')
else:
return get_err_response('InvalidURI')
@@ -311,7 +311,7 @@
if status == 401:
return get_err_response('AccessDenied')
elif status == 404:
- return get_err_response('InvalidBucketName')
+ return get_err_response('NoSuchBucket')
elif status == 409:
return get_err_response('BucketNotEmpty')
else:
Best regards,
Akira YOSHIYAMA <akirayoshiyama@xxxxxxxxx>
2012年2月19日10:20 Akira Yoshiyama <akirayoshiyama@xxxxxxxxx>:
> Hi all,
>
> I'm sorry for my previous post.
>
> Thank you Pete for your work. I think your s3token middleware have
> to modify the S3 Signature header
> from
> Signature: <EC2ACCESSKEY>:<signaturehash>
> to
> Signature: <USERID>:<anything>
>
> for swift3 middleware without my original patch for it.
>
> And I'm sorry about my late. Unfortunately, I'm not a programmer of OpenStack
> but an OSS system engineer, so I don't have enough time to develop
> OpenStack.
>
> Best regards,
> Akira Yoshiyama
>
> 2012/2/19 Akira Yoshiyama <akirayoshiyama@xxxxxxxxx>:
>> Hi,
>>
>> 2012/02/18 0:36 "Chmouel Boudjnah" <chmouel@xxxxxxxxxxx>:
>>>
>>> On 17 Feb 2012, at 06:12, Pete Zaitcev wrote:
>>>
>>> - A S3Token middleware which is based on Akira version with some fixes.
>>>
>>> Yeah, that looks beautiful... Unfortunately the back-end
>>> inherits the old problem: it authorizes against EC2 credentials
>>> instead of Swift credentials. The result is, if two applications
>>> A and B use different access methods, CF and S3, to the same account,
>>> they do not see each other's objects. It happens because the storage
>>> URL returned by Keystone differs for them, as far as I can discern.
>>>
>>>
>>> This is actually supported as mentioned in my temporary doc[1] see the
>>> transcript here :
>>>
>>> http://pastie.org/3401911
>>>
>>> this made of from a fresh devstack with a few tweaks to the
>>> configurations.
>>> I plan to add this to devstack but I am waiting first for some of my
>>> other review to get approved to push those changes and be able to get rid of
>>> swift-keystone2 for good.
>>>
>>> S3token middleware: https://review.openstack.org/#change,3910
>>>
>>> Swift token middleware: https://review.openstack.org/#change,3911
>>>
>>> Do you still want reviews on these, after the merge of redux?
>>>
>>>
>>> This has been merged to keystone master, feel free to review the one the
>>> add reseller admin support :
>>>
>>> https://review.openstack.org/#change,4234
>>>
>>> and the doc update :
>>>
>>> https://review.openstack.org/#change,4233
>>>
>>> The reseller admin will allow us ultimately to have swift acting as a
>>> nova-objectstore for nova.
>>>
>>> I have more plans for the middleware, I'd like to get the compressive
>>> tempauth testsuite running on swiftauth with almost no modifications and
>>> add along the way anonymous user object access via ACL.
>>>
>>> Let me know if you have questions.
>>>
>>> Cheers,
>>> Chmouel.
>>>
>>> PS: readding openstack@ as this may be useful for everyone.
>>>
>>> [1] http://p.chmouel.com/swift-keystonelight-s3.txt
>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~openstack
>>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~openstack
>>> More help : https://help.launchpad.net/ListHelp
>>>
>>
>
>
>
> --
> 吉山あきら <akirayoshiyama@xxxxxxxxx>
--
吉山あきら <akirayoshiyama@xxxxxxxxx>
References