swift: Fix s3api/keystone interaction

For a long time, swift3 recommended a pipeline like

   ... swift3 s3token authtoken keystoneauth ...

This led to inefficiencies where the proxy would first contact Keystone
to validate the S3 signature and issue a token, then contact Keystone
*again* to validate the token ID that was just issued.

After s3token moved into the swift3 repo, it was improved to be able
to put all of the headers into the WSGI environment that Swift's
keystoneauth middleware expected and the recommended pipeline was
changed to something like

   ... authtoken s3api s3token keystoneauth ...

At the time, the old order would still work, it would just be less
efficient. When support was added for Keystone v3, however, the new
order became mandatory.

All of that happened before swift3 moved back into Swift as s3api, but
the pipeline placement problems are the same: Keystone users won't be
able to use the S3 api with the current order.

Change-Id: Id0659f109cc2fc12ddb371df0b26812ba8c442d9
Related-Change: I21e38884a2aefbb94b76c76deccd815f01db7362
Related-Change: Ic9af387b9192f285f0f486e7171eefb23968007e
This commit is contained in:
Tim Burke 2020-05-26 16:21:45 -07:00
parent 54edc7aeef
commit 5b48e362af
1 changed files with 2 additions and 1 deletions

View File

@ -428,10 +428,11 @@ function configure_swift {
swift_pipeline+=" s3api"
fi
if is_service_enabled keystone; then
swift_pipeline+=" authtoken"
if is_service_enabled s3api;then
swift_pipeline+=" s3token"
fi
swift_pipeline+=" authtoken keystoneauth"
swift_pipeline+=" keystoneauth"
fi
swift_pipeline+=" tempauth "