ec2 docs
This commit is contained in:
parent
269159f67d
commit
f94397743e
|
@ -1,6 +1,24 @@
|
||||||
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
# vim: tabstop=4 shiftwidth=4 softtabstop=4
|
||||||
|
|
||||||
"""Main entry point into the EC2 Credentials service."""
|
"""Main entry point into the EC2 Credentials service.
|
||||||
|
|
||||||
|
This service allows the creation of access/secret credentials used for
|
||||||
|
the ec2 interop layer of OpenStack.
|
||||||
|
|
||||||
|
A user can create as many access/secret pairs, each of which map to a
|
||||||
|
specific tenant. This is required because OpenStack supports a user
|
||||||
|
belonging to multiple tenants, whereas the signatures created on ec2-style
|
||||||
|
requests don't allow specification of which tenant the user wishs to act
|
||||||
|
upon.
|
||||||
|
|
||||||
|
To complete the cycle, we provide a method that OpenStack services can
|
||||||
|
use to validate a signature and get a corresponding openstack token. This
|
||||||
|
token allows method calls to other services within the context the
|
||||||
|
access/secret was created. As an example, nova requests keystone to validate
|
||||||
|
the signature of a request, receives a token, and then makes a request to glance
|
||||||
|
to list images needed to perform the requested task.
|
||||||
|
|
||||||
|
"""
|
||||||
|
|
||||||
import uuid
|
import uuid
|
||||||
|
|
||||||
|
@ -67,7 +85,28 @@ class Ec2Controller(wsgi.Application):
|
||||||
|
|
||||||
def authenticate_ec2(self, context, credentials=None,
|
def authenticate_ec2(self, context, credentials=None,
|
||||||
ec2Credentials=None):
|
ec2Credentials=None):
|
||||||
"""Validate a signed EC2 request and provide a token."""
|
"""Validate a signed EC2 request and provide a token.
|
||||||
|
|
||||||
|
Other services (such as Nova) use this **admin** call to determine
|
||||||
|
if a request they signed received is from a valid user.
|
||||||
|
|
||||||
|
If it is a valid signature, an openstack token that maps
|
||||||
|
to the user/tenant is returned to the caller, along with
|
||||||
|
all the other details returned from a normal token validation
|
||||||
|
call.
|
||||||
|
|
||||||
|
The returned token is useful for making calls to other
|
||||||
|
OpenStack services within the context of the request.
|
||||||
|
|
||||||
|
:param context: standard context
|
||||||
|
:param credentials: dict of ec2 signature
|
||||||
|
:param ec2Credentials: DEPRECATED dict of ec2 signature
|
||||||
|
:returns: token: openstack token equivalent to access key along
|
||||||
|
with the corresponding service catalog and roles
|
||||||
|
"""
|
||||||
|
|
||||||
|
# FIXME(ja): validate that a service token was used!
|
||||||
|
|
||||||
# NOTE(termie): backwards compat hack
|
# NOTE(termie): backwards compat hack
|
||||||
if not credentials and ec2Credentials:
|
if not credentials and ec2Credentials:
|
||||||
credentials = ec2Credentials
|
credentials = ec2Credentials
|
||||||
|
@ -127,7 +166,16 @@ class Ec2Controller(wsgi.Application):
|
||||||
self, token_ref, roles_ref, catalog_ref)
|
self, token_ref, roles_ref, catalog_ref)
|
||||||
|
|
||||||
def create_credential(self, context, user_id, tenant_id):
|
def create_credential(self, context, user_id, tenant_id):
|
||||||
"""Create a secret/access pair for a given user/tenant."""
|
"""Create a secret/access pair for use with ec2 style auth.
|
||||||
|
|
||||||
|
Generates a new set of credentials that map the the user/tenant
|
||||||
|
pair.
|
||||||
|
|
||||||
|
:param context: standard context
|
||||||
|
:param user_id: id of user
|
||||||
|
:param tenant_id: id of tenant
|
||||||
|
:returns: credential: dict of ec2 credential
|
||||||
|
"""
|
||||||
# TODO(termie): validate that this request is valid for given user
|
# TODO(termie): validate that this request is valid for given user
|
||||||
# tenant
|
# tenant
|
||||||
cred_ref = {'user_id': user_id,
|
cred_ref = {'user_id': user_id,
|
||||||
|
@ -138,20 +186,42 @@ class Ec2Controller(wsgi.Application):
|
||||||
return {'credential': cred_ref}
|
return {'credential': cred_ref}
|
||||||
|
|
||||||
def get_credentials(self, context, user_id):
|
def get_credentials(self, context, user_id):
|
||||||
"""List all credentials for a user."""
|
"""List all credentials for a user.
|
||||||
|
|
||||||
|
:param context: standard context
|
||||||
|
:param user_id: id of user
|
||||||
|
:returns: credentials: list of ec2 credential dicts
|
||||||
|
"""
|
||||||
|
|
||||||
# TODO(termie): validate that this request is valid for given user
|
# TODO(termie): validate that this request is valid for given user
|
||||||
# tenant
|
# tenant
|
||||||
return {'credentials': self.ec2_api.list_credentials(context, user_id)}
|
return {'credentials': self.ec2_api.list_credentials(context, user_id)}
|
||||||
|
|
||||||
def get_credential(self, context, user_id, credential_id):
|
def get_credential(self, context, user_id, credential_id):
|
||||||
"""Lookup and retreive access/secret pair by access."""
|
"""Retreive a user's access/secret pair by the access key.
|
||||||
|
|
||||||
|
Grab the full access/secret pair for a given access key.
|
||||||
|
|
||||||
|
:param context: standard context
|
||||||
|
:param user_id: id of user
|
||||||
|
:param credential_id: access key for credentials
|
||||||
|
:returns: credential: dict of ec2 credential
|
||||||
|
"""
|
||||||
# TODO(termie): validate that this request is valid for given user
|
# TODO(termie): validate that this request is valid for given user
|
||||||
# tenant
|
# tenant
|
||||||
return {'credential': self.ec2_api.get_credential(context,
|
return {'credential': self.ec2_api.get_credential(context,
|
||||||
credential_id)}
|
credential_id)}
|
||||||
|
|
||||||
def delete_credential(self, context, user_id, credential_id):
|
def delete_credential(self, context, user_id, credential_id):
|
||||||
"""Delete a user's access/secret pair."""
|
"""Delete a user's access/secret pair.
|
||||||
|
|
||||||
|
Used to revoke a user's access/secret pair
|
||||||
|
|
||||||
|
:param context: standard context
|
||||||
|
:param user_id: id of user
|
||||||
|
:param credential_id: access key for credentials
|
||||||
|
:returns: bool: success
|
||||||
|
"""
|
||||||
# TODO(termie): validate that this request is valid for given user
|
# TODO(termie): validate that this request is valid for given user
|
||||||
# tenant
|
# tenant
|
||||||
return self.ec2_api.delete_credential(context, credential_id)
|
return self.ec2_api.delete_credential(context, credential_id)
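Review bot: The new docstrings for get_credential and delete_credential describe them as acting on "a user's access/secret pair" and document `:param user_id: id of user`, but both bodies forward only `credential_id` to `self.ec2_api` and the TODO under each says the user/tenant check is still missing, so as written the docs promise an ownership guarantee the code does not enforce (whether ec2_api checks anything itself is not visible here). Until that TODO is resolved the parameter line should say so, e.g. `:param user_id: id of user (currently unused; ownership is NOT checked, see TODO)`, and the same hedge belongs on get_credentials, which lists whatever user_id the caller supplies without tying it to the request context. The summary line `"""Retreive a user's access/secret pair by the access key.` also misspells "Retrieve". The same honesty issue applies in the earlier authenticate_ec2 hunk, whose docstring calls it an **admin** call while the adjacent FIXME admits no service token is validated; that function's body continues outside its hunk.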
|
||||||
|
|