Add support for Swift S3 API

This feature is disabled by default, and can be enabled by setting 'enable_swift_s3api' to 'true' in globals.yml. Two middlewares are required for Swift S3 - s3api and s3token. Additionally, we need to configure the authtoken middleware to delay auth decisions to give s3token a chance to authorise requests using EC2 credentials. Change-Id: Ib8e8e3a1c2ab383100f3c60ec58066e588d3b4db
2019-08-13 12:46:17 +00:00 · 2019-08-13 12:46:17 +00:00 · d72b27f2d1
commit d72b27f2d1
parent 41e634e204
5 changed files with 30 additions and 5 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -617,6 +617,7 @@ enable_skydive: "no"
 enable_solum: "no"
 enable_storm: "{{ enable_monasca | bool }}"
 enable_swift: "no"
+enable_swift_s3api: "no"
 enable_tacker: "no"
 enable_telegraf: "no"
 enable_tempest: "no"
--- a/ansible/roles/swift/defaults/main.yml
+++ b/ansible/roles/swift/defaults/main.yml
@ -64,7 +64,9 @@ swift_admin_tenant_name: "admin"
 swift_devices_mount_point: "/srv/node"
 swift_devices_match_mode: "strict"
 swift_devices_name: "KOLLA_SWIFT_DATA"
-swift_delay_auth_decision: "False"
+# For S3 API we need to defer the auth decision to allow s3api and s3token
+# middlewares to process requests using EC2 credentials.
+swift_delay_auth_decision: "{{ enable_swift_s3api | bool }}"

 # Boolean, true if there is a dedicated replication network.
 swift_has_replication_network: "{{ swift_storage_interface != swift_replication_interface }}"
--- a/ansible/roles/swift/templates/proxy-server.conf.j2
+++ b/ansible/roles/swift/templates/proxy-server.conf.j2
@ -10,7 +10,7 @@ log_level = {{ swift_log_level }}
 workers = {{ openstack_service_workers }}

 [pipeline:main]
-pipeline = catch_errors gatekeeper healthcheck cache container_sync bulk tempurl ratelimit authtoken keystoneauth container_quotas account_quotas slo dlo {% if enable_ceilometer | bool %}ceilometer {% endif %}proxy-server
+pipeline = catch_errors gatekeeper healthcheck cache container_sync bulk tempurl ratelimit authtoken {% if enable_swift_s3api | bool %}s3api s3token {% endif %}keystoneauth container_quotas account_quotas slo dlo {% if enable_ceilometer | bool %}ceilometer {% endif %}proxy-server

 [app:proxy-server]
 use = egg:swift#proxy
@ -91,3 +91,12 @@ use = egg:swift#dlo
 [filter:versioned_writes]
 use = egg:swift#versioned_writes
 allow_versioned_writes = True
+
+{% if enable_swift_s3api | bool %}
+[filter:s3api]
+use = egg:swift#s3api
+
+[filter:s3token]
+use = egg:swift#s3token
+www_authenticate_uri = {{ keystone_internal_url }}/v3
+{% endif %}
--- a/doc/source/reference/storage/swift-guide.rst
+++ b/doc/source/reference/storage/swift-guide.rst
@ -1,8 +1,8 @@
 .. _swift-guide:

-=============================
-Swift- Object storage service
-=============================
+==============================
+Swift - Object storage service
+==============================

 Overview
 ~~~~~~~~
@ -266,3 +266,12 @@ A very basic smoke test:
   | Containers | 1                                     |
   | Objects    | 1                                     |
   +------------+---------------------------------------+
+
+S3 API
+~~~~~~
+
+The Swift S3 API can be enabled by setting ``enable_swift_s3api`` to ``true``
+in ``globals.yml``. It is disabled by default. In order to use this API it is
+necessary to obtain EC2 credentials from Keystone. See the `Swift documentation
+<https://docs.openstack.org/swift/latest/middleware.html#module-swift.common.middleware.s3api.s3api>`__
+for details.
--- a/releasenotes/notes/swift-s3api-2b51917b169fff78.yaml
+++ b/releasenotes/notes/swift-s3api-2b51917b169fff78.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Adds support for the Swift S3 API, enabled via the ``enable_swift_s3api`` flag.