s3token: Enable secret caching by default

Now that we need to pass the service creds to keystone, we might as well default secret caching by default now that they need to be provided. This patch also adds the required s3token configuration to CI so we can use the swift service creds to fetch s3api secrets. As well as also configuring keystone users for cross-compatibility tests. Change-Id: Ief0a29c4300edf2e0d52c041960d756ecc8a2677 Signed-off-by: Tim Burke <tburke@nvidia.com> (cherry picked from commit 5f89d14ebb)
2025-11-06 10:30:21 +11:00
parent 00d84e8c00
commit 1922c2da2a
4 changed files with 107 additions and 1 deletions
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -769,6 +769,12 @@ http_timeout = 10.0
 # You can override the default log routing for this filter here:
 # log_name = s3token

+# Secrets may be cached to reduce latency for the client and load on Keystone.
+# This configures the duration that secrets may be cached; set to zero to
+# disable caching and prevent Swift from retrieving secrets from Keystone.
+# secret_cache_duration = 60
+# Note that caching is required to enable signed aws-chunked transfers.
+
 # Recent Keystone deployments require credentials similar to the authtoken
 # middleware; these credentials require access to the s3tokens endpoint.
 # Additionally, if secret caching is enabled, the credentials should have
--- a/roles/additional-keystone-users/tasks/main.yaml
+++ b/roles/additional-keystone-users/tasks/main.yaml
@@ -28,6 +28,20 @@
    option: s3_secret_key
    value: s3-secret1
  become: true
+- name: Add primary S3 user to test.conf for cross-compat tests
+  ini_file:
+    path: /etc/swift/test.conf
+    section: s3api_test
+    option: access_key1
+    value: s3-user1
+  become: true
+- name: Add primary S3 user secret to test.conf for cross-compat tests
+  ini_file:
+    path: /etc/swift/test.conf
+    section: s3api_test
+    option: secret_key1
+    value: s3-secret1
+  become: true

 - name: Clear secondary S3 user from test.conf
  ini_file:
@@ -36,6 +50,13 @@
    option: s3_access_key2
    value: ""
  become: true
+- name: Clear secondary S3 user from test.conf for cross-compat tests
+  ini_file:
+    path: /etc/swift/test.conf
+    section: s3api_test
+    option: access_key2
+    value: ""
+  become: true

 - name: Create restricted S3 user
  shell: >
@@ -59,6 +80,20 @@
    option: s3_secret_key3
    value: s3-secret3
  become: true
+- name: Add restricted S3 user to test.conf for cross-compat tests
+  ini_file:
+    path: /etc/swift/test.conf
+    section: s3api_test
+    option: access_key3
+    value: s3-user3
+  become: true
+- name: Add restricted S3 user secret to test.conf for cross-compat tests
+  ini_file:
+    path: /etc/swift/test.conf
+    section: s3api_test
+    option: secret_key3
+    value: s3-secret3
+  become: true

 - name: Create service role
  shell: >
--- a/roles/dsvm-additional-middlewares/tasks/main.yaml
+++ b/roles/dsvm-additional-middlewares/tasks/main.yaml
@@ -61,6 +61,70 @@
    value: true
  become: true

+- name: "Configure s3token: auth_url"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: auth_url
+    value: http://localhost/identity
+  become: true
+
+- name: "Configure s3token: project_domain_name"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: project_domain_name
+    value: Default
+  become: true
+
+- name: "Configure s3token: project_name"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: project_name
+    value: service
+  become: true
+
+- name: "Configure s3token: user_domain_name"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: user_domain_name
+    value: Default
+  become: true
+
+- name: "Configure s3token: username"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: username
+    value: swift
+  become: true
+
+- name: "Configure s3token: password"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: password
+    value: secretservice
+  become: true
+
+- name: "Configure s3token: auth_type"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: auth_type
+    value: password
+  become: true
+
+- name: "Configure s3token: interface"
+  ini_file:
+    path: /etc/swift/proxy-server.conf
+    section: filter:s3token
+    option: interface
+    value: public
+  become: true
+
 - name: Copy ring for Policy-1
  copy:
    remote_src: true
--- a/swift/common/middleware/s3api/s3token.py
+++ b/swift/common/middleware/s3api/s3token.py
@@ -177,7 +177,8 @@ class S3Token(object):
        else:
            self._verify = None

-        self._secret_cache_duration = int(conf.get('secret_cache_duration', 0))
+        self._secret_cache_duration = int(
+            conf.get('secret_cache_duration', 60))
        if self._secret_cache_duration < 0:
            raise ValueError('secret_cache_duration must be non-negative')