s3token: Pass service auth token to Keystone
Recent versions of Keystone require auth tokens when accessing the /v3/s3tokens endpoint to prevent exposure of a lot of information that a user who just has a presigned URL should not be able to see.

UpgradeImpact
=============

The s3token middleware now requires Keystone auth credentials to be configured. If secret_cache_duration is enabled, these credentials should already be configured. Without these credentials, Keystone users will no longer be able to make S3 API requests.

Closes-Bug: #2119646
Change-Id: Ie80bc33d0d9de17ca6eaad3b43628724538001f6
Signed-off-by: Tim Burke <tim.burke@gmail.com>
Committed by: Matthew Oliver
Parent: d87ebd7d05
Commit: e7bb2a3855
@@ -785,17 +785,6 @@ auth_uri = http://keystonehost:5000/v3
# Connect/read timeout (in seconds) to use when communicating with Keystone
http_timeout = 10.0

# Number of seconds to cache the S3 secret. By setting this to a positive
# number, the S3 authorization validation checks can happen locally.
# secret_cache_duration = 0

# If S3 secret caching is enabled, Keystone auth credentials to be used to
# validate S3 authorization must be provided here. The appropriate options
# are the same as used in the authtoken middleware above. The values are
# likely the same as used in the authtoken middleware.
# Note that the Keystone auth credentials used by s3token will need to be
# able to view all project credentials too.

# SSL-related options
# insecure = False
# certfile =
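Review bot: the whole caching/credentials comment block between `http_timeout = 10.0` and `# SSL-related options` is removed from this position (the header's 17 -> 6 line counts show it; the rendered view has lost the +/- markers), so check that the two facts it carried survive wherever the text is relocated: that `secret_cache_duration` must be set to a positive number for validation to happen locally, and that the credentials s3token uses need to be able to view all project credentials. Both reappear in the later hunks of this file, so nothing is lost; it is only worth noting that the `# secret_cache_duration = 0` default was easier to find next to `http_timeout` than after the password line where it now lands.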
@@ -804,12 +793,10 @@ http_timeout = 10.0
# You can override the default log routing for this filter here:
# log_name = s3token

# Secrets may be cached to reduce latency for the client and load on Keystone.
# Set this to some number of seconds greater than zero to enable caching.
# secret_cache_duration = 0

# Secret caching requires Keystone credentials similar to the authtoken middleware;
# these credentials require access to view all project credentials.
# Recent Keystone deployments require credentials similar to the authtoken
# middleware; these credentials require access to the s3tokens endpoint.
# Additionally, if secret caching is enabled, the credentials should have
# access to view all project credentials.
# auth_url = http://keystonehost:5000
# auth_type = password
# project_domain_id = default
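Review bot: the new sentence "Recent Keystone deployments require credentials similar to the authtoken middleware" reads as advisory, while the commit message's UpgradeImpact says these credentials are now mandatory and that Keystone users cannot make S3 API requests without them; because `auth_url`, `auth_type` and `project_domain_id` stay commented out directly below, an operator skimming the sample can still take them for optional, so consider saying so plainly, e.g. `# Keystone auth credentials are now required; without them S3 requests from Keystone users fail.` It would also help to state here that s3token's own `auth_uri = http://keystonehost:5000/v3` (the context line at the top of the first hunk, the endpoint the s3tokens call is sent to) and the keystoneauth `auth_url = http://keystonehost:5000` (no version suffix) are two separate settings that both have to be configured, since the similar names invite confusion. The split between "access to the s3tokens endpoint" (always) and "view all project credentials" (only when caching is enabled) is a useful least-privilege statement; keep it.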
@@ -818,6 +805,11 @@ http_timeout = 10.0
# username = swift
# password = password

# Secrets may be cached to reduce latency for the client and load on Keystone.
# Set this to some number of seconds greater than zero to enable caching and
# allow some S3 authorization validation checks to happen entirely in the proxy.
# secret_cache_duration = 0

[filter:healthcheck]
use = egg:swift#healthcheck
# An optional filesystem path, which if present, will cause the healthcheck
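Review bot: the relocated caching comment explains the benefit ("happen entirely in the proxy") but not the cost: a cached secret stays usable by the proxy for up to `secret_cache_duration` seconds after it is changed or revoked in Keystone, and the secrets themselves are then held in the proxy's cache, so an operator choosing a large value is trading revocation latency for reduced Keystone load. One line next to the knob, such as `# Cached secrets are honoured until they expire, even if changed in Keystone.`, would make that trade-off visible where the value is set. The `[filter:healthcheck]` context lines are unchanged.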