How does keystone token get to swift?

asked 2015-06-17 18:04:32 -0500

piousbox

I'm looking to build a service that acts as Swift. So far it's going well. The current step in the process is figuring out authentication. I already implemented Swift's own tempauth, and now I'm looking into integration with keystone.

I see that keystone allows authorizing a user for a specific tenant:

curl -d '{"auth":{"passwordCredentials":{"username": "admin", "password": "s3cret"},"tenantName":"AUTH_f41efa5e1ae7405fa37dc0a0588bb312" } }' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens

And then supposedly I can use the generated token and the storage service's publicurl to access that service:

curl -v -H 'X-Auth-Token: AUTH_tk35ba7939ea8540e9be0bd182b9bcabc2' http://127.0.0.1:8080/v1/AUTH_test

And I can verify that it indeed works on devstack.

My question is: how does swift become aware of the x-auth-token? Does keystone perform a PUT operation to swift's admin endpoint to let swift know of the token? (I don't see anything resembling this in my logs.) Or, on a request to swift with the x-auth-token header, swift issues a request to keystone to validate the token, and then caches the response? If so, how exactly is this being done?

In summary: I think I understand how using keystone works, with roles and tenants and users, however I do not understand what is the communication between keystone and swift in respect to the auth token that keystone generates, and swift validates.


1 answer


answered 2015-06-18 09:48:56 -0500

1. If a user wants to invoke a REST call 'X' in swift, he gets the token from keystone and then invokes the REST call by passing the user's token.
2. Now swift needs to validate the user's token.
3. Swift will send the user's token to keystone to validate. But for this to work, swift needs to validate itself. If you look at swift.conf, it will have a service account. Swift uses this account to identify itself to keystone (i.e., using the service account it gets a token (caches it), and when it needs to validate the user's token, it asks keystone to validate the user's token by passing both its token and the user's token).
4. Upon successful response, it proceeds.
 

To answer your questions

1) Keystone middleware uses the config setting to get the service token and caches it. While trying to validate the user's token, it passes swift's token in X-Auth-Header along with the user's token.

Comments

I believe this answers my question, thank you.

piousbox (2015-06-19 12:56:50 -0500)
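
The validate-and-cache flow described in the answer, as an added Python example that is not part of the original post and is not Swift's or Keystone's own code. It assumes Keystone v2.0's token validation call (GET /v2.0/tokens/{token} with the service token in X-Auth-Token); TokenValidator, FakeKeystone and the http transport callable are hypothetical names, and all token values are constructed.

```python
import time

class FakeKeystone:
    """Constructed stand-in for Keystone v2.0 so the example runs offline."""
    def __init__(self):
        self.calls = []
        self.tokens = {"user-tok": {"access": {   # constructed sample token
            "token": {"tenant": {"id": "t1"}}, "user": {"roles": [{"name": "admin"}]}}}}
    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        if method == "POST" and url.endswith("/tokens"):
            return 200, {"access": {"token": {"id": "svc-tok"}}}
        if headers.get("X-Auth-Token") != "svc-tok":
            return 401, {}                      # caller is not a valid service
        doc = self.tokens.get(url.rsplit("/", 1)[1])
        return (200, doc) if doc else (404, {})  # 404: unknown or expired token

class TokenValidator:
    """What the Swift-side middleware does per request (hypothetical class)."""
    def __init__(self, http, auth_url, service_creds, ttl=300):
        self.http, self.auth_url, self.creds, self.ttl = http, auth_url, service_creds, ttl
        self.service_token = None
        self.cache = {}                         # user token -> (cache expiry, identity)

    def _service_login(self):
        status, doc = self.http("POST", self.auth_url + "/tokens",
                                {"Content-Type": "application/json"}, {"auth": self.creds})
        if status != 200:
            raise RuntimeError("service account login failed")
        self.service_token = doc["access"]["token"]["id"]

    def validate(self, user_token):
        hit = self.cache.get(user_token)
        if hit and hit[0] > time.time():
            return hit[1]                       # cache hit: no call to Keystone
        for _ in range(2):                      # one retry if the service token expired
            if self.service_token is None:
                self._service_login()
            status, doc = self.http("GET", f"{self.auth_url}/tokens/{user_token}",
                                    {"X-Auth-Token": self.service_token}, None)
            if status != 401:
                break
            self.service_token = None
        if status != 200:
            return None                         # fail closed; rejections are not cached
        acc = doc["access"]
        ident = (acc["token"]["tenant"]["id"], [r["name"] for r in acc["user"]["roles"]])
        self.cache[user_token] = (time.time() + self.ttl, ident)
        return ident
```

The fixed ttl is a simplification: a deployed validator should also bound each cache entry by the token's own expiry so a cached token is never accepted after Keystone would reject it.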

Stats

Asked: 2015-06-17 18:04:32 -0500

Seen: 653 times

Last updated: Jun 18 '15