How does keystone token get to swift?

asked 2015-06-17 18:04:32 -0500

piousbox

I'm looking to build a service that acts as Swift. So far it's going well. The current step in the process is figuring out authentication. I already implemented Swift's own tempauth, and now I'm looking into integration with keystone.

I see that keystone allows authorizing a user for a specific tenant:

curl -d '{"auth":{"passwordCredentials":{"username": "admin", "password": "s3cret"},"tenantName":"AUTH_f41efa5e1ae7405fa37dc0a0588bb312" } }' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens

And then supposedly I can use the generated token and the storage service's publicurl to access that service:

curl -v -H 'X-Auth-Token: AUTH_tk35ba7939ea8540e9be0bd182b9bcabc2'

And I can verify that it indeed works on devstack.

My question is: how does swift become aware of the x-auth-token? Does keystone perform a PUT operation to swift's admin endpoint to let swift know of the token? (I don't see anything resembling this in my logs.) Or, on a request to swift with the x-auth-token header, swift issues a request to keystone to validate the token, and then caches the response? If so, how exactly is this being done?

In summary: I think I understand how using keystone works, with roles and tenants and users; however, I do not understand what the communication between keystone and swift is with respect to the auth token that keystone generates and swift validates.


1 answer


answered 2015-06-18 09:48:56 -0500

1) If a user wants to invoke a REST call 'X' in swift, he gets the token from keystone and then invokes the REST call by passing the user's token.
2) Now swift needs to validate the user's token.
3) Swift will send the user's token to keystone to validate. But for this to work, swift needs to validate itself. If you look at swift.conf, it will have a service account. Swift uses this account to identify itself to keystone. (i.e.) Using the service account it gets a token (caches it), and when it needs to validate the user's token, it asks keystone to validate the user's token, by passing both its token and the user's token.
5) Upon successful response, it proceeds.

To answer your questions

1) Keystone middleware uses the config setting to get the service token and caches it. While trying to validate the user's token, it passes swift's token in X-Auth-Header along with the user's token.


I believe this answers my question, thank you.

piousbox (2015-06-19 12:56:50 -0500)
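The validation flow described in the answer above, sketched as an added example that is not part of the original thread and is not Keystone's or Swift's own code. `FakeKeystone`, `TokenValidator`, the `swift` service user, the `service` tenant, the token format and the 300-second cache TTL are all assumptions made for illustration; the fake stands in for the Keystone HTTP calls named in its comments so the example runs offline.

```python
import time

class FakeKeystone:
    """Constructed in-memory stand-in for Keystone v2.0 (no network)."""
    def __init__(self):
        self.tokens = {}         # token id -> user, tenant, expiry
        self.validate_calls = 0  # counts validation round trips

    def issue(self, user, password, tenant):
        # Models POST /v2.0/tokens with passwordCredentials.
        if password != "s3cret":
            return None
        token = "tk-%s-%d" % (user, len(self.tokens))
        self.tokens[token] = {"user": user, "tenant": tenant,
                              "expires": time.time() + 3600}
        return token

    def validate(self, service_token, user_token):
        # Models GET /v2.0/tokens/<user_token> sent with
        # X-Auth-Token: <service_token>.
        self.validate_calls += 1
        if service_token not in self.tokens:
            raise PermissionError("401: caller is not authenticated")
        info = self.tokens.get(user_token)
        return info if info and info["expires"] > time.time() else None

class TokenValidator:
    """Swift-side check: service token plus a cache of validated tokens."""
    def __init__(self, keystone, svc_user, svc_password, cache_ttl=300):
        self.keystone = keystone
        self.creds = (svc_user, svc_password)
        self.cache_ttl = cache_ttl
        self.service_token = None  # fetched once, then reused
        self.cache = {}            # user token -> (info, cached_until)

    def check(self, user_token, now=None):
        now = time.time() if now is None else now
        hit = self.cache.get(user_token)
        if hit and hit[1] > now:
            return hit[0]          # answered locally, Keystone not contacted
        if self.service_token is None:
            self.service_token = self.keystone.issue(*self.creds, tenant="service")
        info = self.keystone.validate(self.service_token, user_token)
        if info is not None:
            # Cache successes only, and never beyond the token's own expiry.
            until = min(now + self.cache_ttl, info["expires"])
            self.cache[user_token] = (info, until)
        return info
```

With a cache like this, a token revoked in Keystone is still accepted until its cache entry expires, so the cache TTL is also the revocation lag.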


Asked: 2015-06-17 18:04:32 -0500

Seen: 755 times

Last updated: Jun 18 '15