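I. Introduction
As of Swift 1.5, the former swift.common.client has been moved to https://github.com/openstack/python-swiftclient, and the S3 compatibility layer has been moved to https://github.com/fujita/swift3. Because the documentation is updated slowly and is not very detailed, this article describes how to access Swift through the S3 API under the tempauth and keystone authentication systems, respectively. It is meant as a starting point; discussion is welcome.
The latest official documentation on this topic is for 1.4.8, while the latest Swift release is 1.6.0. The document under openstack-object-storage 1.4.8:
http://docs.openstack.org/trunk/openstack-object-storage/admin/content/configuring-openstack-object-storage-with-s3_api.html
In addition, the document under openstack-compute 1.4.8 (surprisingly, more detailed than the openstack-object-storage one):
http://docs.openstack.org/trunk/openstack-compute/admin/content/configuring-swift-with-s3-emulation-to-use-keystone.html
II. Configuring and testing the S3 service with tempauth
1. With tempauth this is fairly simple: install swift3 on the proxy.
2. Edit /etc/swift/proxy-server.conf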
[pipeline:main]
pipeline = catch_errors healthcheck cache ratelimit swift3 tempauth proxy-logging proxy-server
[filter:swift3]
use=egg:swift3#swift3
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
3. Test:
You can use the Perl s3curl script or the Python boto library. Taking s3curl as the example: make sure libdigest-hmac-perl is installed before use, and edit s3curl.pl so that my @endpoints = ('172.20.8.129');
1) List all buckets (that is, all containers):
./s3curl.pl --id 'test:tester' --key testing --get -- -s -v http://127.0.0.1
2) Or add a .s3curl file:
%awsSecretAccessKeys = (
    # personal account
    personal => {
        id => 'test:tester',
        key => 'testing',
    },
);
and then access with:
./s3curl.pl --id personal --get -- -s -v http://127.0.0.1
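III. Configuring and testing the S3 service with Keystone
Basic request validation flow:
swift3: converts the S3 headers to Swift.
s3token: validates the S3 token and obtains the keystone token and the tenant/user.
authtoken: generates the keystone token and obtains the keystone groups.
keystone: performs the real verification, allowing or denying based on ACL, referer and so on.
1. Install swift3 and keystone on the proxy.
2. Edit /etc/swift/proxy-server.conf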
[pipeline:main]
pipeline = catch_errors healthcheck cache ratelimit swift3 s3token authtoken keystone proxy-server
[filter:swift3]
use=egg:swift3#swift3
[filter:s3token]
paste.filter_factory = keystone.middleware.s3_token:filter_factory
auth_port = 35357
auth_host = 172.20.8.129
auth_protocol = http
admin_token=ADMIN
[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_port = 5000
service_host = 172.20.8.129
auth_port = 35357
auth_host = 172.20.8.129
auth_protocol = http
auth_token = ADMIN
admin_token = ADMIN
[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = admin,swiftoperator
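3. Create the ec2 access key and secret (note: this is the key step, and the biggest difference from tempauth):
keystone ec2-credentials-create --user_id 6ed9a…14dad --tenant_id 991bcffb…b6e1a7
4. Test
Same as with tempauth, except that the id and key are replaced by the access and secret values.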
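The signing step that s3curl performs with the id and key in both the tempauth and keystone tests, as an added Python example (not code from s3curl, swift3 or keystone). It assumes S3 signature version 2 with no x-amz-* headers; the SECRETS table and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
from email.utils import formatdate

# Constructed credential table (assumption): the tempauth user from this page.
SECRETS = {"test:tester": "testing"}


def string_to_sign(method, resource, date, content_md5="", content_type=""):
    # Signature v2 canonical string: verb, MD5, type, date, then the resource.
    return "\n".join([method, content_md5, content_type, date, resource])


def sign(secret, method, resource, date):
    mac = hmac.new(secret.encode(), string_to_sign(method, resource, date).encode(),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def authorization_header(access_id, secret, method, resource, date):
    # The secret never goes on the wire, only the id and the HMAC.
    return "AWS %s:%s" % (access_id, sign(secret, method, resource, date))


def verify(header, lookup_secret, method, resource, date):
    # Server-side view: recompute the HMAC and compare in constant time.
    scheme, _, creds = header.partition(" ")
    if scheme != "AWS" or ":" not in creds:
        return False
    # tempauth ids contain ':' themselves, so split on the last colon only.
    access_id, signature = creds.rsplit(":", 1)
    secret = lookup_secret(access_id)
    if secret is None:
        return False
    expected = sign(secret, method, resource, date)
    return hmac.compare_digest(signature.encode(), expected.encode())


if __name__ == "__main__":
    date = formatdate(usegmt=True)  # value sent in the Date header
    header = authorization_header("test:tester", "testing", "GET", "/", date)
    print("Date:", date)
    print("Authorization:", header)
    print("verified:", verify(header, SECRETS.get, "GET", "/", date))
```

With keystone, the same header is built from the ec2 access and secret values instead of the tempauth id and key.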
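IV. S3 SDKs
Official SDKs are available; here I recommend a Java one, JetS3t. For usage, see:
http://blog.csdn.net/hitmediaman/article/details/6636402
V. Open questions
Where are the created ec2 access key and secret stored? There are no records in the ec2_credential table of the database. And what is the token table in the database actually for? No records ever appeared in it during use. Could it be that they are used as specified in the configuration file?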