We now have support in keystonelight for swift3, the S3 middleware for OpenStack Swift. You need the latest version of keystonelight, which integrates s3_token, and the latest swift_auth.

The authentication pipeline in your proxy-server.conf looks like this:

pipeline = catch_errors healthcheck cache swift3 s3token tokenauth keystone proxy-server

swift3: translates the S3 headers to Swift.
s3token: validates an S3 token against keystonelight to get the proper keystone token and tenant/user.
tokenauth: does the actual keystone token validation and gets the keystone groups.
keystone: does the actual validation and allows or denies the ACL referer or other swifties.

Configuration is:

keystone.conf
==========
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[pipeline:admin_api]
pipeline = [..... other stuff until the ec2_extensions....] s3_extension [... other stuff ...... ]
==========

/etc/swift/proxy-server.conf
==========
[filter:swift3]
use = egg:swift#swift3

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory

[filter:s3token]
paste.filter_factory = keystone.middleware.s3_token:filter_factory
service_port = 5000
service_host = 127.0.0.1
auth_port = 35357
auth_host = 127.0.0.1
auth_protocol = http
auth_token = ADMIN
admin_token = ADMIN

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_port = 5000
service_host = 127.0.0.1
auth_port = 35357
auth_host = 127.0.0.1
auth_token = ADMIN
admin_token = ADMIN
==========

On keystone you need to add an ec2 token, something like this:

==========
keystone-manage ec2 create user_id=$USER_ID tenant_id=$TENANT_ID
==========

Then use the generated token to identify yourself with, for example, boto. You can get it like this:

==========
keystone-manage ec2 list user_id=${USER_ID}
[
  {
    "access": "b27b96f9a70b4ae1b0e3c1d96be0d38d",
    "secret": "35174a89a6e94ddf9b82cbb4fbb94e76",
    "tenant_id": "dcbeb7f1271d4374b951954a4f1be15f",
    "user_id": "c7e005003f49415b83d4564c80cc0128"
  }
]
==========

And now for the boto connection you would do:

==========
connection = boto.connect_s3(
    aws_access_key_id='b27b96f9a70b4ae1b0e3c1d96be0d38d',
    aws_secret_access_key='35174a89a6e94ddf9b82cbb4fbb94e76',
    port=8080,
    host=proxy_server,
    is_secure=False,
    calling_format=boto.s3.connection.OrdinaryCallingFormat()
)
==========

You can mix the boto way and the non-boto way. A full example of uploading a file from boto:

==========
import boto
import boto.s3.connection
import boto.s3.key
import StringIO

# Connect to the Swift proxy through the swift3 S3 API, using the
# access/secret pair listed by keystone-manage above.
connection = boto.connect_s3(
    aws_access_key_id='b27b96f9a70b4ae1b0e3c1d96be0d38d',
    aws_secret_access_key='35174a89a6e94ddf9b82cbb4fbb94e76',
    port=8080,
    host='proxy01',
    is_secure=False,
    calling_format=boto.s3.connection.OrdinaryCallingFormat())

# An S3 bucket maps to a Swift container.
bucket = connection.create_bucket("cont_s3")
key = boto.s3.key.Key(bucket, "uploaded_from_s3.txt")

fp = StringIO.StringIO()
fp.write('This was uploaded to swift from Boto.\n')
# Rewind so the upload starts at the beginning of the buffer.
fp.seek(0)
key.set_contents_from_file(fp)
fp.close()
==========

After the script has run, you can check with the swift command line that the file was uploaded properly, this time not using boto, just straight swift and keystone:

==========
swift@proxy01:~$ swift --auth-version 2 -A http://localhost:5000/v2.0/tokens -U admin:admin -K ADMIN list cont_s3
uploaded_from_s3.txt
swift@proxy01:~$ swift --auth-version 2 -A http://localhost:5000/v2.0/tokens -U admin:admin -K ADMIN download -o- cont_s3 uploaded_from_s3.txt
This was uploaded to swift from Boto.
==========
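
The validation step that s3token hands to keystone, as an added example that is not keystone's or swift3's own code: the client never sends the secret, only an HMAC over a canonical form of the request, and the server recomputes it from the stored secret. It assumes the AWS Signature Version 2 scheme (the post does not name the scheme); the credential store, the function names and all key values are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed credential store, shaped like the `keystone-manage ec2 list`
# output. All values are made-up placeholders, not the keys from the post.
EC2_CREDENTIALS = {
    "EXAMPLEACCESS": {
        "secret": "EXAMPLESECRET",
        "tenant_id": "example-tenant",
        "user_id": "example-user",
    }
}


def string_to_sign(method, resource, date, content_md5="", content_type=""):
    """Canonical string for AWS Signature Version 2 (no x-amz-* headers)."""
    return "\n".join([method, content_md5, content_type, date, resource])


def sign(secret, canonical):
    """Base64(HMAC-SHA1(secret, canonical string))."""
    mac = hmac.new(secret.encode("utf-8"), canonical.encode("utf-8"),
                   hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access, secret, canonical):
    """What the S3 client sends: 'AWS <access>:<signature>'."""
    return "AWS %s:%s" % (access, sign(secret, canonical))


def validate(header, canonical, store=EC2_CREDENTIALS):
    """Return (tenant_id, user_id) if the signature matches, else None."""
    if not header.startswith("AWS "):
        return None
    access, sep, signature = header[4:].rpartition(":")
    cred = store.get(access)
    if not sep or cred is None:
        return None
    expected = sign(cred["secret"], canonical)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode("utf-8"),
                               signature.encode("utf-8")):
        return None
    return cred["tenant_id"], cred["user_id"]
```

Because the method, date and resource are all covered by the signature, a captured header cannot be reused for a different verb or object.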