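OpenStack Train Swift object storage: S3 API practice notes
Author: 伍增田 (Tommy WU) zxpns18@126.com
https://docs.openstack.org/swift/train/s3_compat.html#amazon-s3-operations
The supported Amazon S3 operations are listed in the table below:
The s3api middleware; the example below uses tempauth for authentication.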
proxy-server.conf

```ini
[pipeline:main]
# s3api is placed directly before tempauth in the pipeline
pipeline = proxy-logging cache s3api tempauth bulk slo proxy-logging proxy-server

[app:proxy-server]
account_autocreate = true

[filter:tempauth]
use = egg:swift#tempauth
# empty reseller prefix: the account name is used without the AUTH_ prefix
reseller_prefix = ''
#s3 access key test
user_swift_swift = 74eHNNQa1oLBlvZfO2CC2hIU8cobSYxTgeRDtXtH .admin http://127.0.0.1:8080/v1/swift

[filter:s3api]
use = egg:swift#s3api
storage_domain = s3.meshare.com
```
By default, tempauth prepends the prefix AUTH_ to the account, for example AUTH_swift.
tempauth.py

```python
# Excerpt from the get_groups method of tempauth (S3 branch only).
def get_groups(self, env, token):
    # The callback used here is the signature verification method in S3API:
    # class S3Request.check_signature(self, secret)
    s3_auth_details = env.get('s3api.auth_details') or\
        env.get('swift3.auth_details')
    if s3_auth_details:
        if 'check_signature' not in s3_auth_details:
            self.logger.warning(
                'Swift3 did not provide a check_signature function; '
                'upgrade Swift3 if you want to use it with tempauth')
            return None
        # The S3 access key is the tempauth "account:user" name.
        account_user = s3_auth_details['access_key']
        if account_user not in self.users:
            return None
        user = self.users[account_user]
        account = account_user.split(':', 1)[0]
        # The account id is the last path segment of the user's storage URL.
        account_id = user['url'].rsplit('/', 1)[-1]
        # tempauth passes the stored key to the s3api callback for verification.
        if not s3_auth_details['check_signature'](user['key']):
            return None
        env['PATH_INFO'] = env['PATH_INFO'].replace(
            account_user, account_id, 1)
        groups = self._get_user_groups(account, account_user, account_id)
```
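The callback hand-off described above, as an added example that is not Swift's own code: a simplified standard-library model of S3 signature V2 checking in which the S3 layer passes only the access key and a `check_signature` closure, and the auth layer supplies the secret. All function names, the `USERS` table and the `EXAMPLE-SECRET` value are constructed for illustration, and the string to sign assumes a request with no `x-amz-*` headers.

```python
import base64
import hmac
from hashlib import sha1

# Constructed sample user table; the secret is a placeholder, not a real key.
USERS = {'swift:swift': {'key': 'EXAMPLE-SECRET',
                         'url': 'http://127.0.0.1:8080/v1/swift'}}


def string_to_sign_v2(method, path, date, content_md5='', content_type=''):
    """SigV2 string to sign for a request without x-amz-* headers."""
    return '\n'.join([method, content_md5, content_type, date, path]).encode('utf-8')


def sign_v2(secret, string_to_sign):
    """Client side: Base64(HMAC-SHA1(secret, string_to_sign))."""
    mac = hmac.new(secret.encode('utf-8'), string_to_sign, sha1)
    return base64.b64encode(mac.digest()).decode('ascii')


def parse_authorization(header):
    """Split 'AWS <access_key>:<signature>'. A tempauth access key is
    'account:user' and contains ':' itself, so split from the right."""
    scheme, _, creds = header.partition(' ')
    if scheme != 'AWS' or ':' not in creds:
        raise ValueError('not a SigV2 Authorization header')
    return tuple(creds.rsplit(':', 1))


def make_auth_details(header, string_to_sign):
    """S3 layer: expose the access key and a callback, never the secret,
    which this layer does not know."""
    access_key, signature = parse_authorization(header)

    def check_signature(secret):
        expected = sign_v2(secret, string_to_sign)
        return hmac.compare_digest(signature.encode('utf-8'), expected.encode('ascii'))

    return {'access_key': access_key, 'check_signature': check_signature}


def authenticate(auth_details, users=USERS):
    """Auth layer: look up the stored key and run the callback.
    Returns the account id (last segment of the storage URL) or None."""
    user = users.get(auth_details['access_key'])
    if user is None or not auth_details['check_signature'](user['key']):
        return None
    return user['url'].rsplit('/', 1)[-1]
```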
s3cmd, a compatibility testing tool

```
[root@px-10-192-0-13 ~]# cat .s3cfg
[default]
access_key = swift:swift
secret_key = 74eHNNQa1oLBlvZfO2CC2hIU8cobSYxTgeRDtXtH
bucket_location = us-east-1
cloudfront_host = s3.meshare.com:8080
host_base = s3.meshare.com:8080
host_bucket = s3.meshare.com:8080
signature_v2 = true
use_https = False
website_endpoint = http://s3.meshare.com:8080/
```
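Improvement plan
Storing the key in MySQL is more secure.

```python
# Check that the libraries needed for MySQL access are installed.
import sqlalchemy
print(sqlalchemy.__version__)
import pymysql
print(pymysql.__version__)
```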