keystone.contrib.ec2 package

Submodules

keystone.contrib.ec2.controllers module

Main entry point into the EC2 Credentials service.

This service allows the creation of access/secret credentials used for the ec2 interop layer of OpenStack.

A user can create any number of access/secret pairs, each of which is mapped to a specific project. This is required because OpenStack supports a user belonging to multiple projects, whereas the signatures created on ec2-style requests don’t allow specification of which project the user wishes to act upon.

To complete the cycle, we provide a method that OpenStack services can use to validate a signature and get a corresponding OpenStack token. This token allows method calls to other services within the context the access/secret was created. As an example, Nova requests Keystone to validate the signature of a request, receives a token, and then makes a request to Glance to list images needed to perform the requested task.

class keystone.contrib.ec2.controllers.Ec2Controller[source]

Bases: keystone.contrib.ec2.controllers.Ec2ControllerCommon, keystone.common.controller.V2Controller

authenticate(*args, **kwargs)[source]
create_credential(*args, **kwargs)[source]
delete_credential(*args, **kwargs)[source]
get_credential(*args, **kwargs)[source]
get_credentials(*args, **kwargs)[source]
class keystone.contrib.ec2.controllers.Ec2ControllerCommon[source]

Bases: keystone.common.provider_api.ProviderAPIMixin, object

authenticate(context, credentials=None, ec2Credentials=None)[source]

Validate a signed EC2 request and provide a token.

Other services (such as Nova) use this admin call to determine if a signed request they received is from a valid user.

If it is a valid signature, an OpenStack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.

The returned token is useful for making calls to other OpenStack services within the context of the request.

Parameters:
  • context – standard context
  • credentials – dict of ec2 signature
  • ec2Credentials – DEPRECATED dict of ec2 signature
Returns:

token: OpenStack token equivalent to access key along with the corresponding service catalog and roles
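
The validation flow described above, as an added Python example that is not Keystone's own code: the secret is looked up by access key, the signature is recomputed, and a match yields the single project that key is mapped to. The credential store, the keys of the `credentials` dict, the host name and all function names are assumptions made for illustration; the example covers EC2 Signature Version 2 with HmacSHA256 only and performs no timestamp or replay check.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed store: each access key maps to a secret and exactly one project.
CREDS = {
    "AKEXAMPLE1": {"secret": "s3cr3t-one", "user_id": "u1", "project_id": "proj-a"},
    "AKEXAMPLE2": {"secret": "s3cr3t-two", "user_id": "u1", "project_id": "proj-b"},
}


def sign_v2(secret, verb, host, path, params):
    """EC2 Signature Version 2: base64(HMAC-SHA256(secret, string-to-sign))."""
    query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    string_to_sign = "\n".join([verb, host.lower(), path, query])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def validate(credentials):
    """Return (user_id, project_id) for a valid signature, else None."""
    ref = CREDS.get(credentials.get("access"))
    if ref is None:
        return None  # unknown access key
    expected = sign_v2(ref["secret"], credentials["verb"], credentials["host"],
                       credentials["path"], credentials["params"])
    supplied = str(credentials.get("signature", ""))
    # Constant-time comparison: do not leak how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    # The signature names no project; the scope comes from the stored mapping.
    return ref["user_id"], ref["project_id"]


def make_request(access, secret, action):
    """Constructed client side: build and sign a request as an EC2 client would."""
    params = {"Action": action, "AWSAccessKeyId": access,
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2"}
    host, path = "ec2.example.test", "/"
    return {"access": access, "verb": "GET", "host": host, "path": path,
            "params": params,
            "signature": sign_v2(secret, "GET", host, path, params)}
```

The same user holds both keys, and the project returned depends only on which access key signed the request.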

check_signature(creds_ref, credentials)[source]
create_credential(request, user_id, tenant_id)[source]

Create a secret/access pair for use with ec2 style auth.

Generates a new set of credentials that map the user/tenant pair.

Parameters:
  • request – current request
  • user_id – id of user
  • tenant_id – id of tenant
Returns:

credential: dict of ec2 credential

delete_credential(user_id, credential_id)[source]

Delete a user’s access/secret pair.

Used to revoke a user’s access/secret pair.

Parameters:
  • user_id – id of user
  • credential_id – access key for credentials
Returns:

bool: success

get_credential(user_id, credential_id)[source]

Retrieve a user’s access/secret pair by the access key.

Grab the full access/secret pair for a given access key.

Parameters:
  • user_id – id of user
  • credential_id – access key for credentials
Returns:

credential: dict of ec2 credential

get_credentials(user_id)[source]

List all credentials for a user.

Parameters:
  • user_id – id of user
Returns:

credentials: list of ec2 credential dicts

render_token_data_response(token_id, token_data)[source]

Render token data HTTP response.

Stash token ID into the X-Subject-Token header.

class keystone.contrib.ec2.controllers.Ec2ControllerV3[source]

Bases: keystone.contrib.ec2.controllers.Ec2ControllerCommon, keystone.common.controller.V3Controller

authenticate(context, credentials=None, ec2Credentials=None)[source]
collection_name = 'credentials'
ec2_create_credential(request, *args, **kwargs)[source]
ec2_delete_credential(request, *args, **kwargs)[source]
ec2_get_credential(request, *args, **kwargs)[source]
ec2_list_credentials(request, *args, **kwargs)[source]
member_name = 'credential'
class keystone.contrib.ec2.controllers.V2TokenDataHelper[source]

Bases: keystone.common.provider_api.ProviderAPIMixin, object

Create V2 token data.

classmethod format_catalog(catalog_ref)[source]

Munge catalogs from internal to output format.

Internal catalogs look like:

{$REGION: {
    $SERVICE: {
        $key1: $value1,
        ...
        }
    }
}

The legacy api wants them to look like:

[{'name': $SERVICE[name],
  'type': $SERVICE,
  'endpoints': [{
      'tenantId': $tenant_id,
      ...
      'region': $REGION,
      }],
  'endpoints_links': [],
 }]
v3_to_v2_token(v3_token_data, token_id)[source]

Convert v3 token data into v2.0 token data.

This method expects a dictionary generated from V3TokenDataHelper.get_token_data() and converts it to look like a v2.0 token dictionary.

Parameters:
  • v3_token_data – dictionary formatted for v3 tokens
  • token_id – ID of the token being converted
Returns:

dictionary formatted for v2 tokens

Raises:

keystone.exception.Unauthorized – If a specific token type is not supported in v2.

keystone.contrib.ec2.core module

keystone.contrib.ec2.routers module

class keystone.contrib.ec2.routers.Ec2Extension(application, mapper=None)[source]

Bases: keystone.common.wsgi.ExtensionRouter

add_routes(mapper)[source]
class keystone.contrib.ec2.routers.Ec2ExtensionV3(application, mapper=None)[source]

Bases: keystone.common.wsgi.V3ExtensionRouter

add_routes(mapper)[source]

Module contents

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.