Main entry point into the EC2 Credentials service.
This service allows the creation of access/secret credentials used for the ec2 interop layer of OpenStack.
A user can create as many access/secret pairs as needed, each of which is mapped to a specific project. This is required because OpenStack supports a user belonging to multiple projects, whereas the signatures on ec2-style requests don't allow the user to specify which project they wish to act upon.
To complete the cycle, we provide a method that OpenStack services can use to validate a signature and get a corresponding OpenStack token. This token allows method calls to other services within the context in which the access/secret pair was created. As an example, Nova asks Keystone to validate the signature of a request, receives a token, and then makes a request to Glance to list the images needed to perform the requested task.
class keystone.contrib.ec2.controllers.Ec2Controller
    Bases: keystone.contrib.ec2.controllers.Ec2ControllerCommon, keystone.common.controller.V2Controller
class keystone.contrib.ec2.controllers.Ec2ControllerCommon
    Bases: keystone.common.provider_api.ProviderAPIMixin, object
    authenticate(context, credentials=None, ec2Credentials=None)
        Validate a signed EC2 request and provide a token.
        Other services (such as Nova) use this admin call to determine whether a signed request they received came from a valid user.
        If the signature is valid, an OpenStack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.
        The returned token is useful for making calls to other OpenStack services within the context of the request.
        Parameters: context, credentials, ec2Credentials (the signed request details; one of credentials or ec2Credentials is supplied)
        Returns: token: OpenStack token equivalent to the access key, along with the corresponding service catalog and roles
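The check that authenticate() performs, shown end to end as an added example (this is illustration code written for this page, not Keystone's implementation; Keystone delegates the actual signature computation to a helper that is not shown here). The credential store, key names, the signature-v2-style canonical string and the HMAC-SHA256 choice are assumptions for the example. The point the module docstring makes is visible in the data: one user holds two access keys, each bound to a different project, and the key that signed the request, not anything in the request body, decides which project the resulting token is scoped to.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed credential store standing in for Keystone's credential backend:
# each access key maps to its secret and to the user/project pair it was
# created for. All values are made up for this example.
CREDENTIALS = {
    "AKIAEXAMPLE0001": {
        "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "user_id": "u-1234",
        "project_id": "p-alpha",
    },
    "AKIAEXAMPLE0002": {
        "secret": "zR5KQf0cYxM4pQ9mUoEXAMPLESECRET2",
        "user_id": "u-1234",        # same user, second project
        "project_id": "p-beta",
    },
}


def _encode(value):
    return urllib.parse.quote(value, safe="-_.~")


def string_to_sign(verb, host, path, params):
    """Canonical string in the EC2 signature-version-2 style (an assumption
    for this example): verb, host, path, then the sorted and percent-encoded
    query parameters with the Signature parameter itself left out."""
    items = sorted((k, v) for k, v in params.items() if k != "Signature")
    query = "&".join(f"{_encode(k)}={_encode(v)}" for k, v in items)
    return "\n".join([verb.upper(), host.lower(), path, query])


def sign(secret, verb, host, path, params):
    """Client side: HMAC-SHA256 over the canonical string, base64-encoded."""
    msg = string_to_sign(verb, host, path, params).encode()
    return base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest()).decode()


def authenticate(verb, host, path, params):
    """Server side, the role the page gives to Keystone's authenticate():
    look up the secret for the presented access key, recompute the signature,
    compare it in constant time, and return the user/project the key maps to
    (the scope a token would then be issued for). Returns None on any failure,
    so an unknown key and a bad signature are indistinguishable to the caller."""
    cred = CREDENTIALS.get(params.get("AWSAccessKeyId", ""))
    if cred is None:
        return None                     # unknown access key
    expected = sign(cred["secret"], verb, host, path, params)
    if not hmac.compare_digest(expected, params.get("Signature", "")):
        return None                     # wrong secret or tampered request
    return {"user_id": cred["user_id"], "project_id": cred["project_id"]}


def signed_request(access_key, action):
    """Build a constructed sample request signed with the key's secret."""
    params = {
        "AWSAccessKeyId": access_key,
        "Action": action,
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": "2024-01-01T00:00:00Z",
    }
    secret = CREDENTIALS[access_key]["secret"]
    params["Signature"] = sign(secret, "GET", "ec2.example.org", "/", params)
    return params
```

Any change to the verb, host, path or a query parameter after signing invalidates the signature, and presenting a signature made with one key under another user's access key fails as well, since the secret looked up no longer matches.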
    create_credential(request, user_id, tenant_id)
        Create a secret/access pair for use with ec2-style auth.
        Generates a new set of credentials that map to the user/tenant pair.
        Parameters: request, user_id, tenant_id
        Returns: credential: dict of ec2 credential
    delete_credential(user_id, credential_id)
        Delete a user's access/secret pair.
        Used to revoke a user's access/secret pair.
        Parameters: user_id, credential_id
        Returns: bool: success
    get_credential(user_id, credential_id)
        Retrieve a user's access/secret pair by the access key.
        Grab the full access/secret pair for a given access key.
        Parameters: user_id, credential_id
        Returns: credential: dict of ec2 credential
class keystone.contrib.ec2.controllers.Ec2ControllerV3
    Bases: keystone.contrib.ec2.controllers.Ec2ControllerCommon, keystone.common.controller.V3Controller

    collection_name = 'credentials'

    member_name = 'credential'

class keystone.contrib.ec2.controllers.V2TokenDataHelper
    Bases: keystone.common.provider_api.ProviderAPIMixin, object

    Create V2 token data.
    format_catalog(catalog_ref)
        Munge catalogs from internal to output format.
        Internal catalogs look like:

            {$REGION: {
                $SERVICE: {
                    $key1: $value1,
                    ...
                }
            }}

        The legacy API wants them to look like:

            [{'name': $SERVICE[name],
              'type': $SERVICE,
              'endpoints': [{
                  'tenantId': $tenant_id,
                  ...
                  'region': $REGION,
              }],
              'endpoints_links': [],
            }]
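The conversion the two shapes above describe, as an added example written for this page rather than Keystone's own code. The internal form is keyed region first, then service type, so the same service type can appear under several regions; the legacy form is keyed by service, so those per-region entries have to be collected into one service entry's 'endpoints' list, with 'name' lifted to the service level and 'region' pushed down into each endpoint. The sample catalog (service names, URLs, regions) is constructed for the example.

```python
import copy


def format_catalog(catalog_ref):
    """Convert the internal {region: {service_type: {attr: value}}} catalog
    into the legacy v2 list of services. Per-region entries of one service
    type are grouped into that service's 'endpoints' list. The input is copied,
    not mutated, so a cached catalog is left intact."""
    services = {}
    for region, region_ref in catalog_ref.items():
        for service_type, service_ref in region_ref.items():
            endpoint = copy.deepcopy(service_ref)
            # 'name' describes the service, not the endpoint; 'region' is the
            # other way round, so move each to where the legacy format wants it.
            name = endpoint.pop("name", service_type)
            endpoint["region"] = region
            entry = services.setdefault(service_type, {
                "name": name,
                "type": service_type,
                "endpoints": [],
                "endpoints_links": [],
            })
            entry["endpoints"].append(endpoint)
    return list(services.values())


# Constructed sample of the internal form: two regions, the image service
# present in both and compute in only one.
SAMPLE_CATALOG = {
    "RegionOne": {
        "compute": {
            "name": "nova",
            "publicURL": "https://compute.r1.example.org/v2/p-alpha",
            "internalURL": "https://compute.r1.internal/v2/p-alpha",
            "adminURL": "https://compute.r1.internal/v2/p-alpha",
        },
        "image": {
            "name": "glance",
            "publicURL": "https://image.r1.example.org/v2",
        },
    },
    "RegionTwo": {
        "image": {
            "name": "glance",
            "publicURL": "https://image.r2.example.org/v2",
        },
    },
}
```

Running format_catalog(SAMPLE_CATALOG) yields two service entries, with the image entry carrying one endpoint per region; an empty internal catalog yields an empty list.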
    v3_to_v2_token(v3_token_data, token_id)
        Convert v3 token data into v2.0 token data.
        This method expects a dictionary generated from V3TokenDataHelper.get_token_data() and converts it to look like a v2.0 token dictionary.
        Parameters: v3_token_data, token_id
        Returns: dictionary formatted for v2 tokens
        Raises: keystone.exception.Unauthorized, if a specific token type is not supported in v2.
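An added example of the conversion and of the Unauthorized case, written for this page and not taken from Keystone. The v2.0 API can express unscoped and project-scoped tokens but has no representation of domain scope, so a domain-scoped v3 token is the token type the example refuses. The v3 and v2 token shapes are reduced to the fields needed to show the mapping (project to tenant, expires_at to expires, role names versus role ids in metadata); the catalog is passed through unchanged, and the sample tokens, the Unauthorized stand-in class and all identifiers are constructed for the example.

```python
class Unauthorized(Exception):
    """Stand-in for keystone.exception.Unauthorized in this example."""


def v3_to_v2_token(v3_token_data, token_id):
    """Convert a v3 token dictionary into the v2.0 'access' shape.
    Unscoped and project-scoped tokens convert; a domain-scoped token has no
    v2 equivalent and is refused rather than silently down-converted into an
    unscoped token, which would lose the scope the caller authenticated for."""
    token = v3_token_data["token"]
    if "domain" in token:
        raise Unauthorized("domain-scoped tokens are not supported by the v2.0 API")

    v2_token = {
        "id": token_id,
        "expires": token["expires_at"],
        "issued_at": token["issued_at"],
    }
    if "project" in token:
        v2_token["tenant"] = {"id": token["project"]["id"], "name": token["project"]["name"]}

    roles = token.get("roles", [])
    user = {
        "id": token["user"]["id"],
        "name": token["user"]["name"],
        "username": token["user"]["name"],
        "roles": [{"name": r["name"]} for r in roles],
        "roles_links": [],
    }
    return {
        "access": {
            "token": v2_token,
            "user": user,
            "serviceCatalog": token.get("catalog", []),   # passed through as-is here
            "metadata": {"is_admin": 0, "roles": [r["id"] for r in roles]},
        }
    }


# Constructed v3 token data: project-scoped, as an ec2 credential would yield.
SAMPLE_V3_PROJECT_TOKEN = {
    "token": {
        "methods": ["ec2credential"],
        "issued_at": "2024-01-01T00:00:00.000000Z",
        "expires_at": "2024-01-01T01:00:00.000000Z",
        "user": {"id": "u-1234", "name": "alice",
                 "domain": {"id": "default", "name": "Default"}},
        "project": {"id": "p-alpha", "name": "alpha",
                    "domain": {"id": "default", "name": "Default"}},
        "roles": [{"id": "r-1", "name": "member"}],
        "catalog": [],
    }
}

# Constructed v3 token data: domain-scoped, which v2.0 cannot express.
SAMPLE_V3_DOMAIN_TOKEN = {
    "token": {
        "methods": ["password"],
        "issued_at": "2024-01-01T00:00:00.000000Z",
        "expires_at": "2024-01-01T01:00:00.000000Z",
        "user": {"id": "u-1234", "name": "alice",
                 "domain": {"id": "default", "name": "Default"}},
        "domain": {"id": "default", "name": "Default"},
        "roles": [{"id": "r-2", "name": "admin"}],
    }
}
```

Note that the scope check looks at the top-level 'domain' key only; the 'domain' nested under 'user' or 'project' just says where that entity lives and does not make the token domain-scoped.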
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.