From 5f89d14ebb6e6fed3b2ef507f8084fe7f05fc951 Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Thu, 6 Nov 2025 10:30:21 +1100
Subject: [PATCH] s3token: Enable secret caching by default

Now that we need to pass the service creds to keystone, we might as well default secret caching by default now that they need to be provided. This patch also adds the required s3token configuration to CI so we can use the swift service creds to fetch s3api secrets. As well as also configuring keystone users for cross-compatibility tests.

Change-Id: Ief0a29c4300edf2e0d52c041960d756ecc8a2677
Signed-off-by: Tim Burke
---
 etc/proxy-server.conf-sample | 6 ++
 .../additional-keystone-users/tasks/main.yaml | 35 ++++++++++
 .../tasks/main.yaml | 64 +++++++++++++++++++
 swift/common/middleware/s3api/s3token.py | 3 +-
 4 files changed, 107 insertions(+), 1 deletion(-)
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 60571a5da0..e52c99c62a 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -793,6 +793,12 @@ http_timeout = 10.0
 # You can override the default log routing for this filter here:
 # log_name = s3token
 
+# Secrets may be cached to reduce latency for the client and load on Keystone.
+# This configures the duration that secrets may be cached; set to zero to
+# disable caching and prevent Swift from retrieving secrets from Keystone.
+# secret_cache_duration = 60
+# Note that caching is required to enable signed aws-chunked transfers.
+
 # Recent Keystone deployments require credentials similar to the authtoken
 # middleware; these credentials require access to the s3tokens endpoint.
 # Additionally, if secret caching is enabled, the credentials should have
diff --git a/roles/additional-keystone-users/tasks/main.yaml b/roles/additional-keystone-users/tasks/main.yaml
index 958127b7e4..e2b9879853 100644
--- a/roles/additional-keystone-users/tasks/main.yaml
+++ b/roles/additional-keystone-users/tasks/main.yaml
@@ -28,6 +28,20 @@
 option: s3_secret_key
 value: s3-secret1
 become: true
+- name: Add primary S3 user to test.conf for cross-compat tests
+ ini_file:
+ path: /etc/swift/test.conf
+ section: s3api_test
+ option: access_key1
+ value: s3-user1
+ become: true
+- name: Add primary S3 user secret to test.conf for cross-compat tests
+ ini_file:
+ path: /etc/swift/test.conf
+ section: s3api_test
+ option: secret_key1
+ value: s3-secret1
+ become: true
 
 - name: Clear secondary S3 user from test.conf
 ini_file:
@@ -36,6 +50,13 @@
 option: s3_access_key2
 value: ""
 become: true
+- name: Clear secondary S3 user from test.conf for cross-compat tests
+ ini_file:
+ path: /etc/swift/test.conf
+ section: s3api_test
+ option: access_key2
+ value: ""
+ become: true
 
 - name: Create restricted S3 user
 shell:>
@@ -59,6 +80,20 @@
 option: s3_secret_key3
 value: s3-secret3
 become: true
+- name: Add restricted S3 user to test.conf for cross-compat tests
+ ini_file:
+ path: /etc/swift/test.conf
+ section: s3api_test
+ option: access_key3
+ value: s3-user3
+ become: true
+- name: Add restricted S3 user secret to test.conf for cross-compat tests
+ ini_file:
+ path: /etc/swift/test.conf
+ section: s3api_test
+ option: secret_key3
+ value: s3-secret3
+ become: true
 
 - name: Create service role
 shell:>
diff --git a/roles/dsvm-additional-middlewares/tasks/main.yaml b/roles/dsvm-additional-middlewares/tasks/main.yaml
index 3e811054b4..ed30b12435 100644
--- a/roles/dsvm-additional-middlewares/tasks/main.yaml
+++ b/roles/dsvm-additional-middlewares/tasks/main.yaml
@@ -61,6 +61,70 @@
 value: true
 become: true
 
+- name: "Configure s3token: auth_url"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: auth_url
+ value: http://localhost/identity
+ become: true
+
+- name: "Configure s3token: project_domain_name"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: project_domain_name
+ value: Default
+ become: true
+
+- name: "Configure s3token: project_name"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: project_name
+ value: service
+ become: true
+
+- name: "Configure s3token: user_domain_name"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: user_domain_name
+ value: Default
+ become: true
+
+- name: "Configure s3token: username"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: username
+ value: swift
+ become: true
+
+- name: "Configure s3token: password"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: password
+ value: secretservice
+ become: true
+
+- name: "Configure s3token: auth_type"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: auth_type
+ value: password
+ become: true
+
+- name: "Configure s3token: interface"
+ ini_file:
+ path: /etc/swift/proxy-server.conf
+ section: filter:s3token
+ option: interface
+ value: public
+ become: true
+
 - name: Copy ring for Policy-1
 copy:
 remote_src: true
diff --git a/swift/common/middleware/s3api/s3token.py b/swift/common/middleware/s3api/s3token.py
index b1a3ca476c..41f87cb375 100644
--- a/swift/common/middleware/s3api/s3token.py
+++ b/swift/common/middleware/s3api/s3token.py
@@ -177,7 +177,8 @@ class S3Token(object):
 else:
 self._verify = None
 
- self._secret_cache_duration = int(conf.get('secret_cache_duration', 0))
+ self._secret_cache_duration = int(
+ conf.get('secret_cache_duration', 60))
 if self._secret_cache_duration < 0:
 raise ValueError('secret_cache_duration must be non-negative')
 
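Review bot: Changing the fallback in `conf.get('secret_cache_duration', 60)` flips every deployment that never set the option from no caching to a 60-second cache of s3api secrets on upgrade, and nothing in the hunk records that this is deliberate or that 0 restores the previous behaviour. A comment above the assignment would keep that visible to the next reader, e.g. `# Caching is on by default (60s); 0 disables it and skips secret retrieval from Keystone entirely.` Since cached secrets now sit in the proxy's backing cache by default, an upgrade note pointing operators at the new default and at securing that cache store would be worth adding alongside the conf-sample text. The enclosing method (presumably `__init__`) starts and ends outside the hunk.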
