s3token: Pass service auth token to Keystone
Recent versions of Keystone require auth tokens when accessing the /v3/s3tokens endpoint to prevent exposure of a lot of information that a user who just has a presigned URL should not be able to see.

UpgradeImpact
=============
The s3token middleware now requires Keystone auth credentials to be configured. If secret_cache_duration is enabled, these credentials should already be configured. Without these credentials, Keystone users will no longer be able to make S3 API requests.

Closes-Bug: #2119646
Change-Id: Ie80bc33d0d9de17ca6eaad3b43628724538001f6
Signed-off-by: Tim Burke <tim.burke@gmail.com>
Author: Tim Burke
Committed by: Matthew Oliver
Parent: d87ebd7d05
Commit: e7bb2a3855
3 changed files with 67 additions and 36 deletions
@@ -785,17 +785,6 @@ auth_uri = http://keystonehost:5000/v3
# Connect/read timeout (in seconds) to use when communicating with Keystone
http_timeout = 10.0
# Number of seconds to cache the S3 secret. By setting this to a positive
# number, the S3 authorization validation checks can happen locally.
# secret_cache_duration = 0
# If S3 secret caching is enabled, Keystone auth credentials to be used to
# validate S3 authorization must be provided here. The appropriate options
# are the same as used in the authtoken middleware above. The values are
# likely the same as used in the authtoken middleware.
# Note that the Keystone auth credentials used by s3token will need to be
# able to view all project credentials too.
# SSL-related options
# insecure = False
# certfile =
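Review bot: Dropping this block also drops the one sentence that tells operators which option names to use ("The appropriate options are the same as used in the authtoken middleware above"); the relocated text further down only says "similar to the authtoken middleware". Suggest carrying that sentence into the new location so that an operator who has never configured secret caching knows the keys (auth_url, auth_type, project_domain_id, username, password) match the authtoken section verbatim.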
@@ -804,12 +793,10 @@ http_timeout = 10.0
# You can override the default log routing for this filter here:
# log_name = s3token
# Secrets may be cached to reduce latency for the client and load on Keystone.
# Set this to some number of seconds greater than zero toenable caching.
# secret_cache_duration = 0
# Secret caching requires Keystone credentials similar to the authtoken middleware;
# these credentials require access to view all project credentials.
# Recent Keystone deployments require credentials similar to the authtoken
# middleware; these credentials require access to the s3tokens endpoint.
# Additionally, if secretcaching is enabled, the credentials should have
# access to view all project credentials.
# auth_url = http://keystonehost:5000
# auth_type = password
# project_domain_id = default
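Review bot: The added comment line "# Additionally, if secretcaching is enabled, the credentials should have" is missing a space ("secret caching"). More importantly, "Recent Keystone deployments require credentials similar to the authtoken middleware" reads as advisory, while the commit message says Keystone users will no longer be able to make S3 API requests at all without them; state that consequence in the comment so the options are not mistaken for optional, e.g. "# Recent Keystone deployments require these credentials for every S3 request" / "# (not only when secret caching is enabled); without them Keystone users cannot" / "# use the S3 API."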
@@ -818,6 +805,11 @@ http_timeout = 10.0
# username = swift
# password = password
# Secrets may be cached to reduce latency for the client and load on Keystone.
# Set this to some number of seconds greater than zero to enable caching and
# allow some S3 authorization validation checks to happen entirely in the proxy.
# secret_cache_duration = 0
[filter:healthcheck]
use = egg:swift#healthcheck
# An optional filesystem path, which if present, will cause the healthcheck
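Review bot: The relocated secret_cache_duration block keeps the default at 0, so caching stays opt-in, but the new wording "allow some S3 authorization validation checks to happen entirely in the proxy" omits the operational consequence: while a secret is cached, a credential that is deleted or rotated in Keystone keeps validating in the proxy until the cache entry expires. Suggest one extra comment line, e.g. "# Longer durations delay the effect of credential changes made in Keystone.", so operators size the duration with that in mind.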