keystone.contrib.ec2.controllers module

keystone.contrib.ec2.controllers module

Main entry point into the EC2 Credentials service.

This service allows the creation of access/secret credentials used for the ec2 interop layer of OpenStack.

A user can create as many access/secret pairs, each of which is mapped to a specific project. This is required because OpenStack supports a user belonging to multiple projects, whereas the signatures created on ec2-style requests don’t allow specification of which project the user wishes to act upon.

To complete the cycle, we provide a method that OpenStack services can use to validate a signature and get a corresponding OpenStack token. This token allows method calls to other services within the context the access/secret was created. As an example, Nova requests Keystone to validate the signature of a request, receives a token, and then makes a request to Glance to list images needed to perform the requested task.

class keystone.contrib.ec2.controllers.Ec2ControllerCommon[source]

Bases: keystone.common.provider_api.ProviderAPIMixin, object

authenticate(context, credentials=None, ec2Credentials=None)[source]

Validate a signed EC2 request and provide a token.

Other services (such as Nova) use this admin call to determine if a request they signed received is from a valid user.

If it is a valid signature, an OpenStack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.

The returned token is useful for making calls to other OpenStack services within the context of the request.

Parameters:
  • context – standard context
  • credentials – dict of ec2 signature
  • ec2Credentials – DEPRECATED dict of ec2 signature
Returns:

token: OpenStack token equivalent to access key along with the corresponding service catalog and roles

check_signature(creds_ref, credentials)[source]
create_credential(request, user_id, tenant_id)[source]

Create a secret/access pair for use with ec2 style auth.

Generates a new set of credentials that map the user/tenant pair.

Parameters:
  • request – current request
  • user_id – id of user
  • tenant_id – id of tenant
Returns:

credential: dict of ec2 credential

delete_credential(user_id, credential_id)[source]

Delete a user’s access/secret pair.

Used to revoke a user’s access/secret pair

Parameters:
  • user_id – id of user
  • credential_id – access key for credentials
Returns:

bool: success

get_credential(user_id, credential_id)[source]

Retrieve a user’s access/secret pair by the access key.

Grab the full access/secret pair for a given access key.

Parameters:
  • user_id – id of user
  • credential_id – access key for credentials
Returns:

credential: dict of ec2 credential

get_credentials(user_id)[source]

List all credentials for a user.

Parameters:user_id – id of user
Returns:credentials: list of ec2 credential dicts
render_token_data_response(token_id, token_data)[source]

Render token data HTTP response.

Stash token ID into the X-Subject-Token header.

class keystone.contrib.ec2.controllers.Ec2ControllerV3[source]

Bases: keystone.contrib.ec2.controllers.Ec2ControllerCommon, keystone.common.controller.V3Controller

authenticate(context, credentials=None, ec2Credentials=None)[source]

Validate a signed EC2 request and provide a token.

Other services (such as Nova) use this admin call to determine if a request they signed received is from a valid user.

If it is a valid signature, an OpenStack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.

The returned token is useful for making calls to other OpenStack services within the context of the request.

Parameters:
  • context – standard context
  • credentials – dict of ec2 signature
  • ec2Credentials – DEPRECATED dict of ec2 signature
Returns:

token: OpenStack token equivalent to access key along with the corresponding service catalog and roles

collection_name = 'credentials'
ec2_create_credential(request, *args, **kwargs)[source]
ec2_delete_credential(request, *args, **kwargs)[source]
ec2_get_credential(request, *args, **kwargs)[source]
ec2_list_credentials(request, *args, **kwargs)[source]
member_name = 'credential'
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.