Main entry point into the EC2 Credentials service.
This service allows the creation of access/secret credentials used for the ec2 interop layer of OpenStack.
A user can create as many access/secret pairs, each of which is mapped to a specific project. This is required because OpenStack supports a user belonging to multiple projects, whereas the signatures created on ec2-style requests don’t allow specification of which project the user wishes to act upon.
To complete the cycle, we provide a method that OpenStack services can use to validate a signature and get a corresponding OpenStack token. This token allows method calls to other services within the context the access/secret was created. As an example, Nova requests Keystone to validate the signature of a request, receives a token, and then makes a request to Glance to list images needed to perform the requested task.
keystone.contrib.ec2.controllers.
Ec2ControllerCommon
[source]¶Bases: keystone.common.provider_api.ProviderAPIMixin
, object
authenticate
(context, credentials=None, ec2Credentials=None)[source]¶Validate a signed EC2 request and provide a token.
Other services (such as Nova) use this admin call to determine if a request they signed received is from a valid user.
If it is a valid signature, an OpenStack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.
The returned token is useful for making calls to other OpenStack services within the context of the request.
Parameters: |
|
---|---|
Returns: | token: OpenStack token equivalent to access key along with the corresponding service catalog and roles |
create_credential
(request, user_id, tenant_id)[source]¶Create a secret/access pair for use with ec2 style auth.
Generates a new set of credentials that map the user/tenant pair.
Parameters: |
|
---|---|
Returns: | credential: dict of ec2 credential |
delete_credential
(user_id, credential_id)[source]¶Delete a user’s access/secret pair.
Used to revoke a user’s access/secret pair
Parameters: |
|
---|---|
Returns: | bool: success |
get_credential
(user_id, credential_id)[source]¶Retrieve a user’s access/secret pair by the access key.
Grab the full access/secret pair for a given access key.
Parameters: |
|
---|---|
Returns: | credential: dict of ec2 credential |
keystone.contrib.ec2.controllers.
Ec2ControllerV3
[source]¶Bases: keystone.contrib.ec2.controllers.Ec2ControllerCommon
, keystone.common.controller.V3Controller
authenticate
(context, credentials=None, ec2Credentials=None)[source]¶Validate a signed EC2 request and provide a token.
Other services (such as Nova) use this admin call to determine if a request they signed received is from a valid user.
If it is a valid signature, an OpenStack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.
The returned token is useful for making calls to other OpenStack services within the context of the request.
Parameters: |
|
---|---|
Returns: | token: OpenStack token equivalent to access key along with the corresponding service catalog and roles |
collection_name
= 'credentials'¶member_name
= 'credential'¶Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.