v3/ec2tokens validation results in v2 token

Bug #1269947 reported by Steven Hardy
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Morgan Fainberg

Bug Description

The ec2tokens extension is available in the default paste pipeline for both v2 and v3 API, but it's the same controller and it returns v2 tokens via both paths.

We probably need to refactor to remove the v3 compatibility mangling in the existing ec2tokens implementation and provide a proper v3 ported version which returns v3 format tokens when validating signed requests.

Dolph Mathews (dolph) wrote :

Eek, I'm thinking we should remove the v2 middleware from the v3 pipeline as a first step to addressing this?

Changed in keystone:
importance: Undecided → High
milestone: none → icehouse-3
status: New → Triaged
Steven Hardy (shardy) wrote :

> Eek, I'm thinking we should remove the v2 middleware from the v3 pipeline as a first step to addressing this?

Please don't until we have a v3 capable replacement, or heat will break! :)

I see https://review.openstack.org/#/c/70631/ proposes a v3 compatible replacement, so let's use that instead :)

Steven Hardy (shardy) wrote :

Actually, sorry that's wrong (-ENOCOFFEE), we've moved to v3/credentials for creating the access/secret keys used for signing, but the ec2token middleware which uses the authenticate from ec2tokens is still using v2.0 atm.

I lightly tested the patch referenced above, and it seems to work, so when that's in we can migrate our ec2token middleware to v3 and Heat will be a v2.0-free zone! :)

Changed in keystone:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/70631
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9d5f33af07119b81a2038b3c95aab7c592cad1f5
Submitter: Jenkins
Branch: master

commit 9d5f33af07119b81a2038b3c95aab7c592cad1f5
Author: Morgan Fainberg <email address hidden>
Date: Sun Feb 2 14:02:20 2014 -0800

    Implement V3 Specific Version of EC2 Contrib

    Implement an EC2 Controller that returns a V3 token when invoked
    via the V3 pipeline. Moved all code except the `authenticate` method
    into a common base class mixin. `authenticate()` has become an
    abstract method. Shared code from `authenticate()` was moved into
    `_authenticate()`.

    V3 specific router definition added that makes use of the new V3
    specific controller.

    For upgrade purposes:
    * The paste.ini for keystone will need to be modified to include
      the new V3 ec2credentials in the pipeline as is documented in
      the updated sample paste.ini.
    * Policy.json updated to provide rules for the new V3 EC2credential
      CRUD as shown in the updated sample policy.json and
      policy.v3cloudsample.json

    For authentication that occurs via the V3 ec2credential system,
    the response auth_method (encoded in the token) will be
    "ec2credential". This should have no impact on using
    or consuming the token itself but can be used to identify if
    the token was issued via the Ec2ControllerV3.authenticate
    method.

    The V2 version of ec2credential controller has been marked
    as deprecated to keep in line with the rest of the V2 API
    being deprecated (slated for removal in K).

    DocImpact
    UpgradeImpact

    Change-Id: Iaf1e05a1beef481385c6eb19d7f54cdc84b5b5df
    Closes-Bug: #1269947
    bp: deprecated-as-of-icehouse

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: icehouse-3 → 2014.1
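
The mismatch reported in this bug can be checked from the response body alone. The following is an added example, not part of the bug report or of keystone's code: it assumes the v2 envelope has a top-level `access` key, the v3 envelope a top-level `token` key, and that the "ec2credential" auth method named in the commit message shows up in the v3 token's `methods` list. The `/v2.0/ec2tokens` path and the sample bodies are constructed for illustration.

```python
import json

# Constructed sample bodies, trimmed to the fields the check reads.
V2_BODY = json.dumps({"access": {
    "token": {"id": "constructed-v2-id", "expires": "2014-02-03T22:02:20Z"},
    "user": {"id": "constructed-user"},
    "serviceCatalog": [],
}})
V3_BODY = json.dumps({"token": {
    "methods": ["ec2credential"],  # assumed location of the auth method
    "expires_at": "2014-02-03T22:02:20.000000Z",
    "user": {"id": "constructed-user"},
}})


def classify_token_response(body):
    """Return (api_version, auth_methods) for a token response body."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("token response must be a JSON object")
    access = doc.get("access")
    if isinstance(access, dict) and "token" in access:
        return "v2", []  # v2 tokens carry no list of auth methods
    token = doc.get("token")
    if isinstance(token, dict) and "methods" in token:
        return "v3", list(token["methods"])
    raise ValueError("not a recognised Keystone token response")


def check_ec2tokens_response(request_path, body):
    """Compare the token format returned with the API version requested."""
    expected = "v3" if request_path.startswith("/v3/") else "v2"
    actual, methods = classify_token_response(body)
    return {
        "expected": expected,
        "actual": actual,
        "format_mismatch": expected != actual,
        "issued_via_ec2": "ec2credential" in methods,
    }


if __name__ == "__main__":
    # The reported behaviour: a v2 token comes back on the v3 path.
    print(check_ec2tokens_response("/v3/ec2tokens", V2_BODY))
    # The behaviour after the fix described in the commit message.
    print(check_ec2tokens_response("/v3/ec2tokens", V3_BODY))
```
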