ec2tokens should be on admin endpoint (?)

Bug #904523 reported by justinsb
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Undecided
Assigned to: Ziad Sawalha

Bug Description

ec2tokens is on the "user" endpoint (port 5000).

Shouldn't it be on the "system" endpoint (port 35357)?

Ziad Sawalha (ziad-sawalha) wrote :

Admin API (35357) should include all Service API (5000) calls.

ec2Tokens is an 'out of contract' call and should be supported as POST /tokens {"auth": {"OS-EC2-ec2Credentials": "...data..."}}

It should therefore be available both on 35357 and 5000.

Changed in keystone:
status: New → Confirmed
Ziad Sawalha (ziad-sawalha) wrote :

... unless the client is going to be passing in EC2 credentials to the service only and not interacting with Keystone?

Which of these is correct/appropriate:
1 - client uses EC2 credentials to talk to Keystone, gets a token, and sends the token to the service
2 - client sends EC2 credentials with each call to the service and does not talk to Keystone.

justinsb (justin-fathomdb) wrote :

This could be my misunderstanding then... I thought there was an end-user-facing port (5000) and a service/operations port (35357). 35357 would be firewalled & on the "private" network, 5000 would be publicly exposed.

The services would use the private port, so nobody on the public internet can try password-guessing the "service" credentials.

Am I off base here?

justinsb (justin-fathomdb) wrote :

In answer to the direct question though about the two alternatives, I believe the goal of the EC2 API is to be compatible with EC2 clients, so they wouldn't talk to Keystone. If the client is aware of Keystone they should be using the OpenStack API.

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/3220
Committed: http://github.com/openstack/keystone/commit/63628575417514f980af52f1e99d54a66d97276a
Submitter: Jenkins
Branch: master

commit 63628575417514f980af52f1e99d54a66d97276a
Author: Ziad Sawalha <email address hidden>
Date: Fri Jan 20 04:12:10 2012 -0600

    Handle EC2 Credentials on /tokens

    - EC2 credentials are just another type of credential
      that can be passed in to /tokens. This patch now
      handles those credentials correctly.
    - POST /tokens {'auth': {'OS-EC2-ec2Credentials...}
      now works correctly.
    - Multiple credential handling is improved. There is
      a detect_credentials call in utils now to detect
      the different types.

    Addresses:
    - bug 843058
    - bug 904523
    Prepares for:
    - bp s3token
    - bp keystone-client

    Change-Id: I43931fdc7b8a9b76eac351e11394cfa507911578
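
The commit message above describes detecting which credential type was passed to POST /tokens. The sketch below is an added example, not Keystone's `detect_credentials` or any code from the commit; the function name, the exception class and the required-field lists are assumptions made for illustration.

```python
# Added example, not Keystone's code: classify the credential in a POST /tokens body.
import json

# Credential keys accepted inside "auth". "OS-EC2-ec2Credentials" is the key named
# in this bug; the other two are the Keystone v2.0 password and token forms.
# The required-field lists are assumptions made for this example.
REQUIRED_FIELDS = {
    "passwordCredentials": ("username", "password"),
    "token": ("id",),
    "OS-EC2-ec2Credentials": ("access", "signature"),
}


class BadAuthRequest(ValueError):
    """The request body cannot be mapped to exactly one credential type."""


def detect_credential_type(body):
    """Return (type, credentials) for a raw JSON /tokens request body."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise BadAuthRequest("body is not valid JSON") from exc
    auth = doc.get("auth") if isinstance(doc, dict) else None
    if not isinstance(auth, dict):
        raise BadAuthRequest("missing 'auth' object")
    found = [key for key in REQUIRED_FIELDS if key in auth]
    if len(found) != 1:
        # Zero or several credential types: refuse instead of guessing.
        raise BadAuthRequest("expected exactly one credential type, got %d" % len(found))
    kind = found[0]
    creds = auth[kind]
    if not isinstance(creds, dict):
        raise BadAuthRequest("%s must be an object" % kind)
    missing = [f for f in REQUIRED_FIELDS[kind] if not creds.get(f)]
    if missing:
        # Report field names only, never the credential values.
        raise BadAuthRequest("%s is missing: %s" % (kind, ", ".join(missing)))
    return kind, creds


# Constructed sample request (values are placeholders, not real credentials).
SAMPLE = '{"auth": {"OS-EC2-ec2Credentials": {"access": "AKEXAMPLE", "signature": "c2ln"}}}'

if __name__ == "__main__":
    print(detect_credential_type(SAMPLE)[0])
```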

Changed in keystone:
status: Confirmed → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → essex-3
Mark McLoughlin (markmc)
Changed in keystone:
assignee: nobody → Ziad Sawalha (ziad-sawalha)
Thierry Carrez (ttx)
Changed in keystone:
milestone: essex-3 → 2012.1