6ffcc294e3
Previously, s3token would make one request to Keystone to validate the request signature provided by the user, then use the response to add an X-Auth-Token header to the request environment. This would get picked up by the authtoken middleware which would make *another* request to validate the token *we just got*. Now, we'll populate the request environment with the following headers: * X-Identity-Status * X-Roles * X-User-Id * X-User-Name * X-Tenant-Id * X-Tenant-Name * X-Project-Id * X-Project-Name This allows Swift's keystoneauth middleware to function without needing the authtoken middleware at all. UpgradeImpact ------------- The recommended pipeline ordering has changed. Whereas authoken previously had to be between s3token and keystoneauth like ... swift3 s3token authtoken keystoneauth ... it should now be placed before swift3, as in ... authtoken swift3 s3token keystoneauth ... Alternatively, if Keystone users should only ever access Swift through the S3 API, the authtoken middleware may be removed entirely. Note that the old pipeline ordering will continue to work, but still requires two Keystone requests per client request as before. To upgrade an existing cluster to take advantage of this change operators should, for each proxy server: 1. Upgrade swift3 2. Optionally, restart proxy-server 3. Update proxy-server.conf with the new pipeline 4. Restart proxy-server Updating proxy-server.conf *before* upgrading swift3 will prevent the proxy from starting if there is an unexpected reboot before the upgrade. Closes-Bug: #1653017 Change-Id: I21e38884a2aefbb94b76c76deccd815f01db7362
13 lines
209 B
Plaintext
13 lines
209 B
Plaintext
hacking>=0.11.0,<0.12 # Apache-2.0
|
|
sphinx
|
|
nose
|
|
openstack.nose_plugin
|
|
coverage
|
|
mock
|
|
pylint
|
|
python-openstackclient
|
|
boto
|
|
requests-mock>=0.7.0 # Apache-2.0
|
|
fixtures<2.0,>=1.3.1 # Apache-2.0/BSD
|
|
keystonemiddleware
|