swift-s3auth is a lightweight auth middleware which stores credentials inside
OpenStack Swift itself (inspired by swauth).
The middleware can be used with your already deployed auth middleware in use.
This is useful, if your current auth middleware does not support s3
(e.g. because passwords are not stored in plaintext).
-
Install s3auth with
sudo python setup.py installorsudo python setup.py develop. -
Alter your proxy-server.conf pipeline and place s3auth between swift3 and your auth middleware in use:
[pipeline:main] pipeline = catch_errors cache swift3 s3auth myauth proxy-server -
Add to your proxy-server.conf the section for the Swauth WSGI filter:
[filter:s3auth] use = egg:s3auth#s3auth prep_key = prepkey #Following are optional. Default values are displayed on the right side. #auth_prefix = s3auth #reseller_prefix = AUTH_ #memcache_time= 600 -
Restart your proxy server.
-
Initialize the Swift3 backing store in Swift:
s3auth-prep -P myprepkey -H myhash -K admkey -
After successful initialization, remove the prep_key from the proxy-server.conf for better security.
-
Add an access key. You need to specify the secret key for the access key and the swift storage account which the key should map to:
s3auth-add-key -K admkey -S skey akey AUTH_acct -
Ensure it works with your favourite s3client. E.g. s3curl:
s3curl.pl --key skey --id akey http:https://cluster:8080/
You can use the tools s3auth-add-key, s3auth-delete-key and s3auth-list
for managing access keys. If you desire to use the API directly (e.g. with curl),
then please consult the docs.
This is especially recommended if your users should be able to change their s3 secret
keys on their own, as there is no tool for this purpose available.