ec2 Package

core Module

Main entry point into the EC2 Credentials service.

This service allows the creation of access/secret credentials used for the ec2 interop layer of OpenStack.

A user can create as many access/secret pairs as needed, each of which maps to a specific tenant. This is required because OpenStack supports a user belonging to multiple tenants, whereas the signatures created on ec2-style requests don’t allow specification of which tenant the user wishes to act upon.

To complete the cycle, we provide a method that OpenStack services can use to validate a signature and get a corresponding openstack token. This token allows method calls to other services within the context the access/secret was created. As an example, nova requests keystone to validate the signature of a request, receives a token, and then makes a request to glance to list images needed to perform the requested task.
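The cycle described above, sketched as an added example (this is not Keystone's own code): a client signs a request with one access/secret pair, and the validating side looks up the secret by access key, recomputes the signature, and returns a token scoped to the tenant that key maps to. It assumes EC2 Signature Version 2 with HmacSHA256; the credential store, the key names inside the `credentials` dict, and the helpers `sign_v2` and `build_request` are hypothetical.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import quote

# Constructed store: each access key maps to one secret and one user/tenant pair.
CREDENTIALS = {
    "AKEXAMPLE1": {"secret": "secret-one", "user_id": "u1", "tenant_id": "tenant-a"},
    "AKEXAMPLE2": {"secret": "secret-two", "user_id": "u1", "tenant_id": "tenant-b"},
}

def sign_v2(secret, verb, host, path, params):
    """Compute an EC2 Signature Version 2 (HmacSHA256) value for a request."""
    pairs = sorted((k, v) for k, v in params.items() if k != "Signature")
    query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in pairs)
    string_to_sign = "\n".join([verb, host.lower(), path, query])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def authenticate(credentials):
    """Return a token scoped to the key's tenant, or None if validation fails."""
    ref = CREDENTIALS.get(credentials.get("access"))
    if ref is None:
        return None  # unknown or revoked access key
    expected = sign_v2(ref["secret"], credentials["verb"], credentials["host"],
                       credentials["path"], credentials["params"])
    supplied = str(credentials.get("signature", ""))
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None
    return {"id": secrets.token_hex(16), "user_id": ref["user_id"],
            "tenant_id": ref["tenant_id"]}

def build_request(access, secret):
    """Client side: sign a constructed DescribeImages request."""
    params = {"Action": "DescribeImages", "AWSAccessKeyId": access,
              "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
              "Timestamp": "2012-01-01T00:00:00Z"}
    req = {"access": access, "verb": "GET", "host": "ec2.example.test",
           "path": "/services/Cloud", "params": params}
    req["signature"] = sign_v2(secret, req["verb"], req["host"], req["path"], params)
    return req

if __name__ == "__main__":
    token = authenticate(build_request("AKEXAMPLE2", "secret-two"))
    print(token["tenant_id"])
```

The same user holds both keys, and the tenant on the returned token is decided only by which access key signed the request.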

class keystone.contrib.ec2.core.Ec2Controller

Bases: keystone.common.wsgi.Application

authenticate(context, credentials=None, ec2Credentials=None)

Validate a signed EC2 request and provide a token.

Other services (such as Nova) use this admin call to determine if a signed request they received is from a valid user.

If it is a valid signature, an openstack token that maps to the user/tenant is returned to the caller, along with all the other details returned from a normal token validation call.

The returned token is useful for making calls to other OpenStack services within the context of the request.

Parameters:
  • context – standard context
  • credentials – dict of ec2 signature
  • ec2Credentials – DEPRECATED dict of ec2 signature
Returns:

token: openstack token equivalent to access key along with the corresponding service catalog and roles

check_signature(creds_ref, credentials)

create_credential(context, user_id, tenant_id)

Create a secret/access pair for use with ec2 style auth.

Generates a new set of credentials that map to the user/tenant pair.

Parameters:
  • context – standard context
  • user_id – id of user
  • tenant_id – id of tenant
Returns:

credential: dict of ec2 credential

delete_credential(context, user_id, credential_id)

Delete a user’s access/secret pair.

Used to revoke a user’s access/secret pair.

Parameters:
  • context – standard context
  • user_id – id of user
  • credential_id – access key for credentials
Returns:

bool: success

get_credential(context, user_id, credential_id)

Retrieve a user’s access/secret pair by the access key.

Grab the full access/secret pair for a given access key.

Parameters:
  • context – standard context
  • user_id – id of user
  • credential_id – access key for credentials
Returns:

credential: dict of ec2 credential

get_credentials(context, user_id)

List all credentials for a user.

Parameters:
  • context – standard context
  • user_id – id of user
Returns:

credentials: list of ec2 credential dicts

class keystone.contrib.ec2.core.Ec2Extension(application, mapper=None)

Bases: keystone.common.wsgi.ExtensionRouter

add_routes(mapper)

class keystone.contrib.ec2.core.Manager

Bases: keystone.common.manager.Manager

Default pivot point for the EC2 Credentials backend.

See keystone.common.manager.Manager for more details on how this dynamically calls the backend.