From 5b48e362af72bfc960d64c2a69b005856af47863 Mon Sep 17 00:00:00 2001 From: Tim Burke Date: Tue, 26 May 2020 16:21:45 -0700 Subject: [PATCH] swift: Fix s3api/keystone interaction For a long time, swift3 recommended a pipeline like ... swift3 s3token authtoken keystoneauth ... This led to inefficiencies where the proxy would first contact Keystone to validate the S3 signature and issue a token, then contact Keystone *again* to validate the token ID that was just issued. After s3token moved into the swift3 repo, it was improved to be able to put all of the headers into the WSGI environment that Swift's keystoneauth middleware expected and the recommended pipeline was changed to something like ... authtoken s3api s3token keystoneauth ... At the time, the old order would still work, it would just be less efficient. When support was added for Keystone v3, however, the new order became mandatory. All of that happened before swift3 moved back into Swift as s3api, but the pipeline placement problems are the same: Keystone users won't be able to use the S3 api with the current order. Change-Id: Id0659f109cc2fc12ddb371df0b26812ba8c442d9 Related-Change: I21e38884a2aefbb94b76c76deccd815f01db7362 Related-Change: Ic9af387b9192f285f0f486e7171eefb23968007e --- lib/swift | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/swift b/lib/swift index 5be9e3575e..b6c06c57bd 100644 --- a/lib/swift +++ b/lib/swift @@ -428,10 +428,11 @@ function configure_swift { swift_pipeline+=" s3api" fi if is_service_enabled keystone; then + swift_pipeline+=" authtoken" if is_service_enabled s3api;then swift_pipeline+=" s3token" fi - swift_pipeline+=" authtoken keystoneauth" + swift_pipeline+=" keystoneauth" fi swift_pipeline+=" tempauth "