swift: Fix s3api/keystone interaction
For a long time, swift3 recommended a pipeline like

  ... swift3 s3token authtoken keystoneauth ...

This led to inefficiencies where the proxy would first contact Keystone to validate the S3 signature and issue a token, then contact Keystone *again* to validate the token ID that was just issued.

After s3token moved into the swift3 repo, it was improved to be able to put all of the headers into the WSGI environment that Swift's keystoneauth middleware expected and the recommended pipeline was changed to something like

  ... authtoken s3api s3token keystoneauth ...

At the time, the old order would still work, it would just be less efficient. When support was added for Keystone v3, however, the new order became mandatory.

All of that happened before swift3 moved back into Swift as s3api, but the pipeline placement problems are the same: Keystone users won't be able to use the S3 api with the current order.

Change-Id: Id0659f109cc2fc12ddb371df0b26812ba8c442d9
Related-Change: I21e38884a2aefbb94b76c76deccd815f01db7362
Related-Change: Ic9af387b9192f285f0f486e7171eefb23968007e
parent 54edc7aeef
commit 5b48e362af
@ -428,10 +428,11 @@ function configure_swift {
|
||||
swift_pipeline+=" s3api"
|
||||
fi
|
||||
if is_service_enabled keystone; then
|
||||
swift_pipeline+=" authtoken"
|
||||
if is_service_enabled s3api;then
|
||||
swift_pipeline+=" s3token"
|
||||
fi
|
||||
swift_pipeline+=" authtoken keystoneauth"
|
||||
swift_pipeline+=" keystoneauth"
|
||||
fi
|
||||
|
||||
swift_pipeline+=" tempauth "
|
||||
|
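Review bot: The order this hunk produces does not match the order the commit message calls mandatory. `swift_pipeline+=" s3api"` is still appended above the `if is_service_enabled keystone; then` block, so with both services enabled (and reading the combined `swift_pipeline+=" authtoken keystoneauth"` line as the removed one) the pipeline comes out as `s3api authtoken s3token keystoneauth`, while the message gives `authtoken s3api s3token keystoneauth`. If s3api ahead of authtoken is intended and equivalent, say so in the commit message and add a short comment above the keystone block stating the ordering constraint (s3token after authtoken, before keystoneauth), since a later reshuffle of these appends would silently break S3 authentication against Keystone. Otherwise move the s3api append inside the keystone branch after authtoken and keep a separate append for the non-Keystone case. Minor style point: `if is_service_enabled s3api;then` lacks the space before `then` that the keystone check on the line above uses.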