Merge pull request 2156 from kayrus/swift-app-cred

Swift: introduce application credential auth support
Alexander Neumann 2019-03-16 12:17:17 +01:00
commit 95434cff16
5 changed files with 50 additions and 13 deletions


@ -0,0 +1,8 @@
Enhancement: add Openstack application credential auth for Swift
Since Openstack Queens Identity (auth V3) service supports an application
credential auth method. It allows to create a technical account with the
limited roles. This commit adds an application credential authentication
method for the Swift backend.
https://github.com/restic/restic/issues/2155


@ -268,6 +268,18 @@ the naming convention of those variables follows the official Python Swift clien
$ export OS_PROJECT_NAME=<MY_PROJECT_NAME> $ export OS_PROJECT_NAME=<MY_PROJECT_NAME>
$ export OS_PROJECT_DOMAIN_NAME=<MY_PROJECT_DOMAIN_NAME> $ export OS_PROJECT_DOMAIN_NAME=<MY_PROJECT_DOMAIN_NAME>
# For keystone v3 application credential authentication (application credential id)
$ export OS_AUTH_URL=<MY_AUTH_URL>
$ export OS_APPLICATION_CREDENTIAL_ID=<MY_APPLICATION_CREDENTIAL_ID>
$ export OS_APPLICATION_CREDENTIAL_SECRET=<MY_APPLICATION_CREDENTIAL_SECRET>
# For keystone v3 application credential authentication (application credential name)
$ export OS_AUTH_URL=<MY_AUTH_URL>
$ export OS_USERNAME=<MY_USERNAME>
$ export OS_USER_DOMAIN_NAME=<MY_DOMAIN_NAME>
$ export OS_APPLICATION_CREDENTIAL_NAME=<MY_APPLICATION_CREDENTIAL_NAME>
$ export OS_APPLICATION_CREDENTIAL_SECRET=<MY_APPLICATION_CREDENTIAL_SECRET>
# For authentication based on tokens # For authentication based on tokens
$ export OS_STORAGE_URL=<MY_STORAGE_URL> $ export OS_STORAGE_URL=<MY_STORAGE_URL>
$ export OS_AUTH_TOKEN=<MY_AUTH_TOKEN> $ export OS_AUTH_TOKEN=<MY_AUTH_TOKEN>


@ -374,6 +374,10 @@ environment variables. The following list of environment variables:
OS_PROJECT_NAME Project name for keystone authentication OS_PROJECT_NAME Project name for keystone authentication
OS_PROJECT_DOMAIN_NAME Project domain name for keystone authentication OS_PROJECT_DOMAIN_NAME Project domain name for keystone authentication
OS_APPLICATION_CREDENTIAL_ID Application Credential ID (keystone v3)
OS_APPLICATION_CREDENTIAL_NAME Application Credential Name (keystone v3)
OS_APPLICATION_CREDENTIAL_SECRET Application Credential Secret (keystone v3)
OS_STORAGE_URL Storage URL for token authentication OS_STORAGE_URL Storage URL for token authentication
OS_AUTH_TOKEN Auth token for token authentication OS_AUTH_TOKEN Auth token for token authentication


@ -23,6 +23,11 @@ type Config struct {
StorageURL string StorageURL string
AuthToken string AuthToken string
// auth v3 only
ApplicationCredentialID string
ApplicationCredentialName string
ApplicationCredentialSecret string
Container string Container string
Prefix string Prefix string
DefaultContainerPolicy string DefaultContainerPolicy string
@ -96,6 +101,11 @@ func ApplyEnvironment(prefix string, cfg interface{}) error {
{&c.UserName, prefix + "ST_USER"}, {&c.UserName, prefix + "ST_USER"},
{&c.APIKey, prefix + "ST_KEY"}, {&c.APIKey, prefix + "ST_KEY"},
// Application Credential auth
{&c.ApplicationCredentialID, prefix + "OS_APPLICATION_CREDENTIAL_ID"},
{&c.ApplicationCredentialName, prefix + "OS_APPLICATION_CREDENTIAL_NAME"},
{&c.ApplicationCredentialSecret, prefix + "OS_APPLICATION_CREDENTIAL_SECRET"},
// Manual authentication // Manual authentication
{&c.StorageURL, prefix + "OS_STORAGE_URL"}, {&c.StorageURL, prefix + "OS_STORAGE_URL"},
{&c.AuthToken, prefix + "OS_AUTH_TOKEN"}, {&c.AuthToken, prefix + "OS_AUTH_TOKEN"},
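Review bot: Nothing in the ApplyEnvironment hunk checks that the three new variables form a usable set, so OS_APPLICATION_CREDENTIAL_SECRET can be set without an ID or name (or the reverse) and the mistake only surfaces later, if at all. Since the point of an application credential is a limited-role account, a silent fallback to the user's password or API key when those variables are also exported would be worth ruling out; whether the swift library does that is not visible here. At minimum the `// auth v3 only` comment in Config could state the contract, e.g. `// auth v3 only: ApplicationCredentialSecret plus either ApplicationCredentialID, or ApplicationCredentialName with UserName and the user's domain`. The secret is also a plain string field, so any code that formats the whole Config for logging would print it; both Config and ApplyEnvironment continue outside the hunks shown.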


@ -43,19 +43,22 @@ func Open(cfg Config, rt http.RoundTripper) (restic.Backend, error) {
be := &beSwift{ be := &beSwift{
conn: &swift.Connection{ conn: &swift.Connection{
UserName: cfg.UserName, UserName: cfg.UserName,
Domain: cfg.Domain, Domain: cfg.Domain,
ApiKey: cfg.APIKey, ApiKey: cfg.APIKey,
AuthUrl: cfg.AuthURL, AuthUrl: cfg.AuthURL,
Region: cfg.Region, Region: cfg.Region,
Tenant: cfg.Tenant, Tenant: cfg.Tenant,
TenantId: cfg.TenantID, TenantId: cfg.TenantID,
TenantDomain: cfg.TenantDomain, TenantDomain: cfg.TenantDomain,
TrustId: cfg.TrustID, TrustId: cfg.TrustID,
StorageUrl: cfg.StorageURL, StorageUrl: cfg.StorageURL,
AuthToken: cfg.AuthToken, AuthToken: cfg.AuthToken,
ConnectTimeout: time.Minute, ApplicationCredentialId: cfg.ApplicationCredentialID,
Timeout: time.Minute, ApplicationCredentialName: cfg.ApplicationCredentialName,
ApplicationCredentialSecret: cfg.ApplicationCredentialSecret,
ConnectTimeout: time.Minute,
Timeout: time.Minute,
Transport: rt, Transport: rt,
}, },