/* Token structure doesn't follow Identity API v2, so the token
* must be in v3. Otherwise we can assume it's wrongly formatted. */
JSONDecoder::decode_json("token", *this, &parser, true);
+ token.id = token_str;
}
- } else if (version == KeystoneApiVersion::VER_2) {
+ } else if (version == KeystoneApiVersion::VER_3) {
if (!JSONDecoder::decode_json("token", *this, &parser)) {
- /* If the token cannot be parsed according to V2, try V3. */
+ /* If the token cannot be parsed according to V3, try V2. */
JSONDecoder::decode_json("access", *this, &parser, true);
+ } else {
+ /* v3 suceeded. We have to fill token.id from external input as it
+ * isn't a part of the JSON response anymore. It has been moved
+ * to X-Subject-Token HTTP header instead. */
+ token.id = token_str;
}
} else {
return -ENOTSUP;
return -EPERM;
}
+ /* if the supplied signature is wrong, we will get 401 from Keystone */
+ if (get_http_status() == HTTP_STATUS_UNAUTHORIZED) {
+ return -ERR_SIGNATURE_NO_MATCH;
+ }
+
/* now parse response */
- if (response.parse(cct, rx_buffer) < 0) {
+ if (response.parse(cct, string(), rx_buffer) < 0) {
dout(2) << "s3 keystone: token parsing failed" << dendl;
return -EPERM;
}
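Review bot: The new `response.parse(cct, string(), rx_buffer)` call passes an empty token_str, and since the v3 branch now does `token.id = token_str`, a v3-parsed token on this path ends up with an empty id; if the parsed token is later cached or compared by id (that consumer is outside this hunk), an empty id should be rejected or the real X-Subject-Token header value passed instead — which one applies is not visible from here. The 401 check added above only covers the signature-mismatch case, so any other non-2xx reply still reaches the parser and is logged as "token parsing failed", which hides the actual cause. Guarding the parse on the status as well, e.g. `if (get_http_status() != 200) { dout(2) << "s3 keystone: unexpected status " << get_http_status() << dendl; return -EPERM; }` (using the project's status constant if one exists), keeps the diagnostics honest, assuming 200 is the only success code expected here. The enclosing function starts outside the hunk.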
token = cct->_conf->rgw_keystone_admin_token;
return 0;
}
+
+ KeystoneToken t;
+
+ /* Try cache first. */
+ if (keystone_token_cache->find_admin(t)) {
+ ldout(cct, 20) << "found cached admin token" << dendl;
+ token = t.token.id;
+ return 0;
+ }
+
bufferlist token_bl;
- RGWGetKeystoneAdminToken token_req(cct, &token_bl);
+ RGWGetKeystoneAdminToken token_req(cct, &token_bl, cct->_conf->rgw_keystone_verify_ssl);
token_req.append_header("Content-Type", "application/json");
JSONFormatter jf;