Comment 3 for bug 1566416

Guang Yee (guang-yee) wrote :

++ for the proposed solution to have the s3token API protected by a service token.

Come to think of it, both ec2 and s3 are more like "token validation" APIs from Keystone's perspective. The "token" is the authorization header.

In a production environment, where both Swift and Keystone are expected to be running behind a private network with controlled access, the risk of being able to capture/snoop the headers is similar to that of token validation. But otherwise, the header can only be reproduced if the attacker has the user's signing key. If that's the case, it's game over for that particular account.
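The point the comment makes (the Authorization header is the "token", a snooped header can be replayed but not re-used for a different request, and only the signing key lets an attacker forge at will) as an added, runnable illustration. This is example code written for this page, not Keystone's or Swift's own code: it assumes AWS signature v2 (base64 of HMAC-SHA1 over the string-to-sign), a hypothetical `S3TokenValidator` standing in for the s3token validation side, a hypothetical `swift_forwards` standing in for the S3 middleware, and a constructed service token modelling the proposed service-token gate. All keys, dates and tokens are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for the demo; not real keys.
USER_ACCESS = "AKIAEXAMPLEACCESS"
USER_SECRET = b"constructed-user-secret-signing-key"
SWIFT_SERVICE_TOKEN = "constructed-service-token"  # hypothetical token held by Swift


def string_to_sign(verb, content_md5, content_type, date, resource):
    """AWS signature v2 canonical string (simplified: no x-amz-* headers)."""
    return "\n".join([verb, content_md5, content_type, date, resource])


def s3_signature(secret, sts):
    """Signature v2: base64(HMAC-SHA1(secret, string_to_sign))."""
    digest = hmac.new(secret, sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def authorization_header(access, secret, sts):
    """What the client sends; this header is the 'token' being validated."""
    return "AWS %s:%s" % (access, s3_signature(secret, sts))


def parse_authorization_header(header):
    """Split 'AWS <access>:<signature>' into its two parts."""
    scheme, _, rest = header.partition(" ")
    if scheme != "AWS" or ":" not in rest:
        raise ValueError("not an AWS v2 Authorization header")
    access, _, signature = rest.partition(":")
    return access, signature


class S3TokenValidator:
    """Stand-in for the validation side (hypothetical; not Keystone's code).

    It holds the users' secret keys, so it is the only party that can recompute
    a signature. The service-token check models the proposal in the thread:
    the validation API only answers a caller presenting a valid service token.
    """

    def __init__(self, user_secrets, service_tokens):
        self.user_secrets = user_secrets            # access key -> secret key
        self.service_tokens = set(service_tokens)   # tokens accepted from services

    def validate(self, service_token, access, sts_b64, signature):
        if service_token not in self.service_tokens:
            return "rejected: no valid service token"
        secret = self.user_secrets.get(access)
        if secret is None:
            return "rejected: unknown access key"
        sts = base64.b64decode(sts_b64).decode("utf-8")
        expected = s3_signature(secret, sts)
        # Constant-time compare so the verifier does not leak the signature byte by byte.
        if not hmac.compare_digest(expected, signature):
            return "rejected: signature mismatch"
        return "ok"


def swift_forwards(validator, service_token, header, sts):
    """Hypothetical middleware step: forward access key, base64(string-to-sign) and signature."""
    access, signature = parse_authorization_header(header)
    sts_b64 = base64.b64encode(sts.encode("utf-8")).decode("ascii")
    return validator.validate(service_token, access, sts_b64, signature)


def demo():
    validator = S3TokenValidator({USER_ACCESS: USER_SECRET}, [SWIFT_SERVICE_TOKEN])
    date = "Tue, 05 Apr 2016 12:00:00 GMT"  # constructed
    sts = string_to_sign("GET", "", "", date, "/bucket/object")
    header = authorization_header(USER_ACCESS, USER_SECRET, sts)

    results = {}
    # 1. Legitimate request forwarded by Swift with its service token.
    results["legit"] = swift_forwards(validator, SWIFT_SERVICE_TOKEN, header, sts)
    # 2. An attacker who snooped the header replays the identical request: still valid.
    results["replay"] = swift_forwards(validator, SWIFT_SERVICE_TOKEN, header, sts)
    # 3. The snooped header reused for a different request: signature no longer matches.
    other_sts = string_to_sign("DELETE", "", "", date, "/bucket/object")
    results["forge_without_secret"] = swift_forwards(validator, SWIFT_SERVICE_TOKEN, header, other_sts)
    # 4. An attacker holding the secret key can sign anything: game over for that account.
    forged = authorization_header(USER_ACCESS, USER_SECRET, other_sts)
    results["forge_with_secret"] = swift_forwards(validator, SWIFT_SERVICE_TOKEN, forged, other_sts)
    # 5. Hitting the validation API without a service token is refused before any signature work.
    results["no_service_token"] = swift_forwards(validator, "", header, sts)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-22s %s" % (name, outcome))
```

Cases 2 and 3 are the snooping risk the comment compares to token validation: a captured header is a replayable credential for that exact request, but not a signing oracle. Case 5 is what the service-token gate buys: an unauthenticated caller cannot use the validation API as an offline signature-checking oracle at all.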