Merge pull request 2156 from kayrus/swift-app-cred

Swift: introduce application credential auth support
2024-11-15 17:47:21 +00:00 · 2019-03-16 12:17:17 +01:00 · 2019-03-16 12:17:17 +01:00 · 95434cff16
commit 95434cff16
parent 1b94ae1c00 6ebcfe7c18
5 changed files with 50 additions and 13 deletions
--- a/changelog/unreleased/issue-2155
+++ b/changelog/unreleased/issue-2155
@ -0,0 +1,8 @@
+Enhancement: add Openstack application credential auth for Swift
+
+Since Openstack Queens Identity (auth V3) service supports an application
+credential auth method.  It allows to create a technical account with the
+limited roles. This commit adds an application credential authentication
+method for the Swift backend.
+
+https://github.com/restic/restic/issues/2155
--- a/doc/030_preparing_a_new_repo.rst
+++ b/doc/030_preparing_a_new_repo.rst
@ -268,6 +268,18 @@ the naming convention of those variables follows the official Python Swift clien
   $ export OS_PROJECT_NAME=<MY_PROJECT_NAME>
   $ export OS_PROJECT_DOMAIN_NAME=<MY_PROJECT_DOMAIN_NAME>

+   # For keystone v3 application credential authentication (application credential id)
+   $ export OS_AUTH_URL=<MY_AUTH_URL>
+   $ export OS_APPLICATION_CREDENTIAL_ID=<MY_APPLICATION_CREDENTIAL_ID>
+   $ export OS_APPLICATION_CREDENTIAL_SECRET=<MY_APPLICATION_CREDENTIAL_SECRET>
+
+   # For keystone v3 application credential authentication (application credential name)
+   $ export OS_AUTH_URL=<MY_AUTH_URL>
+   $ export OS_USERNAME=<MY_USERNAME>
+   $ export OS_USER_DOMAIN_NAME=<MY_DOMAIN_NAME>
+   $ export OS_APPLICATION_CREDENTIAL_NAME=<MY_APPLICATION_CREDENTIAL_NAME>
+   $ export OS_APPLICATION_CREDENTIAL_SECRET=<MY_APPLICATION_CREDENTIAL_SECRET>
+
   # For authentication based on tokens
   $ export OS_STORAGE_URL=<MY_STORAGE_URL>
   $ export OS_AUTH_TOKEN=<MY_AUTH_TOKEN>
--- a/doc/040_backup.rst
+++ b/doc/040_backup.rst
@ -374,6 +374,10 @@ environment variables. The following list of environment variables:
    OS_PROJECT_NAME                     Project name for keystone authentication
    OS_PROJECT_DOMAIN_NAME              Project domain name for keystone authentication

+    OS_APPLICATION_CREDENTIAL_ID        Application Credential ID (keystone v3)
+    OS_APPLICATION_CREDENTIAL_NAME      Application Credential Name (keystone v3)
+    OS_APPLICATION_CREDENTIAL_SECRET    Application Credential Secret (keystone v3)
+
    OS_STORAGE_URL                      Storage URL for token authentication
    OS_AUTH_TOKEN                       Auth token for token authentication

--- a/internal/backend/swift/config.go
+++ b/internal/backend/swift/config.go
@ -23,6 +23,11 @@ type Config struct {
 	StorageURL string
 	AuthToken  string

+	// auth v3 only
+	ApplicationCredentialID     string
+	ApplicationCredentialName   string
+	ApplicationCredentialSecret string
+
 	Container              string
 	Prefix                 string
 	DefaultContainerPolicy string
@ -96,6 +101,11 @@ func ApplyEnvironment(prefix string, cfg interface{}) error {
 		{&c.UserName, prefix + "ST_USER"},
 		{&c.APIKey, prefix + "ST_KEY"},

+		// Application Credential auth
+		{&c.ApplicationCredentialID, prefix + "OS_APPLICATION_CREDENTIAL_ID"},
+		{&c.ApplicationCredentialName, prefix + "OS_APPLICATION_CREDENTIAL_NAME"},
+		{&c.ApplicationCredentialSecret, prefix + "OS_APPLICATION_CREDENTIAL_SECRET"},
+
 		// Manual authentication
 		{&c.StorageURL, prefix + "OS_STORAGE_URL"},
 		{&c.AuthToken, prefix + "OS_AUTH_TOKEN"},
--- a/internal/backend/swift/swift.go
+++ b/internal/backend/swift/swift.go
@ -54,6 +54,9 @@ func Open(cfg Config, rt http.RoundTripper) (restic.Backend, error) {
 			TrustId:                     cfg.TrustID,
 			StorageUrl:                  cfg.StorageURL,
 			AuthToken:                   cfg.AuthToken,
+			ApplicationCredentialId:     cfg.ApplicationCredentialID,
+			ApplicationCredentialName:   cfg.ApplicationCredentialName,
+			ApplicationCredentialSecret: cfg.ApplicationCredentialSecret,
 			ConnectTimeout:              time.Minute,
 			Timeout:                     time.Minute,