libcloud-notifications mailing list archives

From gertjanol <...@git.apache.org>
Subject [GitHub] libcloud pull request: RFC for AWS SignatureVersion 4 for EC2
Date Mon, 02 Feb 2015 14:48:18 GMT
GitHub user gertjanol opened a pull request:

    https://github.com/apache/libcloud/pull/444

    RFC for AWS SignatureVersion 4 for EC2 

    As shortly discussed with @Kami in #407, this patch adds support for Signature Version
4 to the `SignedAWSConnection` class. v4 will be used when a Driver-class selects `EC2V4Connection`
as its `connectionCls`. In this patch this is only enabled for the new Frankfurt region,
represented by a new `EC2EUCentralNodeDriver` class. 
    Haven't created any tests yet, since this is just the PoC. If this has any chance of getting
merged in, I'll do the tests.
    
    I would like some feedback and thoughts on this work.
    Some questions:
    * Is this the way to go, with the Connection-classes specifying a version, and the Driver
classes specifying the Connection class to use?
    * I've chosen the `pre_connect_hook` to do the work, because we need both the headers
and the parameters to calculate the signature. Hope that's ok?
    * I’ve tested all regions for EC2 and all seem to work fine with the v4 authentication.
I haven’t tested the only other part that uses the `SignedAWSConnection`, the `ELBConnection`,
but I’m guessing that that also supports V4. It would reduce complexity if we could drop
support for V2 in the SignedAWSConnection altogether. 
    * The credential scope, as explained [here](http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html)
needs the service we are requesting. This should be just ‘ec2’ for compute service. I
found no existing way to retrieve this, so I introduced a [new class variable](https://github.com/gertjanol/libcloud/blob/74f5b2f9d50ff60e19fb427a515d2a44a2754346/libcloud/compute/drivers/ec2.py#L1707)
in the `EC2Connection`. I don’t like this, so maybe there is a better way?
    * This patch now only works for GET-requests, but the EC2-driver doesn't use anything
else. I think S3 uses other methods, but seems to have its own authentication routines. Why
is that? Should I take other methods into consideration here?
    * Performance of calculating this signature sucks :(. Haven't done any measuring, but
v2 seems way faster.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gertjanol/libcloud aws-signature-v4

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/libcloud/pull/444.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #444
    
----
commit 653126a5b09365b5ae2204171f5dbf519c742cb4
Author: Gertjan Oude Lohuis <gertjan@byte.nl>
Date:   2015-02-02T14:00:57Z

    Working example of SignatureVersion 4 for AWS EC2

commit 74f5b2f9d50ff60e19fb427a515d2a44a2754346
Author: Gertjan Oude Lohuis <gertjan@byte.nl>
Date:   2015-02-02T14:03:47Z

    Make supported nodes for EC2EUCentralNodeDriver available

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---
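
Added example, not part of the pull request or of libcloud's code: a minimal Signature Version 4 signer for a GET request, showing why the signature needs both the headers and the query parameters, and where the service name (`ec2`) enters the credential scope. The host, API version, timestamp and credentials are constructed placeholders, and all function names are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def canonical_request(method, path, params, headers, payload=b""):
    # Query string: URI-encode names and values, then sort by encoded name.
    pairs = sorted((quote(k, safe="-_.~"), quote(str(v), safe="-_.~"))
                   for k, v in params.items())
    query = "&".join("%s=%s" % p for p in pairs)
    # Headers: lower-case names, collapse whitespace in values, sort by name.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in hdrs)
    canonical_headers = "".join("%s:%s\n" % h for h in hdrs)
    request = "\n".join([method, path, query, canonical_headers, signed,
                         sha256_hex(payload)])
    return request, signed

def credential_scope(date, region, service):
    return "/".join([date, region, service, "aws4_request"])

def signing_key(secret, date, region, service):
    # Each HMAC output keys the next step, binding the key to the scope.
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key

def authorization_header(access_id, secret, region, service, method, path,
                         params, headers):
    amz_date = headers["X-Amz-Date"]
    date = amz_date[:8]
    scope = credential_scope(date, region, service)
    request, signed = canonical_request(method, path, params, headers)
    to_sign = "\n".join([ALGORITHM, amz_date, scope,
                         sha256_hex(request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret, date, region, service),
                         to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return "%s Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        ALGORITHM, access_id, scope, signed, signature)

# Constructed sample request (assumed values, not taken from the pull request).
SAMPLE_PARAMS = {"Action": "DescribeInstances", "Version": "2013-10-15"}
SAMPLE_HEADERS = {"Host": "ec2.eu-central-1.amazonaws.com",
                  "X-Amz-Date": "20150202T144818Z"}
```

The four chained HMACs in `signing_key` depend only on the secret, date, region and service, so a connection can compute the key once per day and reuse it across requests.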
