GitHub user gertjanol opened a pull request:
https://github.com/apache/libcloud/pull/444
RFC for AWS SignatureVersion 4 for EC2
As shortly discussed with @Kami in #407, this patch adds support for
Signature Version 4 to the `SignedAWSConnection` class. v4 will be used when a
Driver-class selects `EC2V4Connection` as its `connectionCls`. In this patch
this is only enabled for the new Frankfurt region, represented by a new
`EC2EUCentralNodeDriver` class.
Haven't created any tests yet, since this is just the PoC. If this has any
chance of getting merged in, I'll do the tests.
I would like some feedback and thoughts on this work.
Some questions:
* Is this the way to go, with the Connection-classes specifying a version,
and the Driver classes specifying the Connection class to use?
* I've chosen the `pre_connect_hook` to do the work, because we need both
the headers and the parameters to calculate the signature. Hope that's ok?
* I've tested all regions for EC2 and all seem to work fine with the v4
authentication. I haven't tested the only other part that uses the
`SignedAWSConnection`, the `ELBConnection`, but I'm guessing that that also
supports V4. It would reduce complexity if we could drop support for V2 in the
SignedAWSConnection altogether.
* The credential scope, as explained
[here](http://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html)
needs the service we are requesting. This should be just "ec2" for compute
service. I found no existing way to retrieve this, so I introduced a [new class
variable](https://github.com/gertjanol/libcloud/blob/74f5b2f9d50ff60e19fb427a515d2a44a2754346/libcloud/compute/drivers/ec2.py#L1707)
in the `EC2Connection`. I don't like this, so maybe there is a better way?
* This patch now only works for GET-requests, but the EC2-driver doesn't
use anything else. I think S3 uses other methods, but seems to have its own
authentication routines. Why is that? Should I take other methods into
consideration here?
* Performance of calculating this signature sucks :(. Haven't done any
measuring, but v2 seems way faster.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/gertjanol/libcloud aws-signature-v4
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/libcloud/pull/444.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #444
----
commit 653126a5b09365b5ae2204171f5dbf519c742cb4
Author: Gertjan Oude Lohuis <[email protected]>
Date: 2015-02-02T14:00:57Z
Working example of SignatureVersion 4 for AWS EC2
commit 74f5b2f9d50ff60e19fb427a515d2a44a2754346
Author: Gertjan Oude Lohuis <[email protected]>
Date: 2015-02-02T14:03:47Z
Make supported nodes for EC2EUCentralNodeDriver available
----
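The Signature Version 4 calculation for a GET request, as discussed in the pull request above, written out as an added example that is not part of the original message or of libcloud's code. The function names `signing_key`, `canonical_query` and `sign_get` are hypothetical, and the secret, timestamp and request parameters are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret, date, region, service):
    """Derive the v4 key: secret -> date -> region -> service -> aws4_request."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def canonical_query(params):
    """Sort by parameter name, percent-encode all but unreserved characters."""
    return "&".join("%s=%s" % (quote(k, safe="-_.~"), quote(str(v), safe="-_.~"))
                    for k, v in sorted(params.items()))


def sign_get(secret, region, service, host, params, amz_date, path="/"):
    """Return (credential_scope, hex_signature) for a GET with an empty body."""
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    names = sorted(headers)
    # Both the headers and the query parameters enter the canonical request.
    canonical_request = "\n".join([
        "GET", path, canonical_query(params),
        "".join("%s:%s\n" % (n, headers[n].strip()) for n in names),
        ";".join(names),
        hashlib.sha256(b"").hexdigest()])
    # The scope names the service being called ("ec2" for the compute API).
    scope = "/".join([date, region, service, "aws4_request"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    key = signing_key(secret, date, region, service)
    return scope, hmac.new(key, string_to_sign.encode("utf-8"),
                           hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample values; the secret is a placeholder, not a real key.
    print(sign_get("EXAMPLE-SECRET-NOT-REAL", "eu-central-1", "ec2",
                   "ec2.eu-central-1.amazonaws.com",
                   {"Action": "DescribeInstances", "Version": "2013-10-15"},
                   "20150202T140057Z"))
```

The derived key depends only on the secret, the date, the region and the service, so one key can sign every request made with the same credential scope.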