Skip to content

feat(services/swift): add Keystone v3 authentication#7216

Open
benroeder wants to merge 1 commit intoapache:mainfrom
benroeder:swift/keystone-auth
Open

feat(services/swift): add Keystone v3 authentication#7216
benroeder wants to merge 1 commit intoapache:mainfrom
benroeder:swift/keystone-auth

Conversation

@benroeder
Copy link
Contributor

@benroeder benroeder commented Feb 23, 2026

Summary

  • Fixes feat: Swift service should support Keystone v3 authentication #7215
  • Add native Keystone v3 password authentication with automatic token acquisition and refresh
  • Tokens are refreshed with a 2-minute grace period before expiry
  • Swift storage URL can be discovered from the Keystone service catalog or provided explicitly
  • Two auth modes: static token (existing, backward compatible) or Keystone v3 (new)
  • New config fields: auth_url, username, password, project_name, user_domain_name, project_domain_name
  • Adds mea dependency for async mutex (same as other OpenDAL services)
  • Includes 9 unit tests for catalog extraction, response parsing, and signer lifecycle

Reference: https://docs.openstack.org/keystone/latest/api_curl_examples.html

Test plan

  • All 93 behavior tests pass with Keystone v3 auth against a real OpenStack Swift cluster
  • All 93 behavior tests pass with static token against local SAIO (backward compatibility)
  • Unit tests cover: catalog extraction (normal, missing, trailing slash, prefers public), Keystone response parsing (full and minimal), timestamp parsing, static signer never-expire, Keystone signer starts-expired

@benroeder
feat(services/swift): add Keystone v3 authentication
d8176b0 
Add native Keystone v3 password authentication with automatic token
acquisition and refresh. Tokens are refreshed with a 2-minute grace
period before expiry. The Swift storage URL can be discovered from
the Keystone service catalog or provided explicitly.

Two authentication modes:
- Static token (existing behavior): provide token and endpoint directly
- Keystone v3 (new): provide auth_url, username, password, project_name

Backward compatible — existing token-based configs continue to work.

Reference: https://docs.openstack.org/keystone/latest/api_curl_examples.html
@benroeder benroeder requested a review from Xuanwo as a code owner February 23, 2026 00:59
@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Feb 23, 2026
@dosubot
Copy link

dosubot bot commented Feb 23, 2026

Related Documentation

Checked 0 published document(s) in 1 knowledge base(s). No updates required.

How did I do? Any feedback?  Join Discord

@dosubot dosubot bot added the releases-note/feat The PR implements a new feature or has a title that begins with "feat" label Feb 23, 2026
Xuanwo
Xuanwo reviewed Feb 23, 2026
View reviewed changes
core/services/swift/src/core.rs
use std::sync::OnceLock;

/// Authentication mode for Swift.
pub enum SwiftAuth {
Copy link
Member

@Xuanwo Xuanwo Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I suggest we implement that logic within reqsign: https://github.com/apache/opendal-reqsign. This way, OpenDAL can focus more on storage-side logic.

Copy link
Contributor Author

@benroeder benroeder Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok will look into it

Copy link
Contributor Author

@benroeder benroeder Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that opendal uses v0.16.x branch and main is v0.19.0 should I add it to both ? @Xuanwo

@benroeder benroeder mentioned this pull request Feb 23, 2026
Open
5 tasks
@benroeder
Copy link
Contributor Author

benroeder commented Feb 23, 2026

Update: I've submitted both PRs to opendal-reqsign:

Both add services-openstack with Keystone v3 password auth, token
caching, service catalog parsing, and request signing. Tested against
a real Keystone cluster.

Once the v0.16.x PR is merged and released, I'll update this PR to
use reqsign for the auth instead of the inline implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Xuanwo Xuanwo Xuanwo left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

releases-note/feat The PR implements a new feature or has a title that begins with "feat" size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

feat: Swift service should support Keystone v3 authentication

2 participants

@benroeder @Xuanwo