Ceph » rgw

First the version to use must be determined, quickest and easiest is to add a configurable. Other clients use the unversioned endpoint to get a list of available versions; this is probably too complicated for the initial implementation.
i.e.
rgw use keystone version = 3

Based on the value of that configurable the token_url would need to be changed from “v2.0/tokens” to “/v3/auth/tokens”. The auth section needs an Identity object that contains a methods section listing password as the method and a password object with the credentials including the domain (domains are new). These changes should be made to get_keystone_admin_token The revoked token list is an undocumented api feature for v2 and doesn’t seem to exist for v3. When validating a token the “/v3/auth/tokens” endpoint is used but unlike v2 the token to be validated is in “X-Subject-Token” instead of appended to the url.

The users now need a domain designation because testuser with domain1 isn’t the same user as testuser with domain2. Backwards compatibility with V2 is done by assigning them all to the default domain of “default” although this may need to be a configurable.

The copy of the token json returned when validating has a top level “token” instead of “access”: {“token”: …} and that key has “project”, “roles”, and “user” objects. This will need some slightly different parsing vs a v2 token.

Some details of moving from v2 to v3:
http://docs.openstack.org/developer/keystone/http-api.html

API definitions for v2 and v3:
http://developer.openstack.org/api-ref-identity-v3.html
http://developer.openstack.org/api-ref-identity-admin-v2.html