After setting up radosgw federated configuration last week and integrating with OpenStack Keystone auth, I have a question regarding the configuration.

In the Keystone setup instructions for Kilo, the admin token auth method is disabled:

http://docs.openstack.org/kilo/install-guide/install/apt/content/keystone-verify.html

"For security reasons, disable the temporary authentication token mechanism: Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections."

So after using this setup guide for Kilo, the environment is not compatible with radosgw because apparently radosgw requires admin token auth. This is not documented at http://ceph.com/docs/master/radosgw/keystone/ and resulted in a really frustrating day of troubleshooting why Keystone was rejecting radosgw's attempts to load the token revocation list.

So first, I think this requirement should be listed on the radosgw/keystone integration setup instructions.

Long term, I am curious if Ceph intends to continue using this "temporary authentication mechanism" that is recommended to be disabled after bootstrapping Keystone's setup by OpenStack.

For reference, these are the kinds of errors seen when the admin token auth is disabled as recommended:

ceph rgw node:

T 10.13.32.6:42533 -> controller:5000 [AP]
GET /v2.0/tokens/revoked HTTP/1.1..Host: controller:5000..Accept: */*..Transfer-Encoding: chunked..X-Auth-Token: <removed>..Expect: 100-continue....
##
T controller:5000 -> 10.13.32.6:42533 [AP]
HTTP/1.1 100 Continue....
##
T 10.13.32.6:42533 -> controller:5000 [AP]
0....
#
T controller:5000 -> 10.13.32.6:42533 [AP]
HTTP/1.1 403 Forbidden..Date: Sat, 15 Aug 2015 00:46:58 GMT..Server: Apache/2.4.7 (Ubuntu)..Vary: X-Auth-Token..X-Distribution: Ubuntu..x-openstack-request-id: req-869523c8-12bb-46d4-9d5b-89e0efd1dc38..Content-Length: 141..Content-Type: application/json....{"error": {"message": "You are not authorized to perform the requested action: identity:revocation_list", "code": 403, "title": "Forbidden"}}

root@radosgw-template:~# radosgw --id radosgw.us-dfw-1 -d
2015-08-15 00:51:17.992497 7ff2281e0840 0 ceph version 0.94.2 (5fb85614ca8f354284c713a2f9c610860720bbf3), process radosgw, pid 15381
2015-08-15 00:51:18.515909 7ff2281e0840 0 framework: fastcgi
2015-08-15 00:51:18.515927 7ff2281e0840 0 framework: civetweb
2015-08-15 00:51:18.515946 7ff2281e0840 0 framework conf key: port, val: 7480
2015-08-15 00:51:18.515958 7ff2281e0840 0 starting handler: civetweb
2015-08-15 00:51:18.529113 7ff2281e0840 0 starting handler: fastcgi
2015-08-15 00:51:18.541553 7ff1a67fc700 0 revoked tokens response is missing signed section
2015-08-15 00:51:18.541573 7ff1a67fc700 0 ERROR: keystone revocation processing returned error r=-22
2015-08-15 00:51:21.222619 7ff1a6ffd700 0 ERROR: can't read user header: ret=-2
2015-08-15 00:51:21.222648 7ff1a6ffd700 0 ERROR: sync_user() failed, user=us-dfw ret=-2

keystone error log:

2015-08-14 19:46:58.582172 2015-08-14 19:46:58.582 8782 WARNING keystone.common.wsgi [-] You are not authorized to perform the requested action: identity:revocation_list
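
Added example, not part of the original message and not Ceph or Keystone code: a check that correlates the two symptoms reported above, reading which of the three pipelines named in the install guide still carry admin_token_auth and whether the radosgw log shows the revocation-list failure. The function names are hypothetical, the keystone-paste.ini sample is constructed and abbreviated, and the failing log lines are copied from the message.

```python
import configparser

# Pipeline sections the Kilo install guide (quoted in the message) says to edit.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
# radosgw messages from the message that accompany the failed revocation fetch.
RGW_SIGNATURES = ("revoked tokens response is missing signed section",
                  "keystone revocation processing returned error")

# Constructed, abbreviated keystone-paste.ini after following the guide. The
# filter definition remains, so a plain text search for the name would mislead.
SAMPLE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[pipeline:public_api]
pipeline = sizelimit url_normalize build_auth_context token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize build_auth_context token_auth
    json_body admin_service
[pipeline:api_v3]
pipeline = sizelimit url_normalize build_auth_context token_auth json_body service_v3
"""
# One unrelated startup line and the two failure lines copied from the message.
SAMPLE_LOG = [
    "2015-08-15 00:51:18.529113 7ff2281e0840 0 starting handler: fastcgi",
    "2015-08-15 00:51:18.541553 7ff1a67fc700 0 revoked tokens response is missing signed section",
    "2015-08-15 00:51:18.541573 7ff1a67fc700 0 ERROR: keystone revocation processing returned error r=-22",
]


def admin_token_auth_status(ini_text):
    """Per pipeline: True if the filter is in the chain, False if not, None if no such section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    status = dict.fromkeys(PIPELINES)  # None means the section was not found
    for section in filter(cp.has_section, PIPELINES):
        chain = cp.get(section, "pipeline", fallback="").split()
        status[section] = "admin_token_auth" in chain
    return status


def diagnose(ini_text, log_lines):
    """Return (verdict, matching radosgw log lines) for the mismatch described in the message."""
    status = admin_token_auth_status(ini_text)
    hits = [line for line in log_lines if any(s in line for s in RGW_SIGNATURES)]
    removed = sorted(s for s, present in status.items() if present is False)
    if hits and removed:
        return "revocation fetch failing; admin_token_auth absent from: " + ", ".join(removed), hits
    if hits:
        return "revocation fetch failing; admin_token_auth not removed from any pipeline found", hits
    return "no revocation-list failures in log", hits
```

Calling diagnose(SAMPLE_INI, SAMPLE_LOG) returns the verdict string together with the two matching radosgw lines.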