RGW Keystone interaction (was Ceph.conf)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Sep 10, 2015 at 3:27 PM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
> Thank you for letting me know your thought, Abhishek!!
>
>
>     > The Ceph Object Gateway will query Keystone periodically
>     > for a list of revoked tokens. These requests are encoded
>     > and signed. Also, Keystone may be configured to provide
>     > self-signed tokens, which are also encoded and signed.
>

Looked a bit more into this, swift apis seem to support the use
of an admin tenant, user & token for validating the bearer token,
similar to other openstack service which use a service tenant
credentials for authenticating.
 Though it needs documentation, the configurables `rgw keystone admin
tenant`, `rgw keystone admin user` and `rgw keystone admin password`
make this possible, so as to avoid configuring the keystone shared
admin password compoletely.

S3 APIs with keystone seem to be a bit more different, apparently
s3tokens interface does seem to allow authenticating without an
`X-Auth-Token` in the headers and validates based on the access key,
secret key provided to it. So basically not configuring
`rgw_keystone_admin_password` seem to work, can you also see if this
is the case for you.

> This is completely absolutely out of scope of my original
> question.
>
> But I would like to ask you if above implementation that
> **periodically** talks to keystone with tokens is really
> secure or not.
>
> I'm just asking you. Because I'm just thinking of keysto-
> ne federation.
> But you can ignore me anyhow or point out anything to me -;
> Shinobu
>
> ----- Original Message -----
> From: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>
> To: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
> Cc: "Gregory Farnum" <gfarnum@xxxxxxxxxx>, "ceph-users" <ceph-users@xxxxxxxxxxxxxx>, "ceph-devel" <ceph-devel@xxxxxxxxxxxxxxx>
> Sent: Thursday, September 10, 2015 6:35:31 PM
> Subject: Re:  Ceph.conf
>
> On Thu, Sep 10, 2015 at 2:51 PM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
>> Thank you for your really really quick reply, Greg.
>>
>>  > Yes. A bunch shouldn't ever be set by users.
>>
>>  Anyhow, this is one of my biggest concern right now -;
>>
>>     rgw_keystone_admin_password =
>>                        ^^^^^^^^
>>
>> MUST not be there.
>
>
> I know the dangers of this (ie keystone admin password being visible);
> but isn't this already visible in ceph/radosgw configuration file as
> well if you configure keystone.[1]
>
> [1]: http://ceph.com/docs/master/radosgw/keystone/#integrating-with-openstack-keystone
>
>> Shinobu
>>
>> ----- Original Message -----
>> From: "Gregory Farnum" <gfarnum@xxxxxxxxxx>
>> To: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
>> Cc: "ceph-users" <ceph-users@xxxxxxxxxxxxxx>, "ceph-devel" <ceph-devel@xxxxxxxxxxxxxxx>
>> Sent: Thursday, September 10, 2015 5:57:52 PM
>> Subject: Re:  Ceph.conf
>>
>> On Thu, Sep 10, 2015 at 9:44 AM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
>>> Hello,
>>>
>>> I'm seeing 859 parameters in the output of:
>>>
>>>     $ ./ceph --show-config | wc -l
>>>     *** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
>>>     859
>>>
>>> In:
>>>
>>>     $ ./ceph --version
>>>     *** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
>>>     ceph version 9.0.2-1454-g050e1c5 (050e1c5c7471f8f237d9fa119af98c1efa9a8479)
>>>
>>> Since I'm quite new to Ceph, so my question is:
>>>
>>>     Where can I know what each parameter exactly mean?
>>>
>>> I am probably right. Some parameters are just for tes-
>>> ting purpose.
>>
>> Yes. A bunch shouldn't ever be set by users. A lot of the ones that
>> should be are described as part of various operations in
>> ceph.com/docs, but I don't know which ones of interest are missing
>> from there. It's not very discoverable right now, unfortunately.
>> -Greg
>>
>>>
>>> Thank you for your help in advance.
>>>
>>> Shinobu
>>> _______________________________________________
>>> ceph-users mailing list
>>> ceph-users@xxxxxxxxxxxxxx
>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>> _______________________________________________
>> ceph-users mailing list
>> ceph-users@xxxxxxxxxxxxxx
>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com



[Index of Archives]     [Information on CEPH]     [Linux Filesystem Development]     [Ceph Development]     [Ceph Large]     [Ceph Dev]     [Linux USB Development]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [xfs]


  Powered by Linux