On Thu, Sep 10, 2015 at 3:27 PM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
> Thank you for letting me know your thought, Abhishek!!
>
>
> > The Ceph Object Gateway will query Keystone periodically
> > for a list of revoked tokens. These requests are encoded
> > and signed. Also, Keystone may be configured to provide
> > self-signed tokens, which are also encoded and signed.

Looked a bit more into this. Swift APIs seem to support the use of an admin
tenant, user & token for validating the bearer token, similar to other
OpenStack services which use service tenant credentials for authenticating.
Though it needs documentation, the configurables `rgw keystone admin tenant`,
`rgw keystone admin user` and `rgw keystone admin password` make this
possible, so as to avoid configuring the keystone shared admin password
completely.

S3 APIs with keystone seem to be a bit different; apparently the s3tokens
interface does seem to allow authenticating without an `X-Auth-Token` in the
headers and validates based on the access key and secret key provided to it.
So basically not configuring `rgw_keystone_admin_password` seems to work; can
you also see if this is the case for you?

> This is completely absolutely out of scope of my original
> question.
>
> But I would like to ask you if the above implementation that
> **periodically** talks to keystone with tokens is really
> secure or not.
>
> I'm just asking you. Because I'm just thinking of keystone
> federation.
> But you can ignore me anyhow or point out anything to me -;
>
> Shinobu
>
> ----- Original Message -----
> From: "Abhishek L" <abhishek.lekshmanan@xxxxxxxxx>
> To: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
> Cc: "Gregory Farnum" <gfarnum@xxxxxxxxxx>, "ceph-users" <ceph-users@xxxxxxxxxxxxxx>, "ceph-devel" <ceph-devel@xxxxxxxxxxxxxxx>
> Sent: Thursday, September 10, 2015 6:35:31 PM
> Subject: Re: Ceph.conf
>
> On Thu, Sep 10, 2015 at 2:51 PM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
>> Thank you for your really really quick reply, Greg.
>>
>> > Yes. A bunch shouldn't ever be set by users.
>>
>> Anyhow, this is one of my biggest concerns right now -;
>>
>> rgw_keystone_admin_password =
>> ^^^^^^^^
>>
>> MUST not be there.
>
>
> I know the dangers of this (i.e. the keystone admin password being visible);
> but isn't this already visible in the ceph/radosgw configuration file as
> well if you configure keystone? [1]
>
> [1]: http://ceph.com/docs/master/radosgw/keystone/#integrating-with-openstack-keystone
>
>> Shinobu
>>
>> ----- Original Message -----
>> From: "Gregory Farnum" <gfarnum@xxxxxxxxxx>
>> To: "Shinobu Kinjo" <skinjo@xxxxxxxxxx>
>> Cc: "ceph-users" <ceph-users@xxxxxxxxxxxxxx>, "ceph-devel" <ceph-devel@xxxxxxxxxxxxxxx>
>> Sent: Thursday, September 10, 2015 5:57:52 PM
>> Subject: Re: Ceph.conf
>>
>> On Thu, Sep 10, 2015 at 9:44 AM, Shinobu Kinjo <skinjo@xxxxxxxxxx> wrote:
>>> Hello,
>>>
>>> I'm seeing 859 parameters in the output of:
>>>
>>> $ ./ceph --show-config | wc -l
>>> *** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
>>> 859
>>>
>>> In:
>>>
>>> $ ./ceph --version
>>> *** DEVELOPER MODE: setting PATH, PYTHONPATH and LD_LIBRARY_PATH ***
>>> ceph version 9.0.2-1454-g050e1c5 (050e1c5c7471f8f237d9fa119af98c1efa9a8479)
>>>
>>> Since I'm quite new to Ceph, my question is:
>>>
>>> Where can I find out what each parameter exactly means?
>>>
>>> I am probably right. Some parameters are just for testing
>>> purposes.
>>
>> Yes. A bunch shouldn't ever be set by users. A lot of the ones that
>> should be are described as part of various operations in
>> ceph.com/docs, but I don't know which ones of interest are missing
>> from there. It's not very discoverable right now, unfortunately.
>> -Greg
>>
>>>
>>> Thank you for your help in advance.
>>>
>>> Shinobu
>>> _______________________________________________
>>> ceph-users mailing list
>>> ceph-users@xxxxxxxxxxxxxx
>>> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
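The two ways of handing radosgw a Keystone credential that this thread contrasts, as an added example that is not part of the original thread or of Ceph's own code: the shared `rgw keystone admin token` documented at [1], versus the dedicated tenant/user/password that Abhishek describes. The option names (`rgw keystone url`, `rgw keystone admin token`, `rgw keystone admin tenant`, `rgw keystone admin user`, `rgw keystone admin password`, `rgw keystone accepted roles`, `rgw s3 auth use keystone`) are real Ceph options; both ceph.conf samples are constructed, with placeholder section names, URLs, tenant, user and secret values. The audit function `classify_keystone_auth` is hypothetical, written here to show how to tell the two styles apart in a config file that someone else wrote, including Ceph's rule that spaces, underscores and dashes in option names are interchangeable.

```python
"""Classify how each radosgw client section in a ceph.conf authenticates
to Keystone: via the shared admin token, or via a dedicated service user.

Ceph treats spaces, underscores and dashes in option names as equivalent
(``rgw keystone admin token`` == ``rgw_keystone_admin_token``), so names are
normalised before comparison. Hypothetical audit code, not part of Ceph.
"""
import configparser
from typing import Dict

# Constructed sample: the shared-admin-token style from the radosgw docs.
# Section name, URL and token value are placeholders.
ADMIN_TOKEN_CONF = """
[global]
fsid = 00000000-0000-0000-0000-000000000000

[client.radosgw.gateway]
rgw keystone url = http://keystone.example.internal:35357
rgw keystone admin token = REPLACE_WITH_KEYSTONE_ADMIN_TOKEN
rgw keystone accepted roles = Member, admin
rgw s3 auth use keystone = true
"""

# Constructed sample: the service-credential style Abhishek describes.
# Tenant, user and password values are placeholders.
SERVICE_USER_CONF = """
[client.radosgw.gateway]
rgw_keystone_url = https://keystone.example.internal:35357
rgw_keystone_admin_tenant = service
rgw_keystone_admin_user = radosgw
rgw_keystone_admin_password = REPLACE_WITH_SERVICE_USER_PASSWORD
rgw_keystone_accepted_roles = Member, admin
rgw_s3_auth_use_keystone = true
"""

SERVICE_USER_KEYS = (
    "rgw_keystone_admin_tenant",
    "rgw_keystone_admin_user",
    "rgw_keystone_admin_password",
)


def normalise(name: str) -> str:
    """Map the spellings Ceph accepts for one option onto a single key."""
    return name.strip().lower().replace(" ", "_").replace("-", "_")


def load_client_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ceph.conf text into {section: {normalised_option: value}},
    keeping only [client.*] sections, which is where radosgw options live."""
    cp = configparser.ConfigParser(
        interpolation=None,   # a '%' inside a password must not be expanded
        strict=False,         # tolerate duplicate keys instead of aborting
        delimiters=("=",),    # ceph.conf uses '='; keeps ':' in URLs intact
    )
    cp.optionxform = normalise  # apply Ceph's name equivalence while reading
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections() if s.startswith("client.")}


def classify_keystone_auth(text: str) -> Dict[str, Dict[str, object]]:
    """For each radosgw section with Keystone settings, report the credential
    mode, which service-user settings are missing, and whether the Keystone
    endpoint is plain HTTP (credentials and tokens would cross the wire in clear)."""
    report: Dict[str, Dict[str, object]] = {}
    for section, opts in load_client_sections(text).items():
        if not any(k.startswith("rgw_keystone_") for k in opts):
            continue  # gateway not integrated with Keystone
        has_admin_token = bool(opts.get("rgw_keystone_admin_token"))
        missing = [k for k in SERVICE_USER_KEYS if not opts.get(k)]
        if has_admin_token:
            mode = "admin_token"   # flag the shared secret even if a user is also set
        elif not missing:
            mode = "service_user"  # a normal Keystone account with its own roles
        elif len(missing) < len(SERVICE_USER_KEYS):
            mode = "incomplete"    # service user only half configured
        else:
            mode = "none"          # keystone url set but no credential at all
        url = opts.get("rgw_keystone_url", "")
        report[section] = {
            "mode": mode,
            "missing": missing,
            "plain_http": url.startswith("http://"),
            "s3_via_keystone": opts.get("rgw_s3_auth_use_keystone", "").lower() == "true",
        }
    return report


if __name__ == "__main__":
    for label, conf in (("admin-token", ADMIN_TOKEN_CONF), ("service-user", SERVICE_USER_CONF)):
        for section, result in classify_keystone_auth(conf).items():
            print(f"{label:12s} {section}: {result}")
```

The distinction the audit draws is about blast radius, not about whether a secret sits in ceph.conf: both styles leave a credential readable by anyone who can open the file or run `ceph --show-config` on that host, which is the exposure Shinobu raised. The shared admin token is Keystone's bootstrap secret and is good for every administrative call, whereas the tenant/user/password triple is an ordinary Keystone account whose roles can be limited to token validation and whose password can be rotated per gateway without touching Keystone's own configuration.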