radosgw keystone integration in mitaka

Hi All,

Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
radosgw nodes (jewel) are unable to validate keystone tokens.


Initially I thought it was because radosgw relies on admin_token
(which is a bad idea, but ...) and that's now deprecated.  I
verified the token was still in keystone.conf and fixed it when I found
it had been commented out of keystone-paste.ini, but even after fixing
that and restarting my keystone I get:


-- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: build_auth_context middleware checking for the admin token is deprecated as of the Mitaka release and will be removed in the O release. If your deployment requires use of the admin token, update keystone-paste.ini so that admin_token_auth is before build_auth_context in the paste pipelines, otherwise remove the admin_token_auth middleware from the paste pipelines.
2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET https://nimbus-1.csail.mit.edu:35358/v2.0/tokens/<secret>
2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: validate_token of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.
2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not authorized to perform the requested action: identity:validate_token

I've dug through keystone/policy.json and identity:validate_token is
authorized to "role:admin or is_admin:1" which I *think* should cover
the token use case...but not 100% sure.

Can radosgw use a proper keystone user so I can avoid the admin_token
mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
indicate no)?

Or anyone see where in my keystone chain I might have dropped a link?

Thanks,
-Jon
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
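
The deprecation warning quoted in the log above asks for admin_token_auth to come before build_auth_context in each paste pipeline. The following check is an added example, not part of the original post and not Keystone or Ceph code; it reports that ordering per pipeline. The sample file content and the function name check_admin_token_order are constructed for illustration.

```python
import configparser

# Constructed sample in paste.deploy INI form; not the poster's actual file.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context admin_token_auth token_auth json_body service_v3
"""


def check_admin_token_order(ini_text):
    """Map each pipeline name to the state of its admin_token_auth filter.

    "ok"                  admin_token_auth runs before build_auth_context
    "wrong-order"         admin_token_auth is present but runs after it
    "admin-token-missing" build_auth_context is present without admin_token_auth
    "no-auth-context"     the pipeline has no build_auth_context stage
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    results = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue  # filter:, app: and composite: sections carry no ordering
        # split() also copes with pipelines wrapped over continuation lines
        stages = parser.get(section, "pipeline", fallback="").split()
        name = section.split(":", 1)[1]
        if "build_auth_context" not in stages:
            results[name] = "no-auth-context"
        elif "admin_token_auth" not in stages:
            results[name] = "admin-token-missing"
        elif stages.index("admin_token_auth") < stages.index("build_auth_context"):
            results[name] = "ok"
        else:
            results[name] = "wrong-order"
    return results


if __name__ == "__main__":
    for name, status in check_admin_token_order(SAMPLE_PASTE_INI).items():
        print(f"{name}: {status}")
```

Once the admin token is retired, as the same warning recommends for deployments that do not need it, every pipeline should report "admin-token-missing".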


