Re: radowsg keystone integration in mitaka

The ability to use Keystone v3 and authtokens in lieu of admin token was added in jewel. The release notes state it but unfortunately the Jewel docs don't reflect it, so you'll need to visit http://docs.ceph.com/docs/master/radosgw/keystone/ to find the configuration information.

When I tested this out, I had something like:

[client.rgw.radosgw-1]
rgw keystone admin user = radosgw
rgw keystone admin password = <clipped>
rgw keystone token cache size = 10000
keyring = /var/lib/ceph/radosgw/ceph-rgw.radosgw-1/keyring
rgw keystone url = http://keystone-admin-endpoint:35357
rgw data = <value lost in archive extraction>
rgw keystone admin tenant = service
rgw keystone admin domain = default
rgw keystone api version = 3
host = radosgw-1
rgw s3 auth use keystone = true
rgw socket path = /tmp/radosgw-radosgw-1.sock
log file = /var/log/ceph/ceph-rgw-radosgw-1.log
rgw keystone accepted roles = Member, _member_, admin
rgw frontends = civetweb port=10.13.32.15:8080 num_threads=50
rgw keystone revocation interval = 900

Logan
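As an added example (not code from Logan's or Jon's messages, and not part of Ceph), here is a small Python check that parses a ceph.conf radosgw section and flags whether the v3 service-user settings from the reply above are complete, whether the legacy `rgw keystone admin token` is still set, and whether the Keystone URL is plain http; the sample section and its values are constructed for the demonstration.

```python
"""Lint a ceph.conf radosgw section for Keystone v3 (service-user) settings."""
import configparser

# Constructed sample (not the poster's config): the admin token line is
# included on purpose so the deprecated-admin-token check fires.
SAMPLE_CONF = """
[client.rgw.radosgw-1]
rgw keystone url = http://keystone-admin-endpoint:35357
rgw keystone api version = 3
rgw keystone admin user = radosgw
rgw keystone admin password = secret
rgw keystone admin tenant = service
rgw keystone admin domain = default
rgw keystone accepted roles = Member, _member_, admin
rgw keystone admin token = legacy-token
rgw s3 auth use keystone = true
"""

# Keys a v3 service-user setup needs. ceph.conf treats spaces and
# underscores in keys as equivalent, so every key is normalised to '_'.
V3_REQUIRED = ("rgw_keystone_url", "rgw_keystone_admin_user",
               "rgw_keystone_admin_password", "rgw_keystone_admin_tenant",
               "rgw_keystone_admin_domain", "rgw_keystone_accepted_roles")


def parse_section(text, section):
    """Return {normalised_key: value} for one ceph.conf section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = lambda k: k.strip().replace(" ", "_").lower()
    cp.read_string(text)
    return dict(cp[section])


def lint_keystone(opts):
    """Return a list of findings; an empty list means the section looks sane."""
    findings = []
    if opts.get("rgw_keystone_api_version", "2") != "3":
        findings.append("api version is not 3; radosgw falls back to v2 validate_token")
    for key in V3_REQUIRED:
        if not opts.get(key):
            findings.append(f"missing {key}")
    if opts.get("rgw_keystone_admin_token"):
        findings.append("admin_token still set; drop it once the service user validates tokens")
    if opts.get("rgw_keystone_url", "").startswith("http://"):
        findings.append("plain http keystone url; service credentials and tokens travel in clear")
    return findings
```

Run it against your own section to confirm the v3 keys are all present before removing admin_token_auth from keystone-paste.ini.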

On Friday, October 14, 2016, Jonathan Proulx <jon@xxxxxxxxxxxxx> wrote:
Hi All,

Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
radosgw nodes (jewel) are unable to validate keystone tokens.


Initially I thought it was because radosgw relies on admin_token
(which is a bad idea, but ...) and that's now deprecated.  I
verified the token was still in keystone.conf and fixed it when I found
it had been commented out of keystone-paste.ini but even after fixing
that and restarting my keystone I get:


-- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: build_auth_context middleware checking for the admin token is deprecated as of the Mitaka release and will be removed in the O release. If your deployment requires use of the admin token, update keystone-paste.ini so that admin_token_auth is before build_auth_context in the paste pipelines, otherwise remove the admin_token_auth middleware from the paste pipelines.
2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET https://nimbus-1.csail.mit.edu:35358/v2.0/tokens/<secret>
2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: validate_token of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.
2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not authorized to perform the requested action: identity:validate_token

I've dug through keystone/policy.json and identity:validate_token is
authorized to "role:admin or is_admin:1" which I *think* should cover
the token use case...but not 100% sure.

Can radosgw use a proper keystone user so I can avoid the admin_token
mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
indicate no)?

Or anyone see where in my keystone chain I might have dropped a link?

Thanks,
-Jon
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
