Hi All,

Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
radosgw nodes (jewel) are unable to validate keystone tokens.


Initially I thought it was because radosgw relies on admin_token
(which is a bad idea, but ...) and that's now deprecated.  I
verified the token was still in keystone.conf and fixed it when I found
it had been commented out of keystone-paste.ini but even after fixing
that and restarting my keystone I get:


-- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: 
build_auth_context middleware checking for the admin token is deprecated as of 
the Mitaka release and will be removed in the O release. If your deployment 
requires use of the admin token, update keystone-paste.ini so that 
admin_token_auth is before build_auth_context in the paste pipelines, otherwise 
remove the admin_token_auth middleware from the paste pipelines.
2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET 
https://nimbus-1.csail.mit.edu:35358/v2.0/tokens/<secret>
2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: validate_token 
of the v2 API is deprecated as of Mitaka in favor of a similar function in the 
v3 API and may be removed in Q.
2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not authorized to 
perform the requested action: identity:validate_token

I've dug through keystone/policy.json and identity:validate_token is
authorized to "role:admin or is_admin:1" which I *think* should cover
the token use case...but not 100% sure.

Can radosgw use a proper keystone user so I can avoid the admin_token
mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
indicate no)?

Or anyone see where in my keystone chain I might have dropped a link?

Thanks,
-Jon
_______________________________________________
ceph-users mailing list
ceph-users@lists.ceph.com
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
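
Added example (not part of the original post, and not keystone's or ceph's own tooling): the deprecation warning in the log above asks for admin_token_auth to come before build_auth_context in each paste pipeline, and this Python check reports that ordering per pipeline. The inline keystone-paste.ini text is a constructed sample and check_pipelines is a hypothetical helper name.

```python
import configparser

# Constructed sample, not the poster's file: one pipeline with the filters in
# the order the warning asks for, one reversed, one without admin_token_auth.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[filter:build_auth_context]
use = egg:keystone#build_auth_context

[pipeline:public_api]
pipeline = sizelimit admin_token_auth build_auth_context json_body public_service

[pipeline:admin_api]
pipeline = sizelimit build_auth_context admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit build_auth_context json_body service_v3
"""


def check_pipelines(ini_text):
    """Return {pipeline_name: 'before' | 'after' | 'absent'} describing where
    admin_token_auth sits relative to build_auth_context (hypothetical helper)."""
    # interpolation=None so a literal '%' in the file is not treated specially.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    results = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue  # skip [filter:*], [app:*], [composite:*] sections
        stages = parser.get(section, "pipeline", fallback="").split()
        name = section.split(":", 1)[1]
        if "admin_token_auth" not in stages:
            results[name] = "absent"
        elif "build_auth_context" not in stages:
            results[name] = "before"  # nothing to be ordered against
        elif stages.index("admin_token_auth") < stages.index("build_auth_context"):
            results[name] = "before"  # the ordering the warning asks for
        else:
            results[name] = "after"   # the ordering the warning flags
    return results


if __name__ == "__main__":
    for name, status in check_pipelines(SAMPLE_PASTE_INI).items():
        print(f"{name}: admin_token_auth {status}")
```

To check a real deployment, pass the contents of its keystone-paste.ini to check_pipelines instead of the sample.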
