Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
radosgw nodes (jewel) are unable to validate keystone tokens.
Initially I thought it was because radosgw relies on admin_token
(which is a bad idea, but ...) and that's now deprecated. I
verified the token was still in keystone.conf and fixed it when I found
it had been commented out of keystone-paste.ini but even after fixing
that and restarting my keystone I get:
-- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated:
build_auth_context middleware checking for the admin token is deprecated as of
the Mitaka release and will be removed in the O release. If your deployment
requires use of the admin token, update keystone-paste.ini so that
admin_token_auth is before build_auth_context in the paste pipelines, otherwise
remove the admin_token_auth middleware from the paste pipelines.
2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET
2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: validate_token
of the v2 API is deprecated as of Mitaka in favor of a similar function in the
v3 API and may be removed in Q.
2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not authorized to
perform the requested action: identity:validate_token
I've dug through keystone/policy.json and identity:validate_token is
authorized to "role:admin or is_admin:1" which I *think* should cover
the token use case...but not 100% sure.
Can radosgw use a proper keystone user so I can avoid the admin_token
mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
Or anyone see where in my keystone chain I might have dropped a link?
ceph-users mailing list
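
The deprecation warning in the log above asks that admin_token_auth sit before build_auth_context in each paste pipeline, or be removed. As an added example (not part of the original post and not keystone code), this checks that ordering per pipeline; the sample ini text is constructed and the status labels are hypothetical names.

```python
import configparser

# Constructed sample in PasteDeploy format; not taken from the poster's system.
SAMPLE_PASTE_INI = """
[pipeline:public_api]
pipeline = cors sizelimit request_id build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit request_id build_auth_context admin_token_auth token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""


def check_pipelines(ini_text):
    """Return {pipeline_name: status} for every [pipeline:*] section.

    absent     - admin_token_auth is not in the pipeline (admin token unused)
    enabled    - admin_token_auth is present and not after build_auth_context
    misordered - admin_token_auth comes after build_auth_context
    """
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(ini_text)
    results = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue
        # split() also copes with pipelines wrapped over several lines
        filters = parser.get(section, "pipeline", fallback="").split()
        name = section.split(":", 1)[1]
        if "admin_token_auth" not in filters:
            results[name] = "absent"
        elif ("build_auth_context" in filters and
              filters.index("admin_token_auth") > filters.index("build_auth_context")):
            results[name] = "misordered"
        else:
            results[name] = "enabled"
    return results


if __name__ == "__main__":
    # To check a live node, read /etc/keystone/keystone-paste.ini instead
    # (assumed default path; adjust for the deployment).
    for name, status in sorted(check_pipelines(SAMPLE_PASTE_INI).items()):
        print(f"{name}: admin_token_auth {status}")
```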