Hi All,

Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
radowsgw nodes (jewel) are unable to validate keystone tokens.

Initially I though it was because radowsgw relies on admin_token
(which is a a bad idea, but ...) and that's now deperecated.  I
verified the token was still in keystone.conf and fixed it when I foun
it had been commented out of  keystone-paste.ini but even after fixing
that and resarting my keystone I get:

-- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: 
build_auth_context middleware checking for the admin token is deprecated as of 
the Mitaka release and will be removed in the O release. If your deployment 
requires use of the admin token, update keystone-paste.ini so that 
admin_token_auth is before build_auth_context in the paste pipelines, otherwise 
remove the admin_token_auth middleware from the paste pipelines.
2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET 
2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: validate_token 
of the v2 API is deprecated as of Mitaka in favor of a similar function in the 
v3 API and may be removed in Q.
2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi 
[req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not authorized to 
perform the requested action: identity:validate_token

I've dug through keystone/policy.json and identity:validate_token is
authorized to "role:admin or is_admin:1" which I *think* should cover
the token use case...but not 100% sure.

Can radosgw use a propper keystone user so I can avoid the admin_token
mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
indicate no)?

Or anyone see where in my keystone chain I might have dropped a link?

ceph-users mailing list

Reply via email to