The ability to use Keystone v3 and auth tokens in lieu of the admin token was added in Jewel. The release notes state it, but unfortunately the Jewel docs don't reflect it, so you'll need to visit http://docs.ceph.com/docs/master/radosgw/keystone/ to find the configuration information.
When I tested this out, I had something like:

    [client.rgw.radosgw-1]
    rgw keystone admin user = radosgw
    rgw keystone admin password = <clipped>
    rgw keystone token cache size = 10000
    keyring = /var/lib/ceph/radosgw/ceph-rgw.radosgw-1/keyring
    rgw keystone url = http://keystone-admin-endpoint:35357
    rgw data = /var/lib/ceph/radosgw/ceph-rgw.radosgw-1
    rgw keystone admin tenant = service
    rgw keystone admin domain = default
    rgw keystone api version = 3
    host = radosgw-1
    rgw s3 auth use keystone = true
    rgw socket path = /tmp/radosgw-radosgw-1.sock
    log file = /var/log/ceph/ceph-rgw-radosgw-1.log
    rgw keystone accepted roles = Member, _member_, admin
    rgw frontends = civetweb port=10.13.32.15:8080 num_threads=50
    rgw keystone revocation interval = 900

Logan

On Friday, October 14, 2016, Jonathan Proulx <[email protected]> wrote:
> Hi All,
>
> Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
> radosgw nodes (jewel) are unable to validate keystone tokens.
>
> Initially I thought it was because radosgw relies on admin_token
> (which is a bad idea, but ...) and that's now deprecated. I
> verified the token was still in keystone.conf and fixed it when I found
> it had been commented out of keystone-paste.ini, but even after fixing
> that and restarting my keystone I get:
>
> -- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
> 2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth
> [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated:
> build_auth_context middleware checking for the admin token is deprecated as
> of the Mitaka release and will be removed in the O release. If your
> deployment requires use of the admin token, update keystone-paste.ini so
> that admin_token_auth is before build_auth_context in the paste pipelines,
> otherwise remove the admin_token_auth middleware from the paste pipelines.
> 2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi
> [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET
> https://nimbus-1.csail.mit.edu:35358/v2.0/tokens/<secret>
> 2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils
> [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated:
> validate_token of the v2 API is deprecated as of Mitaka in favor of a
> similar function in the v3 API and may be removed in Q.
> 2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi
> [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not
> authorized to perform the requested action: identity:validate_token
>
> I've dug through keystone/policy.json and identity:validate_token is
> authorized to "role:admin or is_admin:1", which I *think* should cover
> the token use case... but not 100% sure.
>
> Can radosgw use a proper keystone user so I can avoid the admin_token
> mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
> indicate no)?
>
> Or anyone see where in my keystone chain I might have dropped a link?
>
> Thanks,
> -Jon
> _______________________________________________
> ceph-users mailing list
> [email protected]
> http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
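The following is an added illustration of what the service-user configuration above changes, not code from the thread or from Ceph itself. It parses a [client.rgw.*] section, flags the older shared `rgw keystone admin token` layout that ties the gateway to Keystone's bootstrap admin_token, builds the project-scoped password request the gateway would send to POST /v3/auth/tokens to get its own service token, and applies the `rgw keystone accepted roles` rule to a validation response. The request and header shapes are the documented Keystone v3 API; that the gateway uses `rgw keystone admin domain` for both the user and the project scope, and the role/expiry check, are assumptions approximating radosgw's behaviour. All config fragments, tokens and responses are constructed.

```python
"""Keystone v3 service-user flow behind the ceph.conf above: parse the
[client.rgw.*] section, build the gateway's own password auth request, and
apply the accepted-roles rule to a token validation response."""
from datetime import datetime, timezone

# Constructed ceph.conf fragments (placeholder password and endpoint).
CEPH_CONF_V3 = """
[client.rgw.radosgw-1]
rgw keystone url = http://keystone-admin-endpoint:35357
rgw keystone api version = 3
rgw keystone admin user = radosgw
rgw keystone admin password = example-service-password
rgw keystone admin tenant = service
rgw keystone admin domain = default
rgw keystone accepted roles = Member, _member_, admin
rgw s3 auth use keystone = true
rgw frontends = civetweb port=10.13.32.15:8080 num_threads=50
"""
# Pre-Jewel shape: one shared secret equal to Keystone's bootstrap admin_token.
CEPH_CONF_ADMIN_TOKEN = """
[client.rgw.radosgw-1]
rgw keystone url = http://keystone-admin-endpoint:35357
rgw keystone admin token = example-shared-secret
rgw keystone accepted roles = Member, _member_, admin
"""


def parse_section(conf_text, section):
    """Return {key: value} for one section; Ceph treats 'rgw keystone url'
    and 'rgw_keystone_url' alike, so keys are normalised to underscores."""
    settings, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip()
        elif current == section and '=' in line:
            key, value = line.split('=', 1)  # first '=' only: values may contain '='
            settings[key.strip().replace(' ', '_')] = value.strip()
    return settings


def uses_shared_admin_token(settings):
    """True when the gateway is still configured with the shared admin token."""
    return 'rgw_keystone_admin_token' in settings


def accepted_roles(settings):
    raw = settings.get('rgw_keystone_accepted_roles', '')
    return [r.strip() for r in raw.split(',') if r.strip()]


def build_v3_password_auth(settings):
    """JSON body of POST /v3/auth/tokens that gets the gateway its own
    project-scoped service token (v3 only; admin-token configs raise).
    Assumption: admin domain is used for both user and project scope."""
    if settings.get('rgw_keystone_api_version') != '3':
        raise ValueError('service-user auth needs rgw keystone api version = 3')
    domain = {'name': settings['rgw_keystone_admin_domain']}
    user = {'name': settings['rgw_keystone_admin_user'], 'domain': domain,
            'password': settings['rgw_keystone_admin_password']}
    return {'auth': {'identity': {'methods': ['password'], 'password': {'user': user}},
                     'scope': {'project': {'name': settings['rgw_keystone_admin_tenant'],
                                           'domain': domain}}}}


def validation_headers(service_token, client_token):
    """Headers for GET /v3/auth/tokens: the gateway's token authenticates
    the call, the client's token is the subject being validated."""
    return {'X-Auth-Token': service_token, 'X-Subject-Token': client_token}


def token_authorized(validation_body, roles, now):
    """Accept the validated token only if unexpired and carrying at least
    one role from 'rgw keystone accepted roles'. Returns (ok, reason)."""
    token = validation_body['token']
    expires = datetime.strptime(token['expires_at'], '%Y-%m-%dT%H:%M:%S.%fZ')
    if expires.replace(tzinfo=timezone.utc) <= now:
        return False, 'token expired at %s' % token['expires_at']
    matched = {r['name'] for r in token.get('roles', [])} & set(roles)
    if not matched:
        return False, 'no accepted role on token'
    return True, 'accepted via role %s' % sorted(matched)[0]


# Constructed validation responses (trimmed to the fields checked above).
NOW = datetime(2016, 10, 14, 15, 12, 47, tzinfo=timezone.utc)
MEMBER_TOKEN = {'token': {'expires_at': '2016-10-14T16:12:47.000000Z',
                          'user': {'name': 'jon'}, 'project': {'name': 'demo'},
                          'roles': [{'name': '_member_'}]}}
READER_TOKEN = {'token': {'expires_at': '2016-10-14T16:12:47.000000Z',
                          'user': {'name': 'guest'}, 'project': {'name': 'demo'},
                          'roles': [{'name': 'reader'}]}}
EXPIRED_TOKEN = {'token': {'expires_at': '2016-10-14T14:12:47.000000Z',
                           'user': {'name': 'jon'}, 'project': {'name': 'demo'},
                           'roles': [{'name': 'admin'}]}}

if __name__ == '__main__':
    cfg = parse_section(CEPH_CONF_V3, 'client.rgw.radosgw-1')
    print('shared admin token in use:', uses_shared_admin_token(cfg))
    print('auth request:', build_v3_password_auth(cfg))
    print('validate headers:', validation_headers('<service token>', '<client token>'))
    for name, body in [('member', MEMBER_TOKEN), ('reader', READER_TOKEN), ('expired', EXPIRED_TOKEN)]:
        print(name, token_authorized(body, accepted_roles(cfg), NOW))
```

The point of the split is visible in the last two functions: with a service user the gateway never holds a Keystone-wide bootstrap secret, and the roles list in ceph.conf is what actually gates a client token, so a token with only a role outside that list (the `reader` case) is rejected even though Keystone says it is valid.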
