[openstack-dev] [fuel] OS_SERVICE_TOKEN usage in Fuel

Sergii Golovatiuk sgolovatiuk at mirantis.com
Tue Jul 28 16:28:49 UTC 2015


Hi Oleksiy,

Good catch. Also OSTF should get endpoints from hiera as some plugins may
override the initial deployment settings. There may be cases when keystone
is detached by plugin.

--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser

On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov <omolchanov at mirantis.com>
wrote:

> Hello all,
>
> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after
> deployment. This came from https://bugs.launchpad.net/fuel/+bug/1430619.
> I guess not all of us have an access to this bug, so to be short:
>
> # A "shared secret" that can be used to bootstrap Keystone.
> # This "token" does not represent a user, and carries no
> # explicit authorization. To disable in production (highly
> # recommended), remove AdminTokenAuthMiddleware from your
> # paste application pipelines (for example, in keystone-
> # paste.ini). (string value)
>
> After removing this and testing we found out that OSTF fails because it
> uses admin token.
>
> What do you think if we create ostf user like for workloads, but with
> wider permissions?
>
> BR,
> Oleksiy.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150728/25554294/attachment.html>


More information about the OpenStack-dev mailing list