[openstack-dev] [fuel] OS_SERVICE_TOKEN usage in Fuel

Andrew Woodward xarses at gmail.com
Tue Jul 28 20:21:41 UTC 2015


Keystone authtoken is also used by radosgw to validate users.

On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward <awoodward at mirantis.com>
wrote:

> IIRC the puppet modules, and even the heat domain create script make use
> of the token straight from the config file. It not being present could
> cause problems for some of the manifests. We would need to ensure that
> their usage is minimized or removed.
>
> On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk <
> sgolovatiuk at mirantis.com> wrote:
>
>> Hi Oleksiy,
>>
>> Good catch. Also, OSTF should get endpoints from hiera, as some plugins may
>> override the initial deployment settings. There may be cases when keystone
>> is detached by a plugin.
>>
>> --
>> Best regards,
>> Sergii Golovatiuk,
>> Skype #golserge
>> IRC #holser
>>
>> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov <
>> omolchanov at mirantis.com> wrote:
>>
>>> Hello all,
>>>
>>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after
>>> deployment. This came from https://bugs.launchpad.net/fuel/+bug/1430619.
>>> I guess not all of us have access to this bug, so to be short:
>>>
>>> # A "shared secret" that can be used to bootstrap Keystone.
>>> # This "token" does not represent a user, and carries no
>>> # explicit authorization. To disable in production (highly
>>> # recommended), remove AdminTokenAuthMiddleware from your
>>> # paste application pipelines (for example, in keystone-
>>> # paste.ini). (string value)
>>>
>>> After removing this and testing, we found out that OSTF fails because it
>>> uses the admin token.
>>>
>>> What do you think if we create an ostf user, like for workloads, but with
>>> wider permissions?
>>>
>>> BR,
>>> Oleksiy.
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>
> --
> --
> Andrew Woodward
> Mirantis
> Fuel Community Ambassador
> Ceph Community
>
--
Andrew Woodward
Mirantis
Fuel Community Ambassador
Ceph Community

