[openstack-dev] [fuel] OS_SERVICE_TOKEN usage in Fuel

Andrew Woodward awoodward at mirantis.com
Tue Jul 28 21:21:40 UTC 2015


It's literally how radosgw goes about verifying users; it has no scheme of
using a user or working with auth-tokens. It would have to be fixed in the
ceph-radosgw codebase. PKI tokens (which we don't use) rely on this less,
but it's still used.

On Tue, Jul 28, 2015 at 2:16 PM Sergii Golovatiuk <sgolovatiuk at mirantis.com>
wrote:

> Why can't radosgw use its own credentials? If it's technical debt we need
> to put it on the plate to address in the next release.
>
>
> --
> Best regards,
> Sergii Golovatiuk,
> Skype #golserge
> IRC #holser
>
> On Tue, Jul 28, 2015 at 10:21 PM, Andrew Woodward <xarses at gmail.com>
> wrote:
>
>> Keystone authtoken is also used by radosgw to validate users
>>
>> On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward <awoodward at mirantis.com>
>> wrote:
>>
>>> IIRC the puppet modules, and even the heat domain create script make use
>>> of the token straight from the config file. It not being present could
>>> cause problems for some of the manifests. We would need to ensure that
>>> their usage is minimized or removed.
>>>
>>> On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk <
>>> sgolovatiuk at mirantis.com> wrote:
>>>
>>>> Hi Oleksiy,
>>>>
>>>> Good catch. Also OSTF should get endpoints from hiera as some plugins
>>>> may override the initial deployment settings. There may be cases when
>>>> keystone is detached by a plugin.
>>>>
>>>> --
>>>> Best regards,
>>>> Sergii Golovatiuk,
>>>> Skype #golserge
>>>> IRC #holser
>>>>
>>>> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov <
>>>> omolchanov at mirantis.com> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after
>>>>> deployment. This came from
>>>>> https://bugs.launchpad.net/fuel/+bug/1430619. I guess not all of us
>>>>> have access to this bug, so to be short:
>>>>>
>>>>> # A "shared secret" that can be used to bootstrap Keystone.
>>>>> # This "token" does not represent a user, and carries no
>>>>> # explicit authorization. To disable in production (highly
>>>>> # recommended), remove AdminTokenAuthMiddleware from your
>>>>> # paste application pipelines (for example, in keystone-
>>>>> # paste.ini). (string value)
>>>>>
>>>>> After removing this and testing we found out that OSTF fails because
>>>>> it uses the admin token.
>>>>>
>>>>> What do you think if we create an ostf user like for workloads, but with
>>>>> wider permissions?
>>>>>
>>>>> BR,
>>>>> Oleksiy.
>>>>>
>>>>>
>>>>> __________________________________________________________________________
>>>>> OpenStack Development Mailing List (not for usage questions)
>>>>> Unsubscribe:
>>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>>
>>>>>
>>>>
>>> --
>>> --
>>> Andrew Woodward
>>> Mirantis
>>> Fuel Community Ambassador
>>> Ceph Community
>>>
>> --
>> --
>> Andrew Woodward
>> Mirantis
>> Fuel Community Ambassador
>> Ceph Community
>>
>
-- 
--
Andrew Woodward
Mirantis
Fuel Community Ambassador
Ceph Community
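
A configuration check for the AdminTokenAuthMiddleware removal discussed in this thread, as an added example that is not part of the original messages or of Fuel or Keystone code: it lists the paste pipelines that still include a filter backed by that middleware and shows each pipeline value with the filter dropped. The sample ini is constructed, and the function name audit_pipelines is an assumption made for illustration.

```python
import configparser

MIDDLEWARE = "AdminTokenAuthMiddleware"  # class named in the quoted config comment

# Constructed sample in the layout of a keystone-paste.ini; not from a real deployment.
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit token_auth admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit token_auth json_body service_v3
"""


def audit_pipelines(ini_text):
    """Return {pipeline: (offending filters, pipeline value without them)}."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Resolve filter aliases by factory, since the section name is arbitrary.
    bad = {
        s.split(":", 1)[1]
        for s in cfg.sections()
        if s.startswith("filter:")
        and MIDDLEWARE in cfg.get(s, "paste.filter_factory", fallback="")
    }
    findings = {}
    for s in cfg.sections():
        if not s.startswith("pipeline:"):
            continue
        stages = cfg.get(s, "pipeline", fallback="").split()
        hits = [st for st in stages if st in bad]
        if hits:
            cleaned = " ".join(st for st in stages if st not in bad)
            findings[s.split(":", 1)[1]] = (hits, cleaned)
    return findings


if __name__ == "__main__":
    for name, (hits, cleaned) in audit_pipelines(SAMPLE_PASTE_INI).items():
        print(f"{name}: remove {hits}; pipeline = {cleaned}")
```

As the thread notes, OSTF, some puppet manifests and radosgw rely on the token, so those consumers need their own credentials before the filter is removed.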