<div dir="ltr">Keystone authtoken is also used by radosgw to validate users</div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward <<a href="mailto:awoodward@mirantis.com">awoodward@mirantis.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">IIRC the puppet modules, and even the heat domain create script make use of the token straight from the config file. It not being present could cause problems for some of the manifests. We would need to ensure that their usage is minimized or removed.</div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk <<a href="mailto:sgolovatiuk@mirantis.com" target="_blank">sgolovatiuk@mirantis.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi Oleksiy,<br><br></div>Good catch. Also OSTF should get endpoints from hiera as some plugins may override the initial deployment settings. There may be cases when keystone is detached by plugin.<br></div><div class="gmail_extra"><br clear="all"><div><div><div dir="ltr">--<br>
Best regards,<br>
Sergii Golovatiuk,<br>
Skype #golserge<br>
IRC #holser<br></div></div></div></div><div class="gmail_extra">
<br><div class="gmail_quote">On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov <span dir="ltr"><<a href="mailto:omolchanov@mirantis.com" target="_blank">omolchanov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span style="font-size:12.8000001907349px">Hello all,</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after deployment. This came from </span><a href="https://bugs.launchpad.net/fuel/+bug/1430619" style="font-size:12.8000001907349px" target="_blank">https://bugs.launchpad.net/fuel/+bug/1430619</a><span style="font-size:12.8000001907349px">. I guess not all of us have access to this bug, so to be short:</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"># A "shared secret" that can be used to bootstrap Keystone.</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"># This "token" does not represent a user, and carries no</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"># explicit authorization. To disable in production (highly</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"># recommended), remove AdminTokenAuthMiddleware from your</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"># paste application pipelines (for example, in keystone-</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px"># paste.ini). (string value)</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">After removing this and testing we found out that OSTF fails because it uses admin token. 
</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">What do you think if we create ostf user like for workloads, but with wider permissions?</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">BR,</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Oleksiy.</span><br></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</blockquote></div><div dir="ltr">-- <br></div><div dir="ltr">--<div>Andrew Woodward</div><div>Mirantis</div><div>Fuel Community Ambassador</div><div>Ceph Community </div></div>
</blockquote></div><div dir="ltr">-- <br></div><div dir="ltr"><p dir="ltr">--</p><p dir="ltr"><span style="font-size:13.1999998092651px">Andrew Woodward</span></p><p dir="ltr"><span style="font-size:13.1999998092651px">Mirantis</span></p><p dir="ltr"><span style="font-size:13.1999998092651px">Fuel Community Ambassador</span></p><p dir="ltr"><span style="font-size:13.1999998092651px">Ceph Community</span></p>
</div>
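<p>The quoted keystone.conf comment says to remove AdminTokenAuthMiddleware from the paste pipelines. The following is an added example, not code from the thread or from the Fuel or Keystone projects: it audits a keystone-paste.ini for pipelines that still load that middleware and produces a version without it. The sample file is constructed, and the function names (<code>audit</code>, <code>harden</code>, <code>admin_token_filters</code>) are hypothetical.</p>

```python
import configparser

MIDDLEWARE = "AdminTokenAuthMiddleware"  # class named in the quoted keystone.conf comment

# Constructed sample in keystone-paste.ini layout (not taken from the thread).
SAMPLE_PASTE_INI = """\
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[pipeline:public_api]
pipeline = token_auth admin_token_auth json_body public_service
[pipeline:admin_api]
pipeline = token_auth admin_token_auth json_body admin_service
"""

def _parse(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def admin_token_filters(cp):
    """Aliases of filters backed by the middleware, whatever they are called."""
    return {s.split(":", 1)[1] for s in cp.sections()
            if s.startswith("filter:")
            and MIDDLEWARE in cp.get(s, "paste.filter_factory", fallback="")}

def audit(text):
    """Map each pipeline that still loads the middleware to the aliases found."""
    cp = _parse(text)
    bad = admin_token_filters(cp)
    findings = {}
    for s in cp.sections():
        if s.startswith("pipeline:"):
            hits = [f for f in cp.get(s, "pipeline", fallback="").split() if f in bad]
            if hits:
                findings[s.split(":", 1)[1]] = hits
    return findings

def harden(text):
    """Drop the middleware from single-line pipeline entries; keep other lines as-is."""
    bad = admin_token_filters(_parse(text))
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "pipeline":
            line = "pipeline = " + " ".join(f for f in value.split() if f not in bad)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(audit(SAMPLE_PASTE_INI))
    print(audit(harden(SAMPLE_PASTE_INI)))
```

<p>As the thread points out, OSTF, the puppet manifests, the heat domain create script and radosgw still rely on the token, so those consumers need a regular user before the hardened file is deployed.</p>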