<div dir="ltr"><div><span style="font-size:12.8000001907349px">Update from </span><span style="font-size:12.8000001907349px">Radoslaw Zarzynski</span></div><div><span style="font-size:12.8000001907349px">-------</span></div><span style="font-size:12.8000001907349px"><div><span style="font-size:12.8000001907349px"><br></span></div>Hi,</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">I'm afraid that eradication of OS_SERVICE_TOKEN won't be a quick</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">or painless process due to dependencies. We would need to identify</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">and fix all applications that require this auth method.</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">For example, Ceph RADOS Gateway (radosgw) currently requires [1]</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">it in order to provide Keystone integration in its S3 API implementation.</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">We have customers using that in production.</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Best regards,</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Radoslaw Zarzynski</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">[1] </span><a href="https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_s3.cc#L2222" rel="noreferrer" target="_blank" style="font-size:12.8000001907349px">https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_s3.cc#L2222</a><br></div><div class="gmail_extra"><br><div
class="gmail_quote">On Wed, Jul 29, 2015 at 6:38 PM, Konstantin Danilov <span dir="ltr"><<a href="mailto:kdanilov@mirantis.com" target="_blank">kdanilov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Would send ceph estimation tomorrow.<br>
Yet estimation != ETA<br>
<span class=""><br>
On Wed, Jul 29, 2015 at 12:27 AM, Sergii Golovatiuk<br>
<<a href="mailto:sgolovatiuk@mirantis.com">sgolovatiuk@mirantis.com</a>> wrote:<br>
> Hi,<br>
><br>
> Let's ask our Ceph developers how much time/resources they need to implement<br>
> such functionality.<br>
><br>
> --<br>
> Best regards,<br>
> Sergii Golovatiuk,<br>
> Skype #golserge<br>
> IRC #holser<br>
><br>
</span>> On Tue, Jul 28, 2015 at 11:21 PM, Andrew Woodward <<a href="mailto:awoodward@mirantis.com">awoodward@mirantis.com</a>><br>
<span class="">> wrote:<br>
>><br>
>> It's literally how radosgw goes about verifying users, it has no scheme of<br>
>> using a user or working with auth-tokens. It would have to be fixed in the<br>
>> ceph-radosgw codebase. PKI tokens (which we don't use) rely on this less,<br>
>> but it's still used.<br>
>><br>
>> On Tue, Jul 28, 2015 at 2:16 PM Sergii Golovatiuk<br>
</span><span class="">>> <<a href="mailto:sgolovatiuk@mirantis.com">sgolovatiuk@mirantis.com</a>> wrote:<br>
>>><br>
>>> Why can't radosgw use its own credentials? If it's technical debt we need<br>
>>> to put it on plate to address in next release.<br>
>>><br>
>>><br>
>>> --<br>
>>> Best regards,<br>
>>> Sergii Golovatiuk,<br>
>>> Skype #golserge<br>
>>> IRC #holser<br>
>>><br>
</span>>>> On Tue, Jul 28, 2015 at 10:21 PM, Andrew Woodward <<a href="mailto:xarses@gmail.com">xarses@gmail.com</a>><br>
<span class="">>>> wrote:<br>
>>>><br>
>>>> Keystone authtoken is also used by radosgw to validate users<br>
>>>><br>
>>>> On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward<br>
</span><span class="">>>>> <<a href="mailto:awoodward@mirantis.com">awoodward@mirantis.com</a>> wrote:<br>
>>>>><br>
>>>>> IIRC the puppet modules, and even the heat domain create script make<br>
>>>>> use of the token straight from the config file. It not being present could<br>
>>>>> cause problems for some of the manifests. We would need to ensure that their<br>
>>>>> usage is minimized or removed.<br>
>>>>><br>
>>>>> On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk<br>
</span><span class="">>>>>> <<a href="mailto:sgolovatiuk@mirantis.com">sgolovatiuk@mirantis.com</a>> wrote:<br>
>>>>>><br>
>>>>>> Hi Oleksiy,<br>
>>>>>><br>
>>>>>> Good catch. Also OSTF should get endpoints from hiera as some plugins<br>
>>>>>> may override the initial deployment settings. There may be cases when<br>
>>>>>> keystone is detached by plugin.<br>
>>>>>><br>
>>>>>> --<br>
>>>>>> Best regards,<br>
>>>>>> Sergii Golovatiuk,<br>
>>>>>> Skype #golserge<br>
>>>>>> IRC #holser<br>
>>>>>><br>
>>>>>> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov<br>
</span><span class="">>>>>>> <<a href="mailto:omolchanov@mirantis.com">omolchanov@mirantis.com</a>> wrote:<br>
>>>>>>><br>
>>>>>>> Hello all,<br>
>>>>>>><br>
>>>>>>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after<br>
</span>>>>>>>> deployment. This came from <a href="https://bugs.launchpad.net/fuel/+bug/1430619" rel="noreferrer" target="_blank">https://bugs.launchpad.net/fuel/+bug/1430619</a>. I<br>
<span class="">>>>>>>> guess not all of us have access to this bug, so to be short:<br>
>>>>>>><br>
>>>>>>> # A "shared secret" that can be used to bootstrap Keystone.<br>
>>>>>>> # This "token" does not represent a user, and carries no<br>
>>>>>>> # explicit authorization. To disable in production (highly<br>
>>>>>>> # recommended), remove AdminTokenAuthMiddleware from your<br>
>>>>>>> # paste application pipelines (for example, in keystone-<br>
>>>>>>> # paste.ini). (string value)<br>
>>>>>>><br>
>>>>>>> After removing this and testing we found out that OSTF fails because<br>
>>>>>>> it uses admin token.<br>
>>>>>>><br>
>>>>>>> What do you think if we create ostf user like for workloads, but with<br>
>>>>>>> wider permissions?<br>
>>>>>>><br>
>>>>>>> BR,<br>
>>>>>>> Oleksiy.<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> __________________________________________________________________________<br>
>>>>>>> OpenStack Development Mailing List (not for usage questions)<br>
>>>>>>> Unsubscribe:<br>
</span>>>>>>>> <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<span class="">>>>>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>>>>>>><br>
>>>>>><br>
>>>>>><br>
</span><span class="">
>>>>><br>
>>>>> --<br>
>>>>> --<br>
>>>>> Andrew Woodward<br>
>>>>> Mirantis<br>
>>>>> Fuel Community Ambassador<br>
>>>>> Ceph Community<br>
>>>>><br>
</span><span class="">
>>>><br>
>>>> --<br>
>>>><br>
>>>> --<br>
>>>><br>
>>>> Andrew Woodward<br>
>>>><br>
>>>> Mirantis<br>
>>>><br>
>>>> Fuel Community Ambassador<br>
>>>><br>
>>>> Ceph Community<br>
>>>><br>
>>>><br>
>>>><br>
</span><span class="">
>>>><br>
>>><br>
>>><br>
</span><span class="">
>><br>
>> --<br>
>> --<br>
>> Andrew Woodward<br>
>> Mirantis<br>
>> Fuel Community Ambassador<br>
>> Ceph Community<br>
>><br>
</span><span class="">
>><br>
><br>
><br>
</span>
><br>
<br>
<br>
<br>
--<br>
Kostiantyn Danilov aka <a href="http://koder.ua" rel="noreferrer" target="_blank">koder.ua</a><br>
Principal software engineer, Mirantis<br>
<br>
skype:<a href="http://koder.ua" rel="noreferrer" target="_blank">koder.ua</a><br>
<a href="http://koder-ua.blogspot.com/" rel="noreferrer" target="_blank">http://koder-ua.blogspot.com/</a><br>
<a href="http://mirantis.com" rel="noreferrer" target="_blank">http://mirantis.com</a><br>
<span class=""><br>
</span>
</blockquote></div><br></div>
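An added example, not part of the thread or of any project's code: a check that a keystone-paste.ini no longer loads AdminTokenAuthMiddleware in any pipeline, which is the change the quoted configuration comment recommends. The sample file content and the filter and pipeline names in it are constructed for illustration.

```python
import configparser

# Constructed sample in the layout of a keystone-paste.ini; section and
# filter names other than AdminTokenAuthMiddleware are assumptions.
SAMPLE_PASTE_INI = """
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[pipeline:public_api]
pipeline = token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = token_auth json_body admin_service
"""

def admin_token_filters(cfg):
    """Names of filter sections whose factory is AdminTokenAuthMiddleware."""
    return {
        section.split(":", 1)[1]
        for section in cfg.sections()
        if section.startswith("filter:")
        and "AdminTokenAuthMiddleware"
        in cfg.get(section, "paste.filter_factory", fallback="")
    }

def pipelines_with_admin_token(ini_text):
    """Map pipeline name -> filters in it that load the admin-token middleware."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    bad = admin_token_filters(cfg)
    findings = {}
    for section in cfg.sections():
        if not section.startswith("pipeline:"):
            continue
        stages = cfg.get(section, "pipeline", fallback="").split()
        hits = [stage for stage in stages if stage in bad]
        if hits:
            findings[section.split(":", 1)[1]] = hits
    return findings

if __name__ == "__main__":
    for name, hits in pipelines_with_admin_token(SAMPLE_PASTE_INI).items():
        print(f"pipeline {name} still loads {', '.join(hits)}")
```

The check resolves filters by their factory rather than by section name, so a renamed filter section is still caught.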