<div dir="ltr">Agree that SERVICE_TOKEN usage eradication will probably be a long-standing process, but IMO radosgw should follow the usual way of managing OpenStack service interactions. Usually when a service wants to integrate with OpenStack, an appropriate user with role "admin" is created. I believe that for radosgw probably a user "radosgw" should be created, or something similar.<div>Of course, the requirement of its "adminess" and role assignment is a different topic.</div><div><br></div><div>Regards,</div><div><br></div><div>Adam<br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jul 30, 2015 at 4:33 PM, Oleksiy Molchanov <span dir="ltr"><<a href="mailto:omolchanov@mirantis.com" target="_blank">omolchanov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span style="font-size:12.8000001907349px">Update from </span><span style="font-size:12.8000001907349px">Radoslaw Zarzynski</span></div><div><span style="font-size:12.8000001907349px">-------</span></div><span style="font-size:12.8000001907349px"><div><span style="font-size:12.8000001907349px"><br></span></div>Hi,</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">I'm afraid that eradication of OS_SERVICE_TOKEN won't be a quick</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">or painless process due to dependencies. 
We would need to identify</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">and fix all applications that require this auth method.</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">For example, Ceph RADOS Gateway (radosgw) currently requires [1]</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">it in order to provide Keystone integration in its S3 API implementation.</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">We have customers using that in production.</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Best regards,</span><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">Radoslaw Zarzynski</span><br style="font-size:12.8000001907349px"><br style="font-size:12.8000001907349px"><span style="font-size:12.8000001907349px">[1] </span><a href="https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_s3.cc#L2222" rel="noreferrer" style="font-size:12.8000001907349px" target="_blank">https://github.com/ceph/ceph/blob/master/src/rgw/rgw_rest_s3.cc#L2222</a><br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 29, 2015 at 6:38 PM, Konstantin Danilov <span dir="ltr"><<a href="mailto:kdanilov@mirantis.com" target="_blank">kdanilov@mirantis.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Would send ceph estimation tomorrow.<br>
Yet estimation != ETTA<br>
<span><br>
On Wed, Jul 29, 2015 at 12:27 AM, Sergii Golovatiuk<br>
<<a href="mailto:sgolovatiuk@mirantis.com" target="_blank">sgolovatiuk@mirantis.com</a>> wrote:<br>
> Hi,<br>
><br>
> Let's ask our Ceph developers how much time/resources they need to implement<br>
> such functionality.<br>
><br>
> --<br>
> Best regards,<br>
> Sergii Golovatiuk,<br>
> Skype #golserge<br>
> IRC #holser<br>
><br>
</span>> On Tue, Jul 28, 2015 at 11:21 PM, Andrew Woodward <<a href="mailto:awoodward@mirantis.com" target="_blank">awoodward@mirantis.com</a>><br>
<span>> wrote:<br>
>><br>
>> It's literally how radosgw goes about verifying users; it has no scheme of<br>
>> using a user or working with auth-tokens. It would have to be fixed in the<br>
>> ceph-radosgw codebase. PKI tokens (which we don't use) rely on this less,<br>
>> but it's still used.<br>
>><br>
>> On Tue, Jul 28, 2015 at 2:16 PM Sergii Golovatiuk<br>
</span><span>>> <<a href="mailto:sgolovatiuk@mirantis.com" target="_blank">sgolovatiuk@mirantis.com</a>> wrote:<br>
>>><br>
>>> Why can't radosgw use its own credentials? If it's technical debt we need<br>
>>> to put it on the plate to address in the next release.<br>
>>><br>
>>><br>
>>> --<br>
>>> Best regards,<br>
>>> Sergii Golovatiuk,<br>
>>> Skype #golserge<br>
>>> IRC #holser<br>
>>><br>
</span>>>> On Tue, Jul 28, 2015 at 10:21 PM, Andrew Woodward <<a href="mailto:xarses@gmail.com" target="_blank">xarses@gmail.com</a>><br>
<span>>>> wrote:<br>
>>>><br>
>>>> Keystone authtoken is also used by radosgw to validate users<br>
>>>><br>
>>>> On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward<br>
</span><span>>>>> <<a href="mailto:awoodward@mirantis.com" target="_blank">awoodward@mirantis.com</a>> wrote:<br>
>>>>><br>
>>>>> IIRC the puppet modules, and even the heat domain create script, make<br>
>>>>> use of the token straight from the config file. Its not being present could<br>
>>>>> cause problems for some of the manifests. We would need to ensure that their<br>
>>>>> usage is minimized or removed.<br>
>>>>><br>
>>>>> On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk<br>
</span><span>>>>>> <<a href="mailto:sgolovatiuk@mirantis.com" target="_blank">sgolovatiuk@mirantis.com</a>> wrote:<br>
>>>>>><br>
>>>>>> Hi Oleksiy,<br>
>>>>>><br>
>>>>>> Good catch. Also OSTF should get endpoints from hiera as some plugins<br>
>>>>>> may override the initial deployment settings. There may be cases when<br>
>>>>>> keystone is detached by plugin.<br>
>>>>>><br>
>>>>>> --<br>
>>>>>> Best regards,<br>
>>>>>> Sergii Golovatiuk,<br>
>>>>>> Skype #golserge<br>
>>>>>> IRC #holser<br>
>>>>>><br>
>>>>>> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov<br>
</span><span>>>>>>> <<a href="mailto:omolchanov@mirantis.com" target="_blank">omolchanov@mirantis.com</a>> wrote:<br>
>>>>>>><br>
>>>>>>> Hello all,<br>
>>>>>>><br>
>>>>>>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after<br>
</span>>>>>>>> deployment. This came from <a href="https://bugs.launchpad.net/fuel/+bug/1430619" rel="noreferrer" target="_blank">https://bugs.launchpad.net/fuel/+bug/1430619</a>. I<br>
<span>>>>>>>> guess not all of us have access to this bug, so in short:<br>
>>>>>>><br>
>>>>>>> # A "shared secret" that can be used to bootstrap Keystone.<br>
>>>>>>> # This "token" does not represent a user, and carries no<br>
>>>>>>> # explicit authorization. To disable in production (highly<br>
>>>>>>> # recommended), remove AdminTokenAuthMiddleware from your<br>
>>>>>>> # paste application pipelines (for example, in keystone-<br>
>>>>>>> # paste.ini). (string value)<br>
>>>>>>><br>
>>>>>>> After removing this and testing we found out that OSTF fails because<br>
>>>>>>> it uses the admin token.<br>
>>>>>>><br>
>>>>>>> What do you think if we create an ostf user like for workloads, but with<br>
>>>>>>> wider permissions?<br>
>>>>>>><br>
>>>>>>> BR,<br>
>>>>>>> Oleksiy.<br>
>>>>>>><br>
>>>>>>><br>
>>>>>>> __________________________________________________________________________<br>
>>>>>>> OpenStack Development Mailing List (not for usage questions)<br>
>>>>>>> Unsubscribe:<br>
</span>>>>>>>> <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<span>>>>>>>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>>>>>>><br>
>>>>>><br>
>>>>>><br>
</span><span>
>>>>><br>
>>>>> --<br>
>>>>> --<br>
>>>>> Andrew Woodward<br>
>>>>> Mirantis<br>
>>>>> Fuel Community Ambassador<br>
>>>>> Ceph Community<br>
>>>>><br>
</span><span>
>>>><br>
>>>> --<br>
>>>><br>
>>>> --<br>
>>>><br>
>>>> Andrew Woodward<br>
>>>><br>
>>>> Mirantis<br>
>>>><br>
>>>> Fuel Community Ambassador<br>
>>>><br>
>>>> Ceph Community<br>
>>>><br>
>>>><br>
>>>><br>
</span><span>
>>>><br>
>>><br>
>>><br>
</span><span>
>><br>
>> --<br>
>> --<br>
>> Andrew Woodward<br>
>> Mirantis<br>
>> Fuel Community Ambassador<br>
>> Ceph Community<br>
>><br>
</span><span>
>><br>
><br>
><br>
</span>
><br>
<br>
<br>
<br>
--<br>
Kostiantyn Danilov aka <a href="http://koder.ua" rel="noreferrer" target="_blank">koder.ua</a><br>
Principal software engineer, Mirantis<br>
<br>
skype:<a href="http://koder.ua" rel="noreferrer" target="_blank">koder.ua</a><br>
<a href="http://koder-ua.blogspot.com/" rel="noreferrer" target="_blank">http://koder-ua.blogspot.com/</a><br>
<a href="http://mirantis.com" rel="noreferrer" target="_blank">http://mirantis.com</a><br>
<span><br>
</span>
</blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div style="color:rgb(136,136,136);font-size:12.8000001907349px">Adam Heczko</div><div style="color:rgb(136,136,136);font-size:12.8000001907349px">Security Engineer @ Mirantis Inc.</div></div></div>
</div></div></div>
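The keystone.conf comment quoted in the thread says the production fix is to remove AdminTokenAuthMiddleware from the paste application pipelines. As an added example (not code from the thread, from Keystone or from Fuel), the audit below parses a keystone-paste.ini, reports which pipelines still load that middleware, and emits a hardened copy with the filter dropped; it assumes the Kilo-era layout (filters registered under `[filter:<name>]` and named in each `[pipeline:*]` section), and the sample ini is constructed.

```python
import configparser

# Added example, not code from the thread. Assumes the Kilo-era keystone-paste.ini
# layout (filter registered under [filter:<name>], referenced by name in each
# [pipeline:*] section); the sample file below is constructed.
ADMIN_TOKEN_FACTORY = "keystone.middleware:AdminTokenAuthMiddleware.factory"

SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body admin_service
"""


def _load(ini_text):
    """Parse the ini and collect filter names that load the admin-token middleware."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    # Match on the factory, not the section name, so a renamed filter is still caught.
    offending = {
        name.split(":", 1)[1] for name in cfg.sections()
        if name.startswith("filter:")
        and cfg.get(name, "paste.filter_factory", fallback="") == ADMIN_TOKEN_FACTORY
    }
    return cfg, offending


def audit_pipelines(ini_text):
    """Map each pipeline name to the admin-token filters it still loads (empty = clean)."""
    cfg, offending = _load(ini_text)
    return {
        name.split(":", 1)[1]: [s for s in cfg.get(name, "pipeline").split() if s in offending]
        for name in cfg.sections() if name.startswith("pipeline:")
    }


def harden_pipelines(ini_text):
    """Return the ini text with every admin-token filter dropped from each pipeline line."""
    _, offending = _load(ini_text)
    out = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "pipeline":
            line = "pipeline = " + " ".join(s for s in value.split() if s not in offending)
        out.append(line)
    return "\n".join(out)
```

Running `audit_pipelines` on the hardened output is the regression check: once every pipeline maps to an empty list, the shared secret can no longer authenticate requests, and anything that still depends on it (OSTF, radosgw, the manifests named in the thread) fails loudly rather than silently keeping the bootstrap path alive.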