[openstack-dev] [fuel] OS_SERVICE_TOKEN usage in Fuel
Andrew Woodward
awoodward at mirantis.com
Tue Jul 28 17:28:21 UTC 2015
IIRC the puppet modules, and even the heat domain create script make use of
the token straight from the config file. It not being present could cause
problems for some of the manifests. We would need to ensure that their
usage is minimized or removed.
On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk <sgolovatiuk at mirantis.com>
wrote:
> Hi Oleksiy,
>
> Good catch. Also OSTF should get endpoints from hiera as some plugins may
> override the initial deployment settings. There may be cases when keystone
> is detached by a plugin.
>
> --
> Best regards,
> Sergii Golovatiuk,
> Skype #golserge
> IRC #holser
>
> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov <
> omolchanov at mirantis.com> wrote:
>
>> Hello all,
>>
>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after
>> deployment. This came from https://bugs.launchpad.net/fuel/+bug/1430619.
>> I guess not all of us have access to this bug, so to be short:
>>
>> # A "shared secret" that can be used to bootstrap Keystone.
>> # This "token" does not represent a user, and carries no
>> # explicit authorization. To disable in production (highly
>> # recommended), remove AdminTokenAuthMiddleware from your
>> # paste application pipelines (for example, in keystone-
>> # paste.ini). (string value)
>>
>> After removing this and testing we found out that OSTF fails because it
>> uses the admin token.
>>
>> What do you think if we create an ostf user like for workloads, but with
>> wider permissions?
>>
>> BR,
>> Oleksiy.
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
--
Andrew Woodward
Mirantis
Fuel Community Ambassador
Ceph Community
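
A check for the condition the quoted keystone.conf comment describes, added here as an example and not part of the original thread: it parses a paste ini and reports every pipeline that still loads AdminTokenAuthMiddleware. The sample ini content and the function name `admin_token_pipelines` are constructed for illustration.

```python
import configparser

# Constructed sample resembling a keystone-paste.ini; not from a real deployment.
SAMPLE_PASTE_INI = """
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = token_auth admin_token_auth public_service

[pipeline:admin_api]
pipeline = token_auth admin_service
"""

MIDDLEWARE = "AdminTokenAuthMiddleware"


def admin_token_pipelines(ini_text):
    """Return {pipeline: [filter names]} for pipelines that still load the middleware."""
    cfg = configparser.RawConfigParser(strict=False)
    cfg.read_string(ini_text)
    # Resolve filters by their factory, not by section name, so that a
    # renamed filter section is still caught.
    flagged = {
        s.split(":", 1)[1]
        for s in cfg.sections()
        if s.startswith("filter:")
        and MIDDLEWARE in cfg.get(s, "paste.filter_factory", fallback="")
    }
    hits = {}
    for s in cfg.sections():
        if s.startswith("pipeline:"):
            used = [f for f in cfg.get(s, "pipeline", fallback="").split() if f in flagged]
            if used:
                hits[s.split(":", 1)[1]] = used
    return hits


if __name__ == "__main__":
    for name, filters in admin_token_pipelines(SAMPLE_PASTE_INI).items():
        print(f"pipeline {name} still loads {MIDDLEWARE} via {filters}")
```

An empty result means no pipeline in the file references the middleware; deployment tooling that still authenticates with the shared token, as discussed in the thread, would then fail and needs a real service user instead.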