[openstack-dev] [fuel] OS_SERVICE_TOKEN usage in Fuel

Sergii Golovatiuk sgolovatiuk at mirantis.com
Tue Jul 28 21:16:39 UTC 2015


Why can't radosgw use its own credentials? If it's technical debt we need
to put it on the plate to address in the next release.


--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser

On Tue, Jul 28, 2015 at 10:21 PM, Andrew Woodward <xarses at gmail.com> wrote:

> Keystone authtoken is also used by radosgw to validate users
>
> On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward <awoodward at mirantis.com>
> wrote:
>
>> IIRC the puppet modules, and even the heat domain create script make use
>> of the token straight from the config file. It not being present could
>> cause problems for some of the manifests. We would need to ensure that
>> their usage is minimized or removed.
>>
>> On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk <
>> sgolovatiuk at mirantis.com> wrote:
>>
>>> Hi Oleksiy,
>>>
>>> Good catch. Also OSTF should get endpoints from hiera as some plugins
>>> may override the initial deployment settings. There may be cases when
>>> keystone is detached by plugin.
>>>
>>> --
>>> Best regards,
>>> Sergii Golovatiuk,
>>> Skype #golserge
>>> IRC #holser
>>>
>>> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov <
>>> omolchanov at mirantis.com> wrote:
>>>
>>>> Hello all,
>>>>
>>>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after
>>>> deployment. This came from https://bugs.launchpad.net/fuel/+bug/1430619.
>>>> I guess not all of us have access to this bug, so to be short:
>>>>
>>>> # A "shared secret" that can be used to bootstrap Keystone.
>>>> # This "token" does not represent a user, and carries no
>>>> # explicit authorization. To disable in production (highly
>>>> # recommended), remove AdminTokenAuthMiddleware from your
>>>> # paste application pipelines (for example, in keystone-
>>>> # paste.ini). (string value)
>>>>
>>>> After removing this and testing we found out that OSTF fails because it
>>>> uses admin token.
>>>>
>>>> What do you think if we create ostf user like for workloads, but with
>>>> wider permissions?
>>>>
>>>> BR,
>>>> Oleksiy.
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>>
>>>
>>>
>> --
>> Andrew Woodward
>> Mirantis
>> Fuel Community Ambassador
>> Ceph Community
>>
> --
> Andrew Woodward
> Mirantis
> Fuel Community Ambassador
> Ceph Community
>
>
>
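Added example (not part of the original thread, and not Fuel's or Keystone's own code): a check for the step quoted in the thread, finding every paste pipeline that still includes AdminTokenAuthMiddleware and showing the pipeline without it. The sample ini text and the function names are constructed for illustration.

```python
import configparser

# Constructed, shortened keystone-paste.ini fragment (sample data, not from the thread).
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit token_auth json_body admin_service
"""

def _load(paste_text):
    # RawConfigParser: no %-interpolation; only "=" separates key from value,
    # so factory strings containing ":" are parsed intact.
    cfg = configparser.RawConfigParser(delimiters=("=",))
    cfg.read_string(paste_text)
    return cfg

def admin_token_filters(cfg):
    """Filter names backed by AdminTokenAuthMiddleware, whatever the section is called."""
    return {s.split(":", 1)[1] for s in cfg.sections()
            if s.startswith("filter:")
            and "AdminTokenAuthMiddleware" in cfg.get(s, "paste.filter_factory", fallback="")}

def audit_pipelines(paste_text):
    """Return {pipeline name: (offending filters, pipeline with them removed)}."""
    cfg = _load(paste_text)
    bad = admin_token_filters(cfg)
    findings = {}
    for section in cfg.sections():
        if not section.startswith("pipeline:"):
            continue
        stages = cfg.get(section, "pipeline", fallback="").split()
        hits = [s for s in stages if s in bad]
        if hits:
            cleaned = " ".join(s for s in stages if s not in bad)
            findings[section.split(":", 1)[1]] = (hits, cleaned)
    return findings

if __name__ == "__main__":
    for name, (hits, cleaned) in audit_pipelines(SAMPLE_PASTE_INI).items():
        print(f"{name}: remove {hits}; hardened pipeline = {cleaned}")
```

Matching on the factory string rather than the filter name also catches a filter section that was renamed but still loads the same middleware.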