> I would have thought it was something like:
> 1. Authenticate with the keystone with a special set of credentials (rgw_keystone_admin_user)
> 2. Fetch the EC2 credentials for the provided access key
> 3. Save those credentials for the time that keystone told with the token lifetime
> 4. Do the normal s3 authentication with the cached credentials
>
> I would have thought that these tokens live in the memory of the radosgw daemon and every rgw daemon keeps track on its own.
> But as I am writing this down I think "what happens to the cached credentials if the ec2 credentials will be invalidated by the end user?"
I guess they will keep on working for up to the before-mentioned lifetime; then, as the rgw(s) reconnect to the keystone to ask for the entry which now no longer exists, they will learn it no longer exists and reply in a suitable manner.

This is where you set the lifetime of this token cache (when it works as expected) to the largest amount of time you think is acceptable for a deleted account to keep working. If there is a panic, you can still invalidate the user and restart the rgws to clear the caches to have an immediate effect.

--
May the most significant bit of your life be positive.

_______________________________________________
ceph-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
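The cache behaviour argued in this reply, as an added example that is not part of the original thread and not radosgw's or Keystone's own code: a small Python model of the four-step flow quoted above (admin lookup of the EC2 credential, per-daemon in-memory cache with a lifetime, S3-style signature check against the cached secret) used to measure how long a revoked credential keeps authenticating, and to show that flushing the cache (the "restart the rgws" path) cuts that window to zero. Everything in it is a constructed assumption: `FakeKeystone`, `CredentialCache`, the access key `AKIAEXAMPLE`, the 600 s lifetime, and the simplified HMAC signing, which stands in for the real S3 signature scheme.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Added example, not code from radosgw or Keystone: a model of the credential
# cache sketched in the thread. All names and values here are constructed.


class FakeClock:
    """Manually advanced clock so a lifetime can be simulated without sleeping."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class FakeKeystone:
    """Stand-in for Keystone's EC2 credential lookup (step 2 of the sketch)."""
    creds: dict = field(default_factory=dict)  # access_key -> secret (constructed)
    lookups: int = 0                           # round trips the daemon made

    def fetch_ec2_credential(self, access_key):
        self.lookups += 1
        return self.creds.get(access_key)      # None once the end user deleted it

    def revoke(self, access_key):
        self.creds.pop(access_key, None)


class CredentialCache:
    """Per-daemon in-memory cache (step 3): an entry lives for `lifetime` seconds."""
    def __init__(self, keystone, lifetime, clock):
        self.keystone = keystone
        self.lifetime = lifetime
        self.clock = clock
        self._entries = {}  # access_key -> (secret, expires_at)

    def lookup(self, access_key):
        now = self.clock.now()
        hit = self._entries.get(access_key)
        if hit is not None and now < hit[1]:
            return hit[0]                      # served from cache; Keystone is not asked
        secret = self.keystone.fetch_ec2_credential(access_key)
        if secret is None:
            self._entries.pop(access_key, None)  # Keystone says it is gone: forget it
            return None
        self._entries[access_key] = (secret, now + self.lifetime)
        return secret

    def flush(self):
        """Equivalent of restarting the daemon: every cached entry is dropped."""
        self._entries.clear()


def sign(secret, string_to_sign):
    """Simplified request signature (HMAC-SHA256), standing in for real S3 signing."""
    return hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).hexdigest()


def authenticate(cache, access_key, string_to_sign, signature):
    """Step 4: recompute the signature with the (cached) secret and compare."""
    secret = cache.lookup(access_key)
    if secret is None:
        return False
    return hmac.compare_digest(sign(secret, string_to_sign), signature)


def revocation_window(lifetime=600):
    """Auth outcomes around a revocation when the daemon only waits out the lifetime."""
    clock = FakeClock()
    keystone = FakeKeystone({"AKIAEXAMPLE": "constructed-secret"})
    cache = CredentialCache(keystone, lifetime, clock)
    req = "GET\n\n\n/bucket/object"            # constructed string-to-sign
    sig = sign("constructed-secret", req)

    outcomes = {}
    outcomes["before_revoke"] = authenticate(cache, "AKIAEXAMPLE", req, sig)
    keystone.revoke("AKIAEXAMPLE")             # end user deletes the EC2 credential
    clock.advance(lifetime - 1)
    outcomes["revoked_within_lifetime"] = authenticate(cache, "AKIAEXAMPLE", req, sig)
    clock.advance(2)                           # now past the cached entry's expiry
    outcomes["revoked_after_lifetime"] = authenticate(cache, "AKIAEXAMPLE", req, sig)
    outcomes["keystone_lookups"] = keystone.lookups
    return outcomes


def flush_after_revoke(lifetime=600):
    """Panic path from the thread: revoke, then restart (flush) instead of waiting."""
    clock = FakeClock()
    keystone = FakeKeystone({"AKIAEXAMPLE": "constructed-secret"})
    cache = CredentialCache(keystone, lifetime, clock)
    req = "GET\n\n\n/bucket/object"
    sig = sign("constructed-secret", req)
    authenticate(cache, "AKIAEXAMPLE", req, sig)   # populate the cache first
    keystone.revoke("AKIAEXAMPLE")
    cache.flush()
    return authenticate(cache, "AKIAEXAMPLE", req, sig)


if __name__ == "__main__":
    print(revocation_window())   # revoked credential accepted until the lifetime runs out
    print(flush_after_revoke())  # False
```

The second lookup count shows why the window exists: between the first fetch and expiry the daemon never contacts Keystone at all, so nothing short of expiry or a flush can tell it the credential is gone. Each rgw daemon holds its own cache, so a flush has to reach every daemon, which is why the reply suggests restarting all of them.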
