Some config hints here: if you convert your config, you have to unset the admin_token and change the api version to 3, then you can specify the keystone user, password, domain, tenant, etc.

You can see what we do for puppet-ceph [1] if you need a reference.

[1] https://github.com/openstack/puppet-ceph/blob/master/manifests/rgw/keystone.pp

On Sat, Oct 15, 2016 at 9:22 AM Logan V. <lo...@protiumit.com> wrote:
> The ability to use Keystone v3 and authtokens in lieu of admin token was
> added in jewel. The release notes state it but unfortunately the Jewel docs
> don't reflect it, so you'll need to visit
> http://docs.ceph.com/docs/master/radosgw/keystone/ to find the
> configuration information.
>
> When I tested this out, I had something like:
>
> [client.rgw.radosgw-1]
> rgw keystone admin user = radosgw
> rgw keystone admin password = <clipped>
> rgw keystone token cache size = 10000
> keyring = /var/lib/ceph/radosgw/ceph-rgw.radosgw-1/keyring
> rgw keystone url = http://keystone-admin-endpoint:35357
> rgw data = /var/lib/ceph/radosgw/ceph-rgw.radosgw-1
> rgw keystone admin tenant = service
> rgw keystone admin domain = default
> rgw keystone api version = 3
> host = radosgw-1
> rgw s3 auth use keystone = true
> rgw socket path = /tmp/radosgw-radosgw-1.sock
> log file = /var/log/ceph/ceph-rgw-radosgw-1.log
> rgw keystone accepted roles = Member, _member_, admin
> rgw frontends = civetweb port=10.13.32.15:8080 num_threads=50
> rgw keystone revocation interval = 900
>
> Logan
>
>
> On Friday, October 14, 2016, Jonathan Proulx <j...@csail.mit.edu> wrote:
> > Hi All,
> >
> > Recently upgraded from Kilo->Mitaka on my OpenStack deploy and now
> > radosgw nodes (jewel) are unable to validate keystone tokens.
> >
> > Initially I thought it was because radosgw relies on admin_token
> > (which is a bad idea, but ...) and that's now deprecated. I
> > verified the token was still in keystone.conf and fixed it when I found
> > it had been commented out of keystone-paste.ini but even after fixing
> > that and restarting my keystone I get:
> >
> > -- grep req-a5030a83-f265-4b25-b6e5-1918c978f824 /var/log/keystone/keystone.log
> > 2016-10-14 15:12:47.631 35977 WARNING keystone.middleware.auth [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: build_auth_context middleware checking for the admin token is deprecated as of the Mitaka release and will be removed in the O release. If your deployment requires use of the admin token, update keystone-paste.ini so that admin_token_auth is before build_auth_context in the paste pipelines, otherwise remove the admin_token_auth middleware from the paste pipelines.
> > 2016-10-14 15:12:47.671 35977 INFO keystone.common.wsgi [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] GET https://nimbus-1.csail.mit.edu:35358/v2.0/tokens/<secret>
> > 2016-10-14 15:12:47.672 35977 WARNING oslo_log.versionutils [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] Deprecated: validate_token of the v2 API is deprecated as of Mitaka in favor of a similar function in the v3 API and may be removed in Q.
> > 2016-10-14 15:12:47.684 35977 WARNING keystone.common.wsgi [req-a5030a83-f265-4b25-b6e5-1918c978f824 - - - - -] You are not authorized to perform the requested action: identity:validate_token
> >
> > I've dug through keystone/policy.json and identity:validate_token is
> > authorized to "role:admin or is_admin:1" which I *think* should cover
> > the token use case...but not 100% sure.
> >
> > Can radosgw use a proper keystone user so I can avoid the admin_token
> > mess (http://docs.ceph.com/docs/jewel/radosgw/keystone/ seems to
> > indicate no)?
> >
> > Or anyone see where in my keystone chain I might have dropped a link?
> >
> > Thanks,
> > -Jon
> > _______________________________________________
> > ceph-users mailing list
> > ceph-users@lists.ceph.com
> > http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
>
--
Andrew Woodward
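The thread's advice boils down to a configuration audit: in each radosgw section of ceph.conf the admin token must be gone, `rgw keystone api version` must be 3, and the Keystone service-user fields (url, user, password, domain, tenant) must all be present. The following checker is an added example, not code from this thread or from puppet-ceph; it assumes ceph.conf's INI layout, that Ceph accepts option names with either spaces or underscores, and that client sections inherit from [global] and [client]. The two embedded configs are constructed samples (the second mirrors Logan's shape with a placeholder password), and all function names are the example's own.

```python
import configparser
from typing import Dict, List

# Options a Keystone v3 service-user setup needs in the rgw section.
V3_REQUIRED = (
    "rgw keystone url",
    "rgw keystone admin user",
    "rgw keystone admin password",
    "rgw keystone admin domain",
    "rgw keystone admin tenant",
)


def load_ceph_conf(text: str) -> configparser.ConfigParser:
    """Parse ceph.conf text. Ceph accepts 'rgw keystone url' and
    'rgw_keystone_url' interchangeably, so option names are normalised to
    the space form. Only '=' is a delimiter so URLs with ':' survive."""
    cp = configparser.ConfigParser(
        delimiters=("=",), comment_prefixes=("#", ";"),
        interpolation=None, strict=False,
    )
    cp.optionxform = lambda opt: opt.strip().lower().replace("_", " ")
    cp.read_string(text)
    return cp


def effective_options(cp: configparser.ConfigParser, section: str) -> Dict[str, str]:
    """Merge [global] -> [client] -> [section], later sections winning,
    which is how Ceph resolves options for a client daemon (assumed here)."""
    merged: Dict[str, str] = {}
    for name in ("global", "client", section):
        if cp.has_section(name):
            merged.update(cp.items(name))
    return merged


def audit_section(opts: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the section is in the
    v3 service-user shape the thread recommends."""
    findings: List[str] = []
    if opts.get("rgw keystone admin token", "").strip():
        findings.append("admin token still configured: unset 'rgw keystone admin token'")
    if opts.get("rgw keystone api version", "").strip() != "3":
        findings.append("'rgw keystone api version' is not 3")
    missing = [k for k in V3_REQUIRED if not opts.get(k, "").strip()]
    if missing:
        findings.append("missing v3 options: " + ", ".join(missing))
    return findings


def audit_rgw_keystone(text: str) -> Dict[str, List[str]]:
    """Audit every radosgw client section in a ceph.conf string."""
    cp = load_ceph_conf(text)
    report: Dict[str, List[str]] = {}
    for section in cp.sections():
        if section.startswith(("client.rgw", "client.radosgw")):
            report[section] = audit_section(effective_options(cp, section))
    return report


# Constructed sample: the pre-Jewel admin-token style the thread moves away from.
LEGACY_CONF = """
[global]
# constructed sample, no real cluster values
[client.rgw.radosgw-1]
rgw keystone url = http://keystone-admin-endpoint:35357
rgw keystone admin token = PLACEHOLDER_ADMIN_TOKEN
rgw keystone accepted roles = Member, _member_, admin
rgw s3 auth use keystone = true
"""

# Constructed sample in the v3 service-user shape; password is a placeholder.
V3_CONF = """
[client.rgw.radosgw-1]
rgw_keystone_admin_user = radosgw
rgw keystone admin password = PLACEHOLDER_PASSWORD
rgw keystone url = http://keystone-admin-endpoint:35357
rgw keystone admin tenant = service
rgw keystone admin domain = default
rgw keystone api version = 3
rgw s3 auth use keystone = true
rgw keystone accepted roles = Member, _member_, admin
rgw frontends = civetweb port=10.13.32.15:8080 num_threads=50
"""

if __name__ == "__main__":
    for label, conf in (("legacy", LEGACY_CONF), ("v3", V3_CONF)):
        for section, findings in audit_rgw_keystone(conf).items():
            print(f"{label} [{section}]: {findings or 'OK'}")
```

Run it against a real file with `audit_rgw_keystone(open("/etc/ceph/ceph.conf").read())`; a non-empty list for a section is the same state Jon's logs describe, a gateway still leaning on the deprecated admin-token path.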