Keystone authtoken is also used by radosgw to validate users On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward <awoodw...@mirantis.com> wrote:
> IIRC the puppet modules, and even the heat domain create script make use > of the token straight from the config file. It not being present could > cause problems for some of the manifests. We would need to ensure that > their usage is minimized or removed. > > On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk < > sgolovat...@mirantis.com> wrote: > >> Hi Oleksiy, >> >> Good catch. Also OSTF should get endpoints from hiera as some plugins may >> override the initial deployment settings. There may be cases when keystone >> is detached by plugin. >> >> -- >> Best regards, >> Sergii Golovatiuk, >> Skype #golserge >> IRC #holser >> >> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov < >> omolcha...@mirantis.com> wrote: >> >>> Hello all, >>> >>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after >>> deployment. This came from https://bugs.launchpad.net/fuel/+bug/1430619. >>> I guess not all of us have an access to this bug, so to be short: >>> >>> # A "shared secret" that can be used to bootstrap Keystone. >>> # This "token" does not represent a user, and carries no >>> # explicit authorization. To disable in production (highly >>> # recommended), remove AdminTokenAuthMiddleware from your >>> # paste application pipelines (for example, in keystone- >>> # paste.ini). (string value) >>> >>> After removing this and testing we found out that OSTF fails because it >>> uses admin token. >>> >>> What do you think if we create ostf user like for workloads, but with >>> wider permissions? >>> >>> BR, >>> Oleksiy. >>> >>> >>> __________________________________________________________________________ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: >>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >>> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > -- > -- > Andrew Woodward > Mirantis > Fuel Community Ambassador > Ceph Community > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- -- Andrew Woodward Mirantis Fuel Community Ambassador Ceph Community
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
