It's literally how radosgw goes about verifying users, it has no scheme of using a user or working with auth-tokens. It would have to fixed in the ceph-radosgw codebase. PKI tokens (which we don't use) rely on this less, but its still used.
On Tue, Jul 28, 2015 at 2:16 PM Sergii Golovatiuk <sgolovat...@mirantis.com> wrote: > Why can't radosgw use own own credentials? If it's technical debt we need > to put it on plate to address in next release. > > > -- > Best regards, > Sergii Golovatiuk, > Skype #golserge > IRC #holser > > On Tue, Jul 28, 2015 at 10:21 PM, Andrew Woodward <xar...@gmail.com> > wrote: > >> Keystone authtoken is also used by radosgw to validate users >> >> On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward <awoodw...@mirantis.com> >> wrote: >> >>> IIRC the puppet modules, and even the heat domain create script make use >>> of the token straight from the config file. It not being present could >>> cause problems for some of the manifests. We would need to ensure that >>> their usage is minimized or removed. >>> >>> On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovatiuk < >>> sgolovat...@mirantis.com> wrote: >>> >>>> Hi Oleksiy, >>>> >>>> Good catch. Also OSTF should get endpoints from hiera as some plugins >>>> may override the initial deployment settings. There may be cases when >>>> keystone is detached by plugin. >>>> >>>> -- >>>> Best regards, >>>> Sergii Golovatiuk, >>>> Skype #golserge >>>> IRC #holser >>>> >>>> On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchanov < >>>> omolcha...@mirantis.com> wrote: >>>> >>>>> Hello all, >>>>> >>>>> We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after >>>>> deployment. This came from >>>>> https://bugs.launchpad.net/fuel/+bug/1430619. I guess not all of us >>>>> have an access to this bug, so to be short: >>>>> >>>>> # A "shared secret" that can be used to bootstrap Keystone. >>>>> # This "token" does not represent a user, and carries no >>>>> # explicit authorization. To disable in production (highly >>>>> # recommended), remove AdminTokenAuthMiddleware from your >>>>> # paste application pipelines (for example, in keystone- >>>>> # paste.ini). (string value) >>>>> >>>>> After removing this and testing we found out that OSTF fails because >>>>> it uses admin token. >>>>> >>>>> What do you think if we create ostf user like for workloads, but with >>>>> wider permissions? >>>>> >>>>> BR, >>>>> Oleksiy. >>>>> >>>>> >>>>> __________________________________________________________________________ >>>>> OpenStack Development Mailing List (not for usage questions) >>>>> Unsubscribe: >>>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>>> >>>>> >>>> >>>> __________________________________________________________________________ >>>> OpenStack Development Mailing List (not for usage questions) >>>> Unsubscribe: >>>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>>> >>> -- >>> -- >>> Andrew Woodward >>> Mirantis >>> Fuel Community Ambassador >>> Ceph Community >>> >>> __________________________________________________________________________ >>> OpenStack Development Mailing List (not for usage questions) >>> Unsubscribe: >>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >>> >> -- >> >> -- >> >> Andrew Woodward >> >> Mirantis >> >> Fuel Community Ambassador >> >> Ceph Community >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- -- Andrew Woodward Mirantis Fuel Community Ambassador Ceph Community
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
