Agree that SERVICE_TOKEN usage eradication will be probably long standing
process, but IMO radosgw should follow usual way of managing Openstack
service interactions. Usually when service wants to integrate with
OpenStack, an appropriate user with role "admin" is created. I believe that
for radosgw
Update from Radoslaw Zarzynski
---
Hi,
I'm afraid that eradication of OS_SERVICE_TOKEN won't be quick
nor painless process due to dependencies. We would need to identify
and fix all applications that requires this auth method.
For example, Ceph RADOS Gateway (radosgw) currently requires [1]
Would send ceph estimation tomorrow.
Yet estimation != ETTA
On Wed, Jul 29, 2015 at 12:27 AM, Sergii Golovatiuk
wrote:
> Hi,
>
> Let's ask our Ceph developers how much time/resources they need to implement
> such functionality.
>
> --
> Best regards,
> Sergii Golovatiuk,
> Skype #golserge
> IRC #
Hi,
Let's ask our Ceph developers how much time/resources they need to
implement such functionality.
--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser
On Tue, Jul 28, 2015 at 11:21 PM, Andrew Woodward
wrote:
> It's literally how radosgw goes about verifying users, it has no schem
It's literally how radosgw goes about verifying users, it has no scheme of
using a user or working with auth-tokens. It would have to fixed in the
ceph-radosgw codebase. PKI tokens (which we don't use) rely on this less,
but its still used.
On Tue, Jul 28, 2015 at 2:16 PM Sergii Golovatiuk
wrote:
Why can't radosgw use own own credentials? If it's technical debt we need
to put it on plate to address in next release.
--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser
On Tue, Jul 28, 2015 at 10:21 PM, Andrew Woodward wrote:
> Keystone authtoken is also used by radosgw to vali
Keystone authtoken is also used by radosgw to validate users
On Tue, Jul 28, 2015 at 10:31 AM Andrew Woodward
wrote:
> IIRC the puppet modules, and even the heat domain create script make use
> of the token straight from the config file. It not being present could
> cause problems for some of th
IIRC the puppet modules, and even the heat domain create script make use of
the token straight from the config file. It not being present could cause
problems for some of the manifests. We would need to ensure that their
usage is minimized or removed.
On Tue, Jul 28, 2015 at 9:29 AM Sergii Golovat
Hi Oleksiy,
Good catch. Also OSTF should get endpoints from hiera as some plugins may
override the initial deployment settings. There may be cases when keystone
is detached by plugin.
--
Best regards,
Sergii Golovatiuk,
Skype #golserge
IRC #holser
On Tue, Jul 28, 2015 at 5:26 PM, Oleksiy Molchan
Hello all,
We need to discuss removal of OS_SERVICE_TOKEN usage in Fuel after
deployment. This came from https://bugs.launchpad.net/fuel/+bug/1430619. I
guess not all of us have an access to this bug, so to be short:
# A "shared secret" that can be used to bootstrap Keystone.
# This "token" does
10 matches
Mail list logo
