Bug 1438965
Summary: | radosgw keystone integration - revoked tokens response is missing signed section | ||
---|---|---|---|
Product: | [Red Hat Storage] Red Hat Ceph Storage | Reporter: | Matt Flusche <mflusche> |
Component: | RGW | Assignee: | Marcus Watts <mwatts> |
Status: | CLOSED ERRATA | QA Contact: | shilpa <smanjara> |
Severity: | medium | Docs Contact: | Erin Donnelly <edonnell> |
Priority: | medium | ||
Version: | 2.3 | CC: | cbodley, ceph-eng-bugs, edonnell, gkadam, hnallurv, kbader, kdreyer, mbenjamin, mflusche, mwatts, nchandek, owasserm, smanjara, sweil, vumrao |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | 2.* | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Fixed In Version: | RHEL: ceph-10.2.7-12.el7cp Ubuntu: ceph_10.2.7-14redhat1xenial | Doc Type: | Bug Fix |
Doc Text: |
.Two new parameters have been introduced to cope with the errors caused by modern Keystone token types
The token revocation API that the Ceph Object Gateway uses no longer works with modern token types in OpenStack and Keystone. This causes errors in the Ceph log and Python backtraces in Keystone.
To cope with these errors, two new parameters `rgw_keystone_token_cache_size` and `rgw_keystone_revocation_interval` have been introduced. Setting the `rgw_keystone_token_cache_size` parameter to 0 in the Ceph configuration file removes the errors. Setting the `rgw_keystone_revocation_interval` parameter to 0 improves performance, but removes the ability to revoke tokens.
|
Last Closed: | 2018-01-30 17:45:45 UTC | Type: | Bug |
Bug Depends On: | 1436386, 1455856 | ||
Bug Blocks: | 1437916 |
Description
Matt Flusche
2017-04-04 22:00:49 UTC
Actually, this bug is causing the issue in OpenStack 10 and RGW 1.3.x integration, because now we do not have ca.pem and signing_cert.pem in the /etc/keystone/ssl path: as Matt said, OSP 10 is using UUID tokens, not PKI tokens, so we cannot run the steps below for importing certs on the RGW node.

```
mkdir /var/ceph/nss
openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
    certutil -d /var/ceph/nss -A -n ca -t "TCu,Cu,Tuw"
openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -pubkey | \
    certutil -A -d /var/ceph/nss -n signing_cert -t "P,P,P"
```

And this is causing this issue. In OSP 8 all is working; I had a similar issue in OSP 8, but when I imported the certs with the above steps, all was good.

Same was recommended in the upstream tracker: http://tracker.ceph.com/issues/17186#note-3.

After setting these values, the errors can no longer be seen:

```
rgw keystone token cache size = 0
```

or

```
rgw keystone revocation interval = 0
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1497
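An added example, not part of the original bug report or of Ceph: a small audit of a ceph.conf for the two options named in the Doc Text, reporting for each gateway section which of the trade-offs described there applies. The sample file, its section names, and the lookup order (gateway section, then [client], then [global]) are assumptions.

```python
import configparser

CACHE = "rgw_keystone_token_cache_size"
INTERVAL = "rgw_keystone_revocation_interval"

# Constructed sample ceph.conf; section names and the URL are made up.
SAMPLE = """
[global]
rgw keystone revocation interval = 0
[client.rgw.gw1]
rgw_keystone_token_cache_size = 0
[client.rgw.gw2]
rgw keystone url = http://keystone.example:5000
[client.radosgw.gw3]
rgw_keystone_revocation_interval = 900   ; inline comment
rgw keystone token cache size = 500
"""

def _norm(key):
    # The page writes the options with underscores and with spaces; treat both alike.
    return "_".join(key.lower().replace("_", " ").split())

def _lookup(cp, section, key):
    # Assumed precedence: the gateway's own section, then [client], then [global].
    for name in (section, "client", "global"):
        if cp.has_option(name, key) and cp.get(name, key):
            return int(cp.get(name, key))
    return None  # not set in the file, so the build default applies

def audit(conf_text):
    """Map each gateway section to (cache_size, revocation_interval, finding)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",),
                                   allow_no_value=True, inline_comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        # Assumption: gateway sections are named client.rgw.* or client.radosgw.*
        if not section.startswith(("client.rgw.", "client.radosgw.")):
            continue
        cache, interval = _lookup(cp, section, CACHE), _lookup(cp, section, INTERVAL)
        if cache == 0:
            finding = "token cache off"
        elif interval == 0:
            finding = "revocation checks off: tokens cannot be revoked"
        else:
            finding = "revocation polling on: fails with modern token types"
        report[section] = (cache, interval, finding)
    return report

if __name__ == "__main__":
    for name, row in audit(SAMPLE).items():
        print(name, row)
```

A section reported as "revocation checks off" is the case the Doc Text warns about: the errors are gone, but so is the ability to revoke tokens.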