Bug 1300855 - [RFE] Support for PKIZ and other token formats with Keystone integration
Summary: [RFE] Support for PKIZ and other token formats with Keystone integration
Alias: None
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Version: 1.3.2
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 2.1
Assignee: Marcus Watts
QA Contact: shilpa
Bara Ancincova
Depends On:
Blocks: 1383917
TreeView+ depends on / blocked
Reported: 2016-01-21 22:54 UTC by Neil Levine
Modified: 2020-01-17 15:38 UTC (History)
12 users (show)

Fixed In Version: RHEL: ceph-10.2.3-5.el7cp Ubuntu: ceph_10.2.3-6redhat1xenial
Doc Type: Bug Fix
Doc Text:
.Ceph Object Gateway now supports new token formats with the Keystone integration Users can now use the following token formats for Keystone authentication: * PKIZ - compressed Public Key Infrastructure (PKI) * Fernet
Clone Of:
Last Closed: 2016-11-22 19:24:42 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2815 normal SHIPPED_LIVE Moderate: Red Hat Ceph Storage security, bug fix, and enhancement update 2017-03-22 02:06:33 UTC

Description Neil Levine 2016-01-21 22:54:17 UTC
Keystone supports  a number of different token formats[1]. Currently RGW only supports UUID. 

RGW should also support PKI, PKIZ and Fernet.

[1] http://docs.openstack.org/developer/keystone/configuration.html#token-provider

Comment 1 Matt Benjamin (redhat) 2016-01-21 23:00:18 UTC
nb, we do support PKI tokens.

Comment 2 Neil Levine 2016-01-21 23:02:48 UTC
Thanks for clarifying.

Comment 4 blair.bethwaite 2016-01-27 05:29:23 UTC
Note that there is already a similar report at:

However, the description in that report states that PKIZ tokens do work. I can't see how/where this is handled in the code so looking for a confirmation from engineering please?

Comment 5 Matt Benjamin (redhat) 2016-01-27 15:55:32 UTC
Your interpretation of the code matches ours:  we don't think PKIZ token format is actually supported.

We'll post an update when we have verified more fully.

Comment 9 blair.bethwaite 2016-04-04 16:30:51 UTC
Actually, it does work. We setup a test cluster and verified this ourselves when this bug and associated ticket stalled. Here's some output using our production Radosgw gateway now that it is using Keystone with PKIZ:

blair@bethwaite:~$ env | grep OS_

blair@bethwaite:~$ swift --version
python-swiftclient 2.7.0

blair@bethwaite:~$ swift --debug --os-storage-url https://au-east.erc.monash.edu.au/swift/v1 stat  
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://keystone.rc.nectar.org.au:5000/v2.0/tokens  
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): keystone.rc.nectar.org.au  
DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 8874  
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): au-east.erc.monash.edu.au  
DEBUG:requests.packages.urllib3.connectionpool:"HEAD /swift/v1 HTTP/1.1" 204 0  
DEBUG:swiftclient:REQ: curl -i https://au-east.erc.monash.edu.au/swift/v1 -I -H "X-Auth-Token: PKIZ_eJytWVt3oswSfe9fcd6zv
...more token...
DEBUG:swiftclient:RESP STATUS: 204 No Content
DEBUG:swiftclient:RESP HEADERS: [('Content-Length', '0'), ('X-Account-Object-Count', '12'), ('X-Account-Bytes-Used-Actual', '14971854848'), ('X-Trans-Id', 'tx00000000000000001e22d-0057029383-c9bd6-au-east'), ('Date', 'Mon, 04 Apr 2016 16:17:09 GMT'), ('X-Account-Bytes-Used', '14971838040'), ('X-Account-Container-Count', '7'), ('Content-type', 'text/plain; charset=utf-8'), ('Accept-Ranges', 'bytes')] 
                    Account: v1
                 Containers: 7
                    Objects: 12
                      Bytes: 14971838040
X-Account-Bytes-Used-Actual: 14971854848
                 X-Trans-Id: tx00000000000000001e22d-0057029383-c9bd6-au-east
               Content-Type: text/plain; charset=utf-8
              Accept-Ranges: bytes

Note in the output above that the token has the prefix "PKIZ_" and that the "swift stat" (basically, getting account info) completed successfully.

Hopefully this info can help avoid anyone unwittingly breaking this feature!

Comment 15 Matt Benjamin (redhat) 2016-10-03 17:58:20 UTC
Support is complete in Jewel (though PKIZ tokens are deprecated in OpenStack).

Comment 16 Matt Benjamin (redhat) 2016-10-03 17:59:06 UTC
(Correcting myself:  we support all Keystone token types, including the preferred Fernet tokens, in Jewel.)

Comment 22 errata-xmlrpc 2016-11-22 19:24:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.