Bug 1300855 - [RFE] Support for PKIZ and other token formats with Keystone integration
Product: Red Hat Ceph Storage
Classification: Red Hat
Component: RGW
Priority: high Severity: unspecified
: rc
: 2.1
Assigned To: Marcus Watts
Bara Ancincova
Depends On:
Blocks: 1383917
Reported: 2016-01-21 17:54 EST by Neil Levine
Modified: 2017-07-30 11:42 EDT (History)

See Also:
Fixed In Version: RHEL: ceph-10.2.3-5.el7cp Ubuntu: ceph_10.2.3-6redhat1xenial
Doc Type: Bug Fix
Doc Text:
.Ceph Object Gateway now supports new token formats with the Keystone integration
Users can now use the following token formats for Keystone authentication:
* PKIZ - compressed Public Key Infrastructure (PKI)
* Fernet
Story Points: ---
Clone Of:
Last Closed: 2016-11-22 14:24:42 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Neil Levine 2016-01-21 17:54:17 EST
Keystone supports a number of different token formats[1]. Currently RGW only supports UUID.

RGW should also support PKI, PKIZ and Fernet.

[1] http://docs.openstack.org/developer/keystone/configuration.html#token-provider
Comment 1 Matt Benjamin (redhat) 2016-01-21 18:00:18 EST
nb, we do support PKI tokens.
Comment 2 Neil Levine 2016-01-21 18:02:48 EST
Thanks for clarifying.
Comment 4 blair.bethwaite 2016-01-27 00:29:23 EST
Note that there is already a similar report at:

However, the description in that report states that PKIZ tokens do work. I can't see how/where this is handled in the code so looking for a confirmation from engineering please?
Comment 5 Matt Benjamin (redhat) 2016-01-27 10:55:32 EST
Your interpretation of the code matches ours:  we don't think PKIZ token format is actually supported.

We'll post an update when we have verified more fully.
Comment 9 blair.bethwaite 2016-04-04 12:30:51 EDT
Actually, it does work. We set up a test cluster and verified this ourselves when this bug and associated ticket stalled. Here's some output using our production Radosgw gateway now that it is using Keystone with PKIZ:

blair@bethwaite:~$ env | grep OS_

blair@bethwaite:~$ swift --version
python-swiftclient 2.7.0

blair@bethwaite:~$ swift --debug --os-storage-url https://au-east.erc.monash.edu.au/swift/v1 stat  
DEBUG:keystoneclient.auth.identity.v2:Making authentication request to https://keystone.rc.nectar.org.au:5000/v2.0/tokens  
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): keystone.rc.nectar.org.au  
DEBUG:requests.packages.urllib3.connectionpool:"POST /v2.0/tokens HTTP/1.1" 200 8874  
INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): au-east.erc.monash.edu.au  
DEBUG:requests.packages.urllib3.connectionpool:"HEAD /swift/v1 HTTP/1.1" 204 0  
DEBUG:swiftclient:REQ: curl -i https://au-east.erc.monash.edu.au/swift/v1 -I -H "X-Auth-Token: PKIZ_eJytWVt3oswSfe9fcd6zv
...more token...
DEBUG:swiftclient:RESP STATUS: 204 No Content
DEBUG:swiftclient:RESP HEADERS: [('Content-Length', '0'), ('X-Account-Object-Count', '12'), ('X-Account-Bytes-Used-Actual', '14971854848'), ('X-Trans-Id', 'tx00000000000000001e22d-0057029383-c9bd6-au-east'), ('Date', 'Mon, 04 Apr 2016 16:17:09 GMT'), ('X-Account-Bytes-Used', '14971838040'), ('X-Account-Container-Count', '7'), ('Content-type', 'text/plain; charset=utf-8'), ('Accept-Ranges', 'bytes')] 
                    Account: v1
                 Containers: 7
                    Objects: 12
                      Bytes: 14971838040
X-Account-Bytes-Used-Actual: 14971854848
                 X-Trans-Id: tx00000000000000001e22d-0057029383-c9bd6-au-east
               Content-Type: text/plain; charset=utf-8
              Accept-Ranges: bytes

Note in the output above that the token has the prefix "PKIZ_" and that the "swift stat" (basically, getting account info) completed successfully.

Hopefully this info can help avoid anyone unwittingly breaking this feature!
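Added example, not code from this bug or from Ceph's RGW: a token-format dispatcher plus a bounded PKIZ unwrapper, which is the first step a validator takes before it can verify a token of any of the formats discussed here. It assumes the PKIZ layout used by keystoneclient's cms module (zlib, then URL-safe base64, after the PKIZ_ prefix) and the usual Fernet/PKI/UUID prefixes; the constant and function names and the sample payload are mine.

```python
import base64
import zlib

# On-the-wire prefixes (assumed, not taken from RGW code). "PKIZ_" is the prefix
# visible in the swift --debug output above; the "eJy" that follows it there is
# the base64 of a zlib header (0x78 0x9c). "MII" is the base64 of a DER SEQUENCE,
# i.e. a PKI (CMS) token; "gAAAAA" is a Fernet token's version byte 0x80 and the
# zero high bytes of its timestamp, URL-safe base64 encoded.
PKIZ_PREFIX = "PKIZ_"
PKI_PREFIX = "MII"
FERNET_PREFIX = "gAAAAA"
HEX_DIGITS = set("0123456789abcdef")


def classify_token(token: str) -> str:
    """Return the Keystone token format a validator would dispatch on."""
    if token.startswith(PKIZ_PREFIX):
        return "PKIZ"
    if token.startswith(PKI_PREFIX):
        return "PKI"
    if token.startswith(FERNET_PREFIX):
        return "Fernet"
    if len(token) == 32 and set(token.lower()) <= HEX_DIGITS:
        return "UUID"  # v2 UUID tokens are uuid4().hex
    return "unknown"


def pkiz_wrap(cms_der: bytes) -> str:
    """Compress and encode an (already signed) DER CMS blob as a PKIZ token.
    Assumption: zlib then URL-safe base64, as keystoneclient's pkiz_sign does."""
    compressed = zlib.compress(cms_der, 6)
    return PKIZ_PREFIX + base64.urlsafe_b64encode(compressed).decode("ascii")


def pkiz_unwrap(token: str, max_size: int = 1 << 20) -> bytes:
    """Recover the CMS bytes from a PKIZ token, bounding the inflated size so a
    malformed or hostile token cannot exhaust gateway memory on decompression."""
    if not token.startswith(PKIZ_PREFIX):
        raise ValueError("not a PKIZ token")
    raw = base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):].encode("ascii"))
    inflater = zlib.decompressobj()
    out = inflater.decompress(raw, max_size)
    # Either the limit was hit with input left over, or the stream never ended.
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("PKIZ payload over %d bytes or truncated" % max_size)
    return out
```

The CMS signature check that follows unwrapping (against the Keystone signing certificate) is what actually authenticates the token; this block only shows the framing.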
Comment 15 Matt Benjamin (redhat) 2016-10-03 13:58:20 EDT
Support is complete in Jewel (though PKIZ tokens are deprecated in OpenStack).
Comment 16 Matt Benjamin (redhat) 2016-10-03 13:59:06 EDT
(Correcting myself:  we support all Keystone token types, including the preferred Fernet tokens, in Jewel.)
Comment 22 errata-xmlrpc 2016-11-22 14:24:42 EST
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.