Fix radosgw keystone authentication
Radosgw relies on the shared-secret admin token, passed via the SERVICE_TOKEN variable, but the admin token was deprecated and devstack doesn't configure a shared secret. This change switches to using service credentials instead: it creates a 'radosgw' service user with admin privileges and configures radosgw with them. Change-Id: I12d4ea4021b93be73358f0aa68a32879af8fda53
1 changed files with 6 additions and 1 deletions
@@ -408,7 +408,9 @@ function _configure_ceph_rgw {
rgw print continue = false
rgw frontends = civetweb port=${CEPH_RGW_PORT}
rgw keystone url = http://${SERVICE_HOST}:35357
rgw keystone admin token = ${SERVICE_TOKEN}
rgw keystone admin user = radosgw
rgw keystone admin password = $SERVICE_PASSWORD
rgw keystone admin tenant = $SERVICE_PROJECT_NAME
rgw keystone accepted roles = Member, _member_, admin
rgw s3 auth use keystone = true
nss db path = ${CEPH_DATA_DIR}/radosgw/ceph-radosgw.$(hostname)/nss
@@ -439,6 +441,9 @@ function configure_ceph_embedded_rgw {
# Let keystone generate the certs, rgw needs these.
keystone-manage pki_setup --rebuild
# Create radosgw service user with admin privileges
create_service_user "radosgw" "admin"
# radosgw needs to access keystone's revocation list
sudo mkdir -p ${CEPH_DATA_DIR}/radosgw/ceph-radosgw.$(hostname)/nss
sudo openssl x509 -in /etc/keystone/ssl/certs/ca.pem -pubkey | \
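Review bot: `create_service_user "radosgw" "admin"` in configure_ceph_embedded_rgw gives the gateway's Keystone account the admin role, and the first hunk writes that account's password (`$SERVICE_PASSWORD`, which looks like the value shared by the other service users) in clear text into the rgw section of the Ceph config, so read access to that file amounts to Keystone admin access. If radosgw only needs to validate tokens and read the revocation list, a narrower role may be enough; assuming the helper falls back to the service role when the second argument is omitted, that would be `create_service_user "radosgw"`, and if admin really is required the comment above the call should say which Keystone calls need it. The owner and mode of the generated config file are set outside these hunks and are worth checking, as is the `http://` Keystone URL that the password-based login now travels over. Both function bodies continue beyond the hunks shown.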