rados gateway unable to query revoked tokens
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| ceph-radosgw (Juju Charms Collection) |
Fix Released
|
High
|
Edward Hope-Morley | ||
| keystone (Juju Charms Collection) |
Fix Released
|
High
|
Edward Hope-Morley | ||
Bug Description
We are not configuring nss as part of the rgw installation when relating with keystone. The consequence is that the RGW is unable to retrieve a list of revoked tokens from keystone and thus cannot remove revoked tokens from its cache. Keystone always encodes and signs the response from .../v2.
More info at http://
Also at http://
This results in a load of the following in /var/log/
...
2015-11-26 17:47:39.614313 7f631f7fe700 0 ERROR: signer 0 status = SigningCertNotFound
2015-11-26 17:47:39.614685 7f631f7fe700 0 ERROR: problem decoding
2015-11-26 17:47:39.615043 7f631f7fe700 0 ceph_decode_cms returned -22
2015-11-26 17:47:39.615577 7f631f7fe700 0 ERROR: keystone revocation processing returned error r=-22
...
Related branches
- Liam Young (community): Approve
-
Diff: 588 lines (+68/-127)7 files modifiedhooks/keystone_context.py (+10/-25)
hooks/keystone_hooks.py (+19/-26)
hooks/keystone_utils.py (+21/-22)
templates/kilo/keystone.conf (+0/-2)
unit_tests/test_keystone_contexts.py (+0/-6)
unit_tests/test_keystone_hooks.py (+16/-18)
unit_tests/test_keystone_utils.py (+2/-28)
- Liam Young (community): Approve
- Ryan Beisner: Pending requested
-
Diff: 298 lines (+141/-11)4 files modifiedhooks/ceph_radosgw_context.py (+7/-0)
hooks/hooks.py (+118/-5)
templates/ceph.conf (+3/-1)
unit_tests/test_hooks.py (+13/-5)
| description: | updated |
| James Page (james-page) wrote | #1 |
| Changed in ceph-radosgw (Juju Charms Collection): | |
| status: | New → Triaged |
| Edward Hope-Morley (hopem) wrote | #2 |
| Changed in keystone (Juju Charms Collection): | |
| milestone: | none → 16.01 |
| importance: | Undecided → High |
| status: | New → Triaged |
| Changed in ceph-radosgw (Juju Charms Collection): | |
| assignee: | nobody → Edward Hope-Morley (hopem) |
| Changed in keystone (Juju Charms Collection): | |
| assignee: | nobody → Edward Hope-Morley (hopem) |
| status: | Triaged → In Progress |
| Changed in ceph-radosgw (Juju Charms Collection): | |
| status: | Triaged → In Progress |
| Changed in ceph-radosgw (Juju Charms Collection): | |
| status: | In Progress → Fix Committed |
| Changed in keystone (Juju Charms Collection): | |
| status: | In Progress → Fix Committed |
| tags: | added: canonical-bootstack |
| Changed in ceph-radosgw (Juju Charms Collection): | |
| status: | Fix Committed → Fix Released |
| Changed in keystone (Juju Charms Collection): | |
| status: | Fix Committed → Fix Released |
Reducing the token cache size will help relieve the immediate problem; however we should get things sorted out so that keystone is passing over its certs to identity-service related services such as ceph-radosgw.