rados gateway unable to query revoked tokens
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ceph-radosgw (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
keystone (Juju Charms Collection) | Fix Released | High | Edward Hope-Morley |
Bug Description
We are not configuring nss as part of the rgw installation when relating with keystone. The consequence is that the RGW is unable to retrieve a list of revoked tokens from keystone and thus cannot remove revoked tokens from its cache. Keystone always encodes and signs the response from .../v2.
More info at http://
Also at http://
This results in a load of the following in /var/log/
...
2015-11-26 17:47:39.614313 7f631f7fe700 0 ERROR: signer 0 status = SigningCertNotFound
2015-11-26 17:47:39.614685 7f631f7fe700 0 ERROR: problem decoding
2015-11-26 17:47:39.615043 7f631f7fe700 0 ceph_decode_cms returned -22
2015-11-26 17:47:39.615577 7f631f7fe700 0 ERROR: keystone revocation processing returned error r=-22
...
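A log check for the failure signature quoted above, as an added example that is not part of the original bug report or the charm code: it scans radosgw log lines and reports each failed revocation poll together with the signer status and `ceph_decode_cms` return code logged earlier by the same thread. The function and variable names and the last two sample lines are constructed for illustration, and the line layout is assumed from the four lines quoted in the report.

```python
import re
from collections import namedtuple

# Layout assumed from the report's sample: "<date> <time> <thread> <level> <message>"
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} [\d:.]+) ([0-9a-f]+)\s+(-?\d+) (.*)$")
SIGNER_RE = re.compile(r"ERROR: signer \d+ status = (\w+)")
CMS_RE = re.compile(r"ceph_decode_cms returned (-?\d+)")
REVOKE_RE = re.compile(r"ERROR: keystone revocation processing returned error r=(-?\d+)")

Failure = namedtuple("Failure", "timestamp thread rc signer_status cms_rc")

def find_revocation_failures(lines):
    """Return one Failure per failed revocation poll, carrying the CMS
    context the same thread logged since its previous failure."""
    pending = {}   # thread id -> context collected for the poll in progress
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "..." elisions, blank lines, other formats
        ts, thread, _level, msg = m.groups()
        ctx = pending.setdefault(thread, {})
        if (s := SIGNER_RE.search(msg)):
            ctx["signer_status"] = s.group(1)
        elif (c := CMS_RE.search(msg)):
            ctx["cms_rc"] = int(c.group(1))
        elif (r := REVOKE_RE.search(msg)):
            failures.append(Failure(ts, thread, int(r.group(1)),
                                    ctx.get("signer_status"), ctx.get("cms_rc")))
            pending[thread] = {}  # next poll starts with a clean context
    return failures

# First four lines are quoted in the bug description; the last two are constructed.
SAMPLE_LOG = """\
2015-11-26 17:47:39.614313 7f631f7fe700 0 ERROR: signer 0 status = SigningCertNotFound
2015-11-26 17:47:39.614685 7f631f7fe700 0 ERROR: problem decoding
2015-11-26 17:47:39.615043 7f631f7fe700 0 ceph_decode_cms returned -22
2015-11-26 17:47:39.615577 7f631f7fe700 0 ERROR: keystone revocation processing returned error r=-22
2015-11-26 17:48:02.100000 7f62f57fa700 1 constructed unrelated message
2015-11-26 17:57:39.700000 7f631f7fe700 0 ERROR: keystone revocation processing returned error r=-22
""".splitlines()

if __name__ == "__main__":
    for f in find_revocation_failures(SAMPLE_LOG):
        print(f.timestamp, f.thread, "r=%d" % f.rc, f.signer_status, f.cms_rc)
```

Each returned entry marks a poll after which the gateway's token cache was not pruned, so a non-empty result is worth alerting on.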
Related branches
- Liam Young (community): Approve
- Diff: 588 lines (+68/-127), 7 files modified
hooks/keystone_context.py (+10/-25)
hooks/keystone_hooks.py (+19/-26)
hooks/keystone_utils.py (+21/-22)
templates/kilo/keystone.conf (+0/-2)
unit_tests/test_keystone_contexts.py (+0/-6)
unit_tests/test_keystone_hooks.py (+16/-18)
unit_tests/test_keystone_utils.py (+2/-28)
- Liam Young (community): Approve
- Ryan Beisner: Pending requested
- Diff: 298 lines (+141/-11), 4 files modified
hooks/ceph_radosgw_context.py (+7/-0)
hooks/hooks.py (+118/-5)
templates/ceph.conf (+3/-1)
unit_tests/test_hooks.py (+13/-5)
description: updated
Changed in ceph-radosgw (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
Changed in keystone (Juju Charms Collection):
assignee: nobody → Edward Hope-Morley (hopem)
status: Triaged → In Progress
Changed in ceph-radosgw (Juju Charms Collection):
status: Triaged → In Progress
Changed in ceph-radosgw (Juju Charms Collection):
status: In Progress → Fix Committed
Changed in keystone (Juju Charms Collection):
status: In Progress → Fix Committed
tags: added: canonical-bootstack
Changed in ceph-radosgw (Juju Charms Collection):
status: Fix Committed → Fix Released
Changed in keystone (Juju Charms Collection):
status: Fix Committed → Fix Released
Reducing the token cache size will help relieve the immediate problem; however, we should get things sorted out so that keystone is passing over its certs to identity-service related services such as ceph-radosgw.