Ceph » rgw

The documentation only mentions admin token for radosgw integration with keystone. This is not the preferred method and in many cases will not work when the admin token is disabled as per openstack best practices. The admin token is properly only used to bootstrap a new install of keystone. The documentation here http://docs.ceph.com/docs/master/radosgw/config-ref/ should mention the configurables 'rgw keystone admin user', 'rgw keystone admin password', 'rgw keystone admin tenant' as the credentials with the "admin" role used to validate keystone tokens. The text here http://docs.ceph.com/docs/master/radosgw/keystone/ should be updated to prefer a service account with the "admin" role as the method of token validation with keystone integration. With kilo or later this user named swift would be created by 'openstack user create --password-prompt swift' and assigned the admin role with 'openstack role add --project service --user swift admin'.