Bug #17186
radosgw keystonev3 token revocation error (closed)
Description
I am getting some unusual errors in my radosgw.log.
I have Keystone configured with fernet tokens.
I have RGW configured to use Keystone V3.
RGW starts.
Glance is configured to use swift provided by RGW.
Glance is able to upload an image.
However, I am getting the following error repeatedly:
2016-08-30 12:02:39.783567 7f1f55ffb700 0 revoked tokens response is missing signed section
2016-08-30 12:02:39.783590 7f1f55ffb700 0 ERROR: keystone revocation processing returned error r=-22
Any suggestions about how to resolve this error message?
Is it a red herring, a bug in my configuration, a bug in RGW?
Here is my RGW config from my ceph.conf file:
[client.radosgw.gateway]
rgw_keystone_api_version = 3
rgw_keystone_token_cache_size = 500
user = ceph
rgw_keystone_admin_domain = default
rgw_keystone_url = https://127.0.0.1:35357
rgw_s3_auth_use_keystone = True
rgw_keystone_admin_password = secret
rgw_keystone_admin_user = rgwuser
rgw_frontends = civetweb port=8080
log_file = /var/log/ceph/radosgw.log
rgw_keystone_admin_project = services
host = clone
rgw_keystone_accepted_roles = admin,Member
keyring = /etc/ceph/ceph.client.radosgw.gateway.keyring
Updated by Ken Dreyer over 7 years ago
- Target version deleted (v10.2.3)
- Backport set to jewel
Keith Schincke (OpenStack community) requested we backport this fix to jewel, since he ran across this while making a puppet module to get RGW to do keystone V3/fernet.
Updated by Matt Benjamin over 7 years ago
- Assignee changed from Matt Benjamin to Pritha Srivastava
Updated by Pritha Srivastava over 7 years ago
2016-08-30 12:02:39.783567 7f1f55ffb700 0 revoked tokens response is missing signed section --> this line implies that getting the revoked token list from keystone is failing.
I did not have the keystone certs set up properly in my system, so I was able to see the above error in my rgw logs also. As soon as I fixed the certs, these errors went away. (The token format was UUID and version v2 in my setup, though.) (The certs are in the /etc/keystone/ssl/certs folder.)
Logs from Keystone with text "v3/auth/tokens/OS-PKI/revoked" will help here to determine exactly why getting the revoked token list from keystone is failing.
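A triage helper for the two log lines discussed in this thread, added here as an example and not taken from the thread or from Ceph: it tallies revocation failures in a radosgw log by errno name and classifies a saved response body from the revoked-token endpoint. The function names, the sample log and the expected response shape (a JSON object whose `signed` member holds a `BEGIN CMS` blob) are assumptions.

```python
import errno
import json
import re

# Constructed sample lines in the format shown in the report above.
SAMPLE_LOG = """\
2016-08-30 12:02:39.783567 7f1f55ffb700 0 revoked tokens response is missing signed section
2016-08-30 12:02:39.783590 7f1f55ffb700 0 ERROR: keystone revocation processing returned error r=-22
2016-08-30 12:03:39.801122 7f1f55ffb700 0 revoked tokens response is missing signed section
2016-08-30 12:03:39.801140 7f1f55ffb700 0 ERROR: keystone revocation processing returned error r=-22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<thread>[0-9a-f]+)\s+"
    r"(?P<level>-?\d+) (?P<msg>.*)$")
RC_RE = re.compile(r"keystone revocation processing returned error r=(-?\d+)")


def summarize_revocation_errors(log_text):
    """Count 'missing signed section' lines and revocation errors per errno name."""
    summary = {"missing_signed": 0, "errors": {}}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a radosgw log line in the expected layout
        msg = m.group("msg")
        if "revoked tokens response is missing signed section" in msg:
            summary["missing_signed"] += 1
        rc = RC_RE.search(msg)
        if rc:
            # r=-22 is a negated errno; 22 is EINVAL on Linux
            name = errno.errorcode.get(abs(int(rc.group(1))), "UNKNOWN")
            summary["errors"][name] = summary["errors"].get(name, 0) + 1
    return summary


def classify_revoked_response(body):
    """Classify a saved response body from the revoked-token endpoint."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-json"          # e.g. an HTML error page or empty body
    if not isinstance(doc, dict):
        return "unexpected-json"
    if "signed" not in doc:
        return "missing-signed"    # e.g. an error document, not a revocation list
    if "BEGIN CMS" not in str(doc["signed"]):
        return "signed-not-cms"    # assumed marker of a CMS-signed payload
    return "ok"
```
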
Updated by Matt Benjamin over 7 years ago
- Status changed from New to In Progress
Updated by Yehuda Sadeh over 7 years ago
- Status changed from In Progress to Can't reproduce