Bug #22312
Status: open
ERROR: keystone revocation processing returned error r=-22 on keystone v3 openstack ocata
Description
Hi all.
Currently, my ceph cluster uses ceph 12.2.2-1xenial on ubuntu 16.04.
My ceph config:
rgw keystone api version = 3
rgw keystone url = http://10.5.8.72:5000
rgw keystone admin user = admin
rgw keystone admin password = admin
rgw keystone admin domain = Default
rgw keystone admin project = admin
#rgw keystone admin tenant = admin
rgw_keystone_verify_ssl = false
rgw_keystone_accepted_roles = admin,_member_,user
rgw_keystone_token_cache_size = 10
rgw_keystone_revocation_interval = 300
rgw s3 auth use keystone = true
Ceph log:
2017-12-04 14:39:11.770550 7f7bf4a8b700 0 revoked tokens response is missing signed section
2017-12-04 14:39:11.770572 7f7bf4a8b700 0 ERROR: keystone revocation processing returned error r=-22
Thanks.
Updated by hoan nv over 6 years ago
I found: starting from Ocata OpenStack,
PKI tokens are deprecated and not supported in Ocata:
https://docs.openstack.org/security-guide/identity/tokens.html
In the rgw_keystone.cc file, rgw calls the v3/auth/tokens/OS-PKI/revoked URL if using OpenStack Identity v3.
const auto keystone_version = config.get_api_version();
// Pick the revocation-list endpoint for the configured Keystone API version.
if (keystone_version == rgw::keystone::ApiVersion::VER_2) {
  url.append("v2.0/tokens/revoked");
} else if (keystone_version == rgw::keystone::ApiVersion::VER_3) {
  url.append("v3/auth/tokens/OS-PKI/revoked");
}

req.set_send_length(0);

int ret = req.process(url.c_str());
if (ret < 0) {
  return ret;
}

bl.append((char)0); // NULL terminate for debug output
ldout(cct, 10) << "request returned " << bl.c_str() << dendl;

// The response is expected to be JSON carrying a "signed" (PKI CMS) section.
JSONParser parser;
if (!parser.parse(bl.c_str(), bl.length())) {
  ldout(cct, 0) << "malformed json" << dendl;
  return -EINVAL;
}

JSONObjIter iter = parser.find_first("signed");
if (iter.end()) {
  ldout(cct, 0) << "revoked tokens response is missing signed section" << dendl;
  return -EINVAL;  // this is the r=-22 seen in the log
}
Thanks
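The following is an added example, not Ceph's own code: a small Python re-implementation of the revocation-list handling shown above, so an operator can feed a captured Keystone response body to it offline and see why rgw returns -22 (EINVAL). The two sample bodies are constructed, not captured from a real Keystone.

```python
import errno
import json

# Constructed sample bodies (not captured from a real Keystone): the first
# mimics what a PKI-era /tokens/revoked endpoint returned, the second the
# kind of JSON error body an Ocata Keystone returns once PKI is gone.
PKI_STYLE_BODY = json.dumps({"signed": "MIIB...constructed-placeholder..."})
OCATA_STYLE_BODY = json.dumps({"error": {"code": 404, "title": "Not Found",
                                          "message": "The resource could not be found."}})


def process_revoked_tokens(body):
    """Hypothetical mirror of rgw's revocation-list processing.

    Returns (0, signed_blob) when the response carries a top-level "signed"
    section, otherwise (-errno.EINVAL, reason) for the same two failures rgw
    logs: unparseable JSON, or a parseable response with no "signed" key.
    errno.EINVAL is 22, which is the r=-22 in the ceph log.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return (-errno.EINVAL, "malformed json")
    if not isinstance(doc, dict) or "signed" not in doc:
        return (-errno.EINVAL, "revoked tokens response is missing signed section")
    return (0, doc["signed"])


if __name__ == "__main__":
    for label, body in (("pki", PKI_STYLE_BODY), ("ocata", OCATA_STYLE_BODY)):
        r, detail = process_revoked_tokens(body)
        print("%s: r=%d (%s)" % (label, r, detail))
```

Paste the body that your Keystone actually returns for v3/auth/tokens/OS-PKI/revoked in place of the constructed samples to confirm which branch rgw is hitting.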
Updated by Matt Benjamin over 6 years ago
- Status changed from New to In Progress
- Assignee set to Marcus Watts
@Marcus Sorensen, could you take a look when able?