Actions
Fix #64394
openrefactor keystone EC2Engine to not use admin token
Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
% Done:
0%
Source:
Tags:
Backport:
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
See the discussion here https://github.com/ceph/ceph/pull/55236#discussion_r1484848663
we can refactor a lot of code in keystone EC2engine auth to get rid of keystone admin token usage
Now looking at it again I'm thinking that the logic in EC2Engine::get_from_keystone() might be flawed, we don't not need to pass an admin token in there because the API is public [1] [2], and with that said I think we can also refactor EC2Engine::get_secret_from_keystone() to pass in the user token in that function and get rid of the admin token requirement for Keystone auth EC2Engine [3] since policies changed in the past to not require admin access for the identity:ec2_get_credentialpolicy [4].
No data to display
Actions