Documentation #13519

Documentation for using keystone admin username and password missing

Added by Mike Lowe over 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Target version: -
% Done: 0%

Description

The documentation only mentions the admin token for radosgw integration with keystone. This is not the preferred method and in many cases will not work when the admin token is disabled as per OpenStack best practices. The admin token is properly only used to bootstrap a new install of keystone. The documentation here http://docs.ceph.com/docs/master/radosgw/config-ref/ should mention the configurables 'rgw keystone admin user', 'rgw keystone admin password', 'rgw keystone admin tenant' as the credentials with the "admin" role used to validate keystone tokens. The text here http://docs.ceph.com/docs/master/radosgw/keystone/ should be updated to prefer a service account with the "admin" role as the method of token validation with keystone integration. With Kilo or later, this user named swift would be created by 'openstack user create --password-prompt swift' and assigned the admin role with 'openstack role add --project service --user swift admin'.
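A check for the situation the report describes, as an added example that is not part of the original report or of Ceph: it classifies a ceph.conf by whether radosgw still relies on `rgw keystone admin token` or uses the three service-account options named above. The function names, the section name and the placeholder secrets are assumptions made for illustration, and section scoping is ignored (the last matching key in the file wins).

```shell
#!/bin/sh
# Added example: report how a ceph.conf authenticates radosgw to keystone.

# Print an option's value. Ceph accepts ' ', '_' or '-' between the words of
# an option name, so keys are normalised to spaces before comparing.
rgw_opt() {  # $1 = conf file, $2 = option name written with spaces
    awk -F= -v want="$2" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        NF >= 2 {
            key = $1
            gsub(/[_-]/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]+/, " ", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                last = val                      # last match in the file wins
            }
        }
        END { print last }' "$1"
}

audit_rgw_keystone() {  # $1 = conf file; prints one verdict word
    token=$(rgw_opt "$1" "rgw keystone admin token")
    user=$(rgw_opt "$1" "rgw keystone admin user")
    pass=$(rgw_opt "$1" "rgw keystone admin password")
    tenant=$(rgw_opt "$1" "rgw keystone admin tenant")
    if [ -n "$token" ]; then
        echo admin-token        # shared bootstrap secret still configured
    elif [ -n "$user" ] && [ -n "$pass" ] && [ -n "$tenant" ]; then
        echo service-account    # the setup the report asks the docs to prefer
    else
        echo incomplete         # keystone credentials missing or partial
    fi
}

# Constructed sample configs; section name and secrets are placeholders.
SAMPLES=$(mktemp -d)
printf '%s\n' '[client.radosgw.gateway]' \
    'rgw keystone admin token = PLACEHOLDER_TOKEN' > "$SAMPLES/token.conf"
printf '%s\n' '[client.radosgw.gateway]' \
    'rgw_keystone_admin_user = swift' \
    'rgw_keystone_admin_password = PLACEHOLDER_PASSWORD' \
    'rgw_keystone_admin_tenant = service' > "$SAMPLES/service.conf"
for f in "$SAMPLES"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(audit_rgw_keystone "$f")"
done
```

A config that sets both the token and the service-account options is reported as `admin-token`, since the shared secret is still present in the file.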

Associated revisions

Revision d0eeb624 (diff)
Added by Abhishek Lekshmanan almost 8 years ago

doc:explain service tenant config for rgw keystone

Explain the configuration of `rgw keystone admin user`, tenant and
password which avoids the need for setting the keystone admin token
shared secret in ceph configuration, since this token is recommended to
be disabled in production environments.

Fixes: #13066, #13519
Signed-off-by: Abhishek Lekshmanan <>

History

#1 Updated by Abhishek Lekshmanan almost 8 years ago

  • Status changed from New to Resolved
