Bug #17186

radosgw keystonev3 token revocation error

Added by Matt Benjamin almost 3 years ago. Updated almost 3 years ago.

Status: Can't reproduce
Priority: High
Target version: -
Start date: 08/31/2016
Due date:
% Done: 0%
Source: Community (user)
Tags:
Backport: jewel
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

I am getting some unusual errors in my radosgw.log.
I have Keystone configured with fernet tokens.
I have RGW configured to use Keystone V3.
RGW starts.
Glance is configured to use swift provided by RGW.
Glance is able to upload an image.

However, I am getting the following error repeatedly:
2016-08-30 12:02:39.783567 7f1f55ffb700 0 revoked tokens response is missing signed section
2016-08-30 12:02:39.783590 7f1f55ffb700 0 ERROR: keystone revocation processing returned error r=-22

Any suggestions about how to resolve this error message?
Is it a red herring, a bug in my configuration, a bug in RGW?

Here is my RGW config from my ceph.conf file:
[client.radosgw.gateway]
rgw_keystone_api_version = 3
rgw_keystone_token_cache_size = 500
user = ceph
rgw_keystone_admin_domain = default
rgw_keystone_url = https://127.0.0.1:35357
rgw_s3_auth_use_keystone = True
rgw_keystone_admin_password = secret
rgw_keystone_admin_user = rgwuser
rgw_frontends = civetweb port=8080
log_file = /var/log/ceph/radosgw.log
rgw_keystone_admin_project = services
host = clone
rgw_keystone_accepted_roles = admin,Member
keyring = /etc/ceph/ceph.client.radosgw.gateway.keyring

History

#1 Updated by Ken Dreyer almost 3 years ago

  • Target version deleted (v10.2.3)
  • Backport set to jewel

Keith Schincke (OpenStack community) requested we backport this fix to jewel, since he ran across this while making a puppet module to get RGW to do keystone V3/fernet.

#2 Updated by Matt Benjamin almost 3 years ago

  • Assignee changed from Matt Benjamin to Pritha Srivastava

#3 Updated by Pritha Srivastava almost 3 years ago

2016-08-30 12:02:39.783567 7f1f55ffb700 0 revoked tokens response is missing signed section --> this line implies that getting the revoked token list from keystone is failing.

I did not have the keystone certs set up properly on my system, so I was able to see the above error in my rgw logs as well. As soon as I fixed the certs, these errors went away. (The token format was UUID and the version was v2 in my setup, though.) (The certs are in the /etc/keystone/ssl/certs folder.)

Logs from Keystone with text "v3/auth/tokens/OS-PKI/revoked" will help here to determine exactly why getting the revoked token list from keystone is failing.
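
Added example (not part of the ticket or of Ceph's code): a Python triage helper that pulls the revocation-related lines out of a radosgw.log and classifies a response body captured from the OS-PKI/revoked endpoint named above. It assumes the revocation list is a JSON object whose "signed" member holds a CMS blob; the function names and result labels are hypothetical, and the sample log is constructed from the two lines in the report.

```python
import json
import re

# Constructed sample: the two log lines quoted in the report plus one
# unrelated line invented for contrast.
SAMPLE_RGW_LOG = """\
2016-08-30 12:02:39.783567 7f1f55ffb700 0 revoked tokens response is missing signed section
2016-08-30 12:02:39.783590 7f1f55ffb700 0 ERROR: keystone revocation processing returned error r=-22
2016-08-30 12:02:40.000000 7f1f55ffb700 1 constructed unrelated line
"""

# "<date> <time> <thread id> <level> <message>", as in the lines above.
LINE_RE = re.compile(r"^(\S+ \S+) (\S+)\s+(-?\d+) (.*)$")
REVOCATION_RE = re.compile(
    r"revoked tokens response|keystone revocation processing")


def revocation_failures(log_text):
    """Return (timestamp, thread, message) for each revocation-related line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and REVOCATION_RE.search(m.group(4)):
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits


def classify_revocation_body(http_status, body):
    """Explain why a captured response would or would not carry the
    'signed' section that the RGW log message refers to."""
    if http_status != 200:
        return "http-error"          # Keystone refused or failed the request
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-json"            # e.g. an HTML error page from a proxy
    if not isinstance(doc, dict) or "signed" not in doc:
        return "missing-signed"      # the case logged in this ticket
    if "BEGIN CMS" not in str(doc["signed"]):
        return "signed-not-cms"      # assumption: CMS armor is expected
    return "ok"


if __name__ == "__main__":
    for ts, thread, msg in revocation_failures(SAMPLE_RGW_LOG):
        print(ts, thread, msg)
    print(classify_revocation_body(200, '{"error": "constructed"}'))
```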

#4 Updated by Matt Benjamin almost 3 years ago

  • Status changed from New to In Progress

#5 Updated by Yehuda Sadeh almost 3 years ago

  • Status changed from In Progress to Can't reproduce
