Project

General

Profile

Bug #22312

ERROR: keystone revocation processing returned error r=-22 on keystone v3 openstack ocata

Added by hoan nv over 3 years ago. Updated over 3 years ago.

Status:
In Progress
Priority:
Normal
Assignee:
Target version:
% Done:

0%

Source:
Tags:
Backport:
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
rgw
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Hi all.

Currently , my ceph cluster use ceph 12.2.2-1xenial on ubuntu 16.04.
my ceph config

rgw keystone api version = 3
rgw keystone url = http://10.5.8.72:5000
rgw keystone admin user = admin
rgw keystone admin password = admin
rgw keystone admin domain = Default
rgw keystone admin project = admin
#rgw keystone admin tenant = admin
rgw_keystone_verify_ssl = false
rgw_keystone_accepted_roles = admin,_member_,user
rgw_keystone_token_cache_size = 10
rgw_keystone_revocation_interval = 300
rgw s3 auth use keystone = true

log ceph

2017-12-04 14:39:11.770550 7f7bf4a8b700 0 revoked tokens response is missing signed section
2017-12-04 14:39:11.770572 7f7bf4a8b700 0 ERROR: keystone revocation processing returned error r=-22

Thanks.

History

#1 Updated by hoan nv over 3 years ago

I found: start from ocata openstack

PKI token deprecated and not supported in Ocata

https://docs.openstack.org/security-guide/identity/tokens.html

in rgw_keystone.cc file, rgw call to v3/auth/tokens/OS-PKI/revoked url if use openstack identify ver3.

const auto keystone_version = config.get_api_version();
if (keystone_version rgw::keystone::ApiVersion::VER_2) {
url.append("v2.0/tokens/revoked");
} else if (keystone_version rgw::keystone::ApiVersion::VER_3) {
url.append("v3/auth/tokens/OS-PKI/revoked");
}

req.set_send_length(0);
int ret = req.process(url.c_str());
if (ret < 0) {
return ret;
}

bl.append((char)0); // NULL terminate for debug output

ldout(cct, 10) << "request returned " << bl.c_str() << dendl;

JSONParser parser;

if (!parser.parse(bl.c_str(), bl.length())) {
ldout(cct, 0) << "malformed json" << dendl;
return -EINVAL;
}

JSONObjIter iter = parser.find_first("signed");
if (iter.end()) {
ldout(cct, 0) << "revoked tokens response is missing signed section" << dendl;
return -EINVAL;
}

Thanks

#2 Updated by Matt Benjamin over 3 years ago

  • Status changed from New to In Progress
  • Assignee set to Marcus Watts

@marcus, could you take a look when able?

#3 Updated by Yehuda Sadeh over 3 years ago

@marcus ping

Also available in: Atom PDF