4:23 a.m.
We have to clarify for a documentation change
(https://review.openstack.org/#/c/127494/) if the default keystone token
provider will change in the RDO packages.
According to
https://blueprints.launchpad.net/keystone/+spec/uuid-as-default-token-pro...
the default token provider changed from PKI back to UUID. Because of
that it is not longer necessary to setup the PKI certificates and keys.
Christian.
--
Christian Berendt
Cloud Solution Architect
Mail: berendt(a)b1-systems.de
B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
GF: Ralph Dehner / Unternehmenssitz: Vohburg / AG: Ingolstadt,HRB 3537
5:25 p.m.
We have to clarify for a documentation change
(https://review.openstack.org/#/c/127494/) if the default keystone token
provider will change in the RDO packages.
I've replied in the review, repeating here for the archive:
openstack-keystone RPM does not modify upstream default i.e. [token]
provider is not set in
http://pkgs.fedoraproject.org/cgit/openstack-keystone.git/tree/keystone-d...
puppet-keystone modules was setting this to pki earlier but that was
changed to match Juno:
https://github.com/stackforge/puppet-keystone/commit/611d9649f21c304af3c3...
This is included in the latest RDO Juno build
openstack-puppet-modules-2014.2.1-0.4
I also double-checked that packstack is not setting token_provider parameter.
So all good for RDO Juno!
Cheers,
Alan
5:51 p.m.
So all good for RDO Juno!
Please note later -1 review from Nathan, I jumped to the conclusion!
"We still need to perform the PKI certificate setup, even if UUID
tokens are being used. The reason is that the token revocation list is
signed regardless of the token format. If the keys/cert are not
created, then an attempt to fetch the revocation list will result in
signing errors due to an underlying ENOENT."
6:16 p.m.
On 10/14/2014 03:51 PM, Alan Pevec wrote:
> So all good for RDO Juno!
Please note later -1 review from Nathan, I jumped to the conclusion!
"We still need to perform the PKI certificate setup, even if UUID
tokens are being used. The reason is that the token revocation list is
signed regardless of the token format. If the keys/cert are not
created, then an attempt to fetch the revocation list will result in
signing errors due to an underlying ENOENT."
The puppet-keystone module handles this properly now too, so things will
be set up correctly when using packstack.
The documentation should still mention that PKI setup is needed even
when using the UUID token format. This is true for all
platforms/distributions, not just RDO.
Thanks,
-NGK
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
2:07 p.m.
On 10/14/2014 03:25 PM, Alan Pevec wrote:
> We have to clarify for a documentation change
> (https://review.openstack.org/#/c/127494/) if the default keystone token
> provider will change in the RDO packages.
I've replied in the review, repeating here for the archive:
openstack-keystone RPM does not modify upstream default i.e. [token]
provider is not set in
http://pkgs.fedoraproject.org/cgit/openstack-keystone.git/tree/keystone-d...
puppet-keystone modules was setting this to pki earlier but that was
changed to match Juno:
https://github.com/stackforge/puppet-keystone/commit/611d9649f21c304af3c3...
This is included in the latest RDO Juno build
openstack-puppet-modules-2014.2.1-0.4
I also double-checked that packstack is not setting token_provider parameter.
This is sadly not true. Packstack is still defaulting to PKI:
https://bugs.launchpad.net/packstack/+bug/1382160
I've proposed a fix here:
https://review.openstack.org/#/c/129018/
Thanks,
-NGK
So all good for RDO Juno!
Cheers,
Alan
_______________________________________________
Rdo-list mailing list
Rdo-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/rdo-list
3696
days inactive
3698
days old
4 comments
3 participants
participants (3)
-
Alan Pevec -
Christian Berendt -
Nathan Kinder