.. confval:: rgw_keystone_url
.. confval:: rgw_keystone_admin_domain
.. confval:: rgw_keystone_admin_project
-.. confval:: rgw_keystone_admin_token
-.. confval:: rgw_keystone_admin_token_path
.. confval:: rgw_keystone_admin_tenant
.. confval:: rgw_keystone_admin_user
.. confval:: rgw_keystone_admin_password
services:
- rgw
with_legacy: true
-- name: rgw_keystone_admin_token
- type: str
- level: advanced
- desc: 'DEPRECATED: The admin token (shared secret) that is used for the Keystone
- requests.'
- fmt_desc: The Keystone admin token (shared secret). In Ceph RGW
- authentication with the admin token has priority over
- authentication with the admin credentials
- (``rgw_keystone_admin_user``, ``rgw_keystone_admin_password``,
- ``rgw_keystone_admin_tenant``, ``rgw_keystone_admin_project``,
- ``rgw_keystone_admin_domain``). The Keystone admin token
- has been deprecated, but can be used to integrate with
- older environments. It is preferred to instead configure
- ``rgw_keystone_admin_token_path`` to avoid exposing the token.
- services:
- - rgw
- with_legacy: true
-- name: rgw_keystone_admin_token_path
- type: str
- level: advanced
- desc: Path to a file containing the admin token (shared secret) that is used for
- the Keystone requests.
- fmt_desc: Path to a file containing the Keystone admin token
- (shared secret). In Ceph RadosGW authentication with
- the admin token has priority over authentication with
- the admin credentials
- (``rgw_keystone_admin_user``, ``rgw_keystone_admin_password``,
- ``rgw_keystone_admin_tenant``, ``rgw_keystone_admin_project``,
- ``rgw_keystone_admin_domain``).
- The Keystone admin token has been deprecated, but can be
- used to integrate with older environments.
- services:
- - rgw
- with_legacy: true
- name: rgw_keystone_admin_user
type: str
level: advanced
}
/* warn about insecure keystone secret config options */
- if (!(g_ceph_context->_conf->rgw_keystone_admin_token.empty() ||
- g_ceph_context->_conf->rgw_keystone_admin_password.empty())) {
+ if (!g_ceph_context->_conf->rgw_keystone_admin_password.empty()) {
dout(0)
- << "WARNING: rgw_keystone_admin_token and "
- "rgw_keystone_admin_password should be avoided as they can "
- "expose secrets. Prefer the new rgw_keystone_admin_token_path "
- "and rgw_keystone_admin_password_path options, which read their "
- "secrets from files."
+ << "WARNING: The use of rgw_keystone_admin_password should be avoided as "
+ "it can expose the plaintext password. Prefer the rgw_keystone_admin_password_path "
+ "option which read the password from a file."
<< dendl;
}
return s;
}
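Review bot: The rewritten warning text has a subject–verb agreement error in its last fragment, `"option which read the password from a file."`; it should be `"option which reads the password from a file."`. This string is emitted at dout(0), so it is operator-visible and worth getting right in the same change that rewords it. The enclosing function (the one ending with `return s;`) starts outside the hunk.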
-std::string CephCtxConfig::get_admin_token() const noexcept
-{
- auto& atv = g_ceph_context->_conf->rgw_keystone_admin_token_path;
- if (!atv.empty()) {
- return read_secret(atv);
- } else {
- auto& atv = g_ceph_context->_conf->rgw_keystone_admin_token;
- if (!atv.empty()) {
- return atv;
- }
- }
- return empty;
-}
-
std::string CephCtxConfig::get_admin_password() const noexcept {
auto& apv = g_ceph_context->_conf->rgw_keystone_admin_password_path;
if (!apv.empty()) {
std::string& token,
bool& token_cached)
{
- /* Let's check whether someone uses the deprecated "admin token" feature
- * based on a shared secret from keystone.conf file. */
- const auto& admin_token = config.get_admin_token();
- if (! admin_token.empty()) {
- token = std::string(admin_token.data(), admin_token.length());
- return 0;
- }
-
TokenEnvelope t;
/* Try cache first before calling Keystone for a new admin token. */
public:
virtual std::string get_endpoint_url() const noexcept = 0;
- virtual std::string get_admin_token() const noexcept = 0;
virtual std::string_view get_admin_user() const noexcept = 0;
virtual std::string get_admin_password() const noexcept = 0;
virtual std::string_view get_admin_tenant() const noexcept = 0;
std::string get_endpoint_url() const noexcept override;
- std::string get_admin_token() const noexcept override;
-
std::string_view get_admin_user() const noexcept override {
return g_ceph_context->_conf->rgw_keystone_admin_user;
}