From: Tobias Urdin Date: Mon, 10 Mar 2025 14:13:10 +0000 (+0100) Subject: rgw/auth: Remove legacy Keystone admin token X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=6d058963adffbfcd270191e595ec539996cd71b9;p=ceph.git rgw/auth: Remove legacy Keystone admin token The legacy hardcoded admin token in the Keystone configuration is removed since several years and is not possible or supported anymore. The only supported way is to authenticate with a username and password to retrieve a token that is valid for a specified amount of time. Signed-off-by: Tobias Urdin --- diff --git a/doc/radosgw/config-ref.rst b/doc/radosgw/config-ref.rst index 0e2bc9d6f6cb..8ad993b59ed0 100644 --- a/doc/radosgw/config-ref.rst +++ b/doc/radosgw/config-ref.rst @@ -217,8 +217,6 @@ Keystone Settings .. confval:: rgw_keystone_url .. confval:: rgw_keystone_admin_domain .. confval:: rgw_keystone_admin_project -.. confval:: rgw_keystone_admin_token -.. confval:: rgw_keystone_admin_token_path .. confval:: rgw_keystone_admin_tenant .. confval:: rgw_keystone_admin_user .. confval:: rgw_keystone_admin_password diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in index 3ce9118f6f82..328a2134c8eb 100644 --- a/src/common/options/rgw.yaml.in +++ b/src/common/options/rgw.yaml.in 
@@ -709,40 +709,6 @@ options: services: - rgw with_legacy: true -- name: rgw_keystone_admin_token - type: str - level: advanced - desc: 'DEPRECATED: The admin token (shared secret) that is used for the Keystone - requests.' - fmt_desc: The Keystone admin token (shared secret). In Ceph RGW - authentication with the admin token has priority over - authentication with the admin credentials - (``rgw_keystone_admin_user``, ``rgw_keystone_admin_password``, - ``rgw_keystone_admin_tenant``, ``rgw_keystone_admin_project``, - ``rgw_keystone_admin_domain``). The Keystone admin token - has been deprecated, but can be used to integrate with - older environments. It is preferred to instead configure - ``rgw_keystone_admin_token_path`` to avoid exposing the token. - services: - - rgw - with_legacy: true -- name: rgw_keystone_admin_token_path - type: str - level: advanced - desc: Path to a file containing the admin token (shared secret) that is used for - the Keystone requests. - fmt_desc: Path to a file containing the Keystone admin token - (shared secret). In Ceph RadosGW authentication with - the admin token has priority over authentication with - the admin credentials - (``rgw_keystone_admin_user``, ``rgw_keystone_admin_password``, - ``rgw_keystone_admin_tenant``, ``rgw_keystone_admin_project``, - ``rgw_keystone_admin_domain``). - The Keystone admin token has been deprecated, but can be - used to integrate with older environments. - services: - - rgw - with_legacy: true - name: rgw_keystone_admin_user type: str level: advanced diff --git a/src/rgw/rgw_appmain.cc b/src/rgw/rgw_appmain.cc index 9bacbcb23c5d..d9f9e58c9c48 100644 --- a/src/rgw/rgw_appmain.cc +++ b/src/rgw/rgw_appmain.cc 
@@ -290,14 +290,11 @@ void rgw::AppMain::cond_init_apis() } /* warn about insecure keystone secret config options */ - if (!(g_ceph_context->_conf->rgw_keystone_admin_token.empty() || - g_ceph_context->_conf->rgw_keystone_admin_password.empty())) { + if (!g_ceph_context->_conf->rgw_keystone_admin_password.empty()) { dout(0) - << "WARNING: rgw_keystone_admin_token and " - "rgw_keystone_admin_password should be avoided as they can " - "expose secrets. Prefer the new rgw_keystone_admin_token_path " - "and rgw_keystone_admin_password_path options, which read their " - "secrets from files." + << "WARNING: The use of rgw_keystone_admin_password should be avoided as " + "it can expose the plaintext password. Prefer the rgw_keystone_admin_password_path " + "option which read the password from a file." << dendl; } diff --git a/src/rgw/rgw_keystone.cc b/src/rgw/rgw_keystone.cc index 2767cea06def..f2ccf4a72bba 100644 --- a/src/rgw/rgw_keystone.cc +++ b/src/rgw/rgw_keystone.cc @@ -95,20 +95,6 @@ static inline std::string read_secret(const std::string& file_path) return s; } -std::string CephCtxConfig::get_admin_token() const noexcept -{ - auto& atv = g_ceph_context->_conf->rgw_keystone_admin_token_path; - if (!atv.empty()) { - return read_secret(atv); - } else { - auto& atv = g_ceph_context->_conf->rgw_keystone_admin_token; - if (!atv.empty()) { - return atv; - } - } - return empty; -} - std::string CephCtxConfig::get_admin_password() const noexcept { auto& apv = g_ceph_context->_conf->rgw_keystone_admin_password_path; if (!apv.empty()) { 
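Review bot: The new warning only fires when `rgw_keystone_admin_password` is set, so an operator upgrading with only the now-removed `rgw_keystone_admin_token`/`rgw_keystone_admin_token_path` in ceph.conf gets no startup message; with the short-circuit in `Service::get_admin_token` gone, such a deployment presumably proceeds to a password-based token request with an empty password and only fails on the first Keystone call. Since this block already exists to flag Keystone secret misconfiguration, it is the natural place for a second check that warns when `rgw_keystone_url` is configured but neither `rgw_keystone_admin_password` nor `rgw_keystone_admin_password_path` is set, naming the removed options explicitly (whether the config layer already reports the unknown option at load time is not visible here). The new message also has a grammar slip: `"option which read the password from a file."` should be `"option which reads the password from a file."`. cond_init_apis begins before this hunk.
```cpp
  // … unchanged: rgw_keystone_admin_password warning (message wording fixed as noted) …

  /* the legacy shared-secret admin token was removed; log an explicit startup
   * warning for a deployment that still relies on it instead of letting the
   * first Keystone admin token request fail later */
  if (!g_ceph_context->_conf->rgw_keystone_url.empty() &&
      g_ceph_context->_conf->rgw_keystone_admin_password.empty() &&
      g_ceph_context->_conf->rgw_keystone_admin_password_path.empty()) {
    dout(0)
      << "WARNING: rgw_keystone_url is set but neither rgw_keystone_admin_password "
         "nor rgw_keystone_admin_password_path is configured; the legacy "
         "rgw_keystone_admin_token and rgw_keystone_admin_token_path options have "
         "been removed, so Keystone admin token requests are expected to fail."
      << dendl;
  }
```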
@@ -129,14 +115,6 @@ int Service::get_admin_token(const DoutPrefixProvider *dpp, std::string& token, bool& token_cached) { - /* Let's check whether someone uses the deprecated "admin token" feature - * based on a shared secret from keystone.conf file. */ - const auto& admin_token = config.get_admin_token(); - if (! admin_token.empty()) { - token = std::string(admin_token.data(), admin_token.length()); - return 0; - } - TokenEnvelope t; /* Try cache first before calling Keystone for a new admin token. */ diff --git a/src/rgw/rgw_keystone.h b/src/rgw/rgw_keystone.h index cc9ff48cdceb..4eeebb4fd5da 100644 --- a/src/rgw/rgw_keystone.h +++ b/src/rgw/rgw_keystone.h @@ -37,7 +37,6 @@ protected: public: virtual std::string get_endpoint_url() const noexcept = 0; - virtual std::string get_admin_token() const noexcept = 0; virtual std::string_view get_admin_user() const noexcept = 0; virtual std::string get_admin_password() const noexcept = 0; virtual std::string_view get_admin_tenant() const noexcept = 0; @@ -60,8 +59,6 @@ public: std::string get_endpoint_url() const noexcept override; - std::string get_admin_token() const noexcept override; - std::string_view get_admin_user() const noexcept override { return g_ceph_context->_conf->rgw_keystone_admin_user; }