From 8ac23fd720135e56181360dcc5c9f16b99f0273d Mon Sep 17 00:00:00 2001
From: Deepika Upadhyay
Date: Mon, 28 Oct 2024 14:49:52 +0530
Subject: [PATCH] rgw: make keystone work without admin token(service ac requirement)
Ceph RGW admin credentials must not be a requirement. Both ec2 auth and keystone token validation work without an admin token. And the user token verification will use its own token. The only requirement for the service admin user token is the allow_expired, but in our case we don't use this parameter.
fixes: https://tracker.ceph.com/issues/68327
Co-authored-by: @kayrus
Signed-off-by: Deepika Upadhyay
(cherry picked from commit 55ce1782e159190fd9202b6e270a1a2c470b0626)
---
 src/rgw/rgw_auth_keystone.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 519f307e98747..e0d28d411e190 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -80,7 +80,12 @@ admin_token_retry:
 throw -EINVAL;
 }
- validate.append_header("X-Auth-Token", admin_token);
+ if (allow_expired) {
+ validate.append_header("X-Auth-Token", admin_token);
+ } else {
+ validate.append_header("X-Auth-Token", token);
+ }
+ validate.set_send_length(0);
 validate.set_url(url);
-- 
2.39.5
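Review bot: The `throw -EINVAL;` kept as context directly above the new branch looks like the failure path of the admin-token lookup, and if so that lookup still runs before the `allow_expired` check, so a gateway without service credentials would still fail here even though the client's own `token` is what gets sent. The same question applies to whatever jumps back to `admin_token_retry:`, presumably a retry after a rejected admin token, because in the `else` case a 401 now reflects the client's token and should not invalidate or refetch the cached admin token. Both sit outside this hunk, so please confirm they are gated on `allow_expired` too. It would also help to record the trust assumption beside the branch, e.g. `// Self-validation: Keystone policy must let a token validate itself; the admin token is only needed for allow_expired.` If both variables are the same string type, the two calls could collapse to `validate.append_header("X-Auth-Token", allow_expired ? admin_token : token);`.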