jewel: rgw: swift: disable revocation thread under certain circumstances #14789
Keystone tokens can be revoked. This causes them to fail
validation. However, in ceph, we cache them. As long as
they're in the cache we trust them. To find revoked tokens
there's a call OSI-PKI/revoked but that's only useful for
pki tokens. Installations using fernet/uuid may not even
have the proper credentials to support the call, in which
case the call blows up in various ways filling up logs
with complaints.

This code makes the revocation thread optional; by disabling it,
the complaints go away. A further fix is in the works
to use other more modern calls available in modern keystone
installations to properly deal with non-PKI/PKIZ tokens.

(NB: jewel has this logic in src/rgw/rgw_swift.cc not in src/rgw/rgw_keystone.h)

To disable the revocation thread, use at least one of these:

    rgw_keystone_token_cache_size = 0

using this will cause tokens to be validated on every call.
You may instead want to set

    rgw_keystone_revocation_interval = 0

using just this will disable the revocation thread,
but leaves the cache in use. That avoids the extra
validation overhead, but means token revocation won't
work very well.
Fixes: http://tracker.ceph.com/issues/9493
Fixes: http://tracker.ceph.com/issues/19499
Signed-off-by: Marcus Watts mwatts@redhat.com
(cherry picked from commit 003291a)
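
The trade-off between the two settings described in the commit message, as an added toy model in Python (not Ceph's code and not part of this PR). The class names, the token value and the numbers 1000 and 900 are constructed; token expiry and the revocation thread's own polling are not modeled.

```python
from collections import OrderedDict

class ToyKeystone:
    """Stand-in for the identity service (hypothetical, not a Keystone client)."""
    def __init__(self, valid):
        self.valid = set(valid)
        self.validations = 0          # how many times the gateway asked us
    def validate(self, token):
        self.validations += 1
        return token in self.valid
    def revoke(self, token):
        self.valid.discard(token)

class ToyGateway:
    """Toy gateway with an LRU token cache (hypothetical model)."""
    def __init__(self, keystone, cache_size, revocation_interval):
        self.keystone = keystone
        self.cache_size = cache_size
        self.cache = OrderedDict()
        # Per the commit message: setting either option to 0 disables the thread.
        self.revocation_thread = cache_size > 0 and revocation_interval > 0
    def authorize(self, token):
        if token in self.cache:
            self.cache.move_to_end(token)
            return True               # cached tokens are trusted as-is
        ok = self.keystone.validate(token)
        if ok and self.cache_size > 0:
            self.cache[token] = True
            if len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)   # evict least recently used
        return ok

def scenario(cache_size, revocation_interval):
    """Use a token, revoke it at the identity service, then use it again."""
    ks = ToyKeystone({"tok-A"})       # constructed sample token
    gw = ToyGateway(ks, cache_size, revocation_interval)
    before = gw.authorize("tok-A")
    ks.revoke("tok-A")
    after = gw.authorize("tok-A")
    return gw.revocation_thread, before, after, ks.validations

if __name__ == "__main__":
    # Cache off: the revoked token is rejected, at the cost of a validation per call.
    print("cache_size=0:         ", scenario(0, 900))
    # Cache on, thread off: one validation, but the revoked token is still accepted.
    print("revocation_interval=0:", scenario(1000, 0))
```
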