
jewel: rgw: swift: disable revocation thread under certain circumstances #14789

Merged
merged 1 commit into from Jun 9, 2017

Conversation

mdw-at-linuxbox
Contributor

Keystone tokens can be revoked. This causes them to fail
validation. However, in ceph, we cache them. As long as
they're in the cache we trust them. To find revoked tokens
there's a call OSI-PKI/revoked but that's only useful for
pki tokens. Installations using fernet/uuid may not even
have the proper credentials to support the call, in which
case the call blows up in various ways filling up logs
with complaints.

This code makes the revocation thread optional; by disabling it,
the complaints go away. A further fix is in the works
to use other more modern calls available in modern keystone
installations to properly deal with non-PKI/PKIZ tokens.

(NB: jewel has this logic in src/rgw/rgw_swift.cc not in src/rgw/rgw_keystone.h)

To disable the revocation thread, use at least one of these:
        rgw_keystone_token_cache_size = 0
                using this will cause tokens to be validated on every call.
You may instead want to set
        rgw_keystone_revocation_interval = 0
                using just this will disable the revocation thread,
                but leaves the cache in use. That avoids the extra
                validation overhead, but means token revocation won't
                work very well.

Fixes: http://tracker.ceph.com/issues/9493
Fixes: http://tracker.ceph.com/issues/19499

Signed-off-by: Marcus Watts <mwatts@redhat.com>
(cherry picked from commit 003291a)

@mattbenjamin mattbenjamin changed the title rgw: swift: disable revocation thread if sleep == 0 || cache_size == 0 jewel: rgw: swift: disable revocation thread if sleep == 0 || cache_size == 0 Apr 25, 2017
@ktdreyer ktdreyer added this to the jewel milestone Apr 25, 2017
@ktdreyer
Member

backport tracked in http://tracker.ceph.com/issues/19772

@mdw-at-linuxbox
Contributor Author

I've run an instance of this with keystone. Turning off
        rgw keystone revocation interval = 0
        rgw keystone token cache size = 0
turns off the revocation thread. (turning off either alone should suffice, with slight differences in behavior as per the commit message.)

asheplyakov pushed a commit to asheplyakov/ceph that referenced this pull request May 18, 2017
…thread if sleep == 0 || cache_size == 0

Reviewed-by: Nathan Cutler <ncutler@suse.com>
@theanalyst
Member

@yehudasa @cbodley this passed an integration run http://tracker.ceph.com/issues/19538#note-61 do you think we're ready to merge this PR to jewel?

@cbodley
Contributor

cbodley commented Jun 9, 2017

@theanalyst yes please

@theanalyst theanalyst merged commit fdd25c2 into ceph:jewel Jun 9, 2017
@smithfarm smithfarm changed the title jewel: rgw: swift: disable revocation thread if sleep == 0 || cache_size == 0 jewel: rgw: swift: disable revocation thread under certain circumstances Jul 6, 2017