[openstack-dev] [all] [clients] [keystone] lack of retrying tokens leads to overall OpenStack fragility
Duncan Thomas
duncan.thomas at gmail.com
Thu Sep 11 14:00:02 UTC 2014
On 11 September 2014 03:17, Angus Lees <gus at inodes.org> wrote:
> (As inspired by eg kerberos)
> 2. Ensure at some environmental/top layer that the advertised token lifetime
> exceeds the timeout set on the request, before making the request. This
> implies (since there's no special handling in place) failing if the token was
> expired earlier than expected.
We've a related problem in cinder (cinder-backup uses the user's token
to talk to swift, and the backup can easily take longer than the token
expiry time) which could not be solved by this, since the time the
backup takes is unknown (compression, service and resource contention,
etc alter the time by multiple orders of magnitude)
More information about the OpenStack-dev
mailing list