[openstack-dev] 2 Minute tokens

Jay Pipes jaypipes at gmail.com
Tue Sep 30 15:13:32 UTC 2014


On 09/30/2014 10:44 AM, Adam Young wrote:
> What is keeping us from dropping the (scoped) token duration to 5 minutes?
>
> If we could keep their lifetime as short as network skew lets us, we
> would be able to:
>
> Get rid of revocation checking.
> Get rid of persisted tokens.
>
> OK, so that assumes we can move back to PKI tokens, but we're working
> on that.
>
> What are the uses that require long-lived tokens?  Can they be replaced
> with a better mechanism for long-term delegation (OAuth or Keystone
> trusts) as Heat has done?

I think you will find that most folks just don't know the intricacies of
non-UUID tokens in Keystone. I think we'd be open to any options that
are reliable, well-documented and don't produce 4K in each HTTP request.

Best,
-jay


