[openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens

Lance Bragstad lbragstad at gmail.com
Fri Feb 13 19:47:27 UTC 2015


Hello all,


I'm proposing the Authenticated Encryption (AE) Token specification [1] as
an SPFE. AE tokens increase scalability of Keystone by removing token
persistence. This provider has been discussed prior to, and at the Paris
summit [2]. There is an implementation that is currently up for review [3],
that was built off a POC. Based on the POC, there has been some performance
analysis done with respect to the token formats available in Keystone
(UUID, PKI, PKIZ, AE) [4].

The Keystone team spent some time discussing limitations of the current POC
implementation at the mid-cycle. One case that still needs to be addressed
(and is currently being worked), is federated tokens. When requesting
unscoped federated tokens, the token contains unbound groups which would
need to be carried in the token. This case can be handled by AE tokens but
it would be possible for an unscoped federated AE token to exceed an
acceptable AE token length (i.e. < 255 characters). Long story short, a
federation migration could be used to ensure federated AE tokens never
exceed a certain length.

Feel free to leave your comments on the AE Token spec.

Thanks!

Lance

[1] https://review.openstack.org/#/c/130050/
[2] https://etherpad.openstack.org/p/kilo-keystone-authorization
[3] https://review.openstack.org/#/c/145317/
[4] http://dolphm.com/benchmarking-openstack-keystone-token-formats/
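
The length concern raised above for unscoped federated tokens, worked through as an added example that is not part of the original message or of Keystone's code. The envelope (version byte, timestamp, IV, AES-CBC ciphertext, HMAC-SHA256 tag, base64url) and the payload fields are assumptions chosen for illustration; only the "< 255 characters" limit comes from the message.

```python
import base64
import struct
import uuid

# Assumed encrypt-then-MAC envelope sizes in bytes (not Keystone's actual format).
VERSION, TIMESTAMP, IV, MAC, BLOCK = 1, 8, 16, 32, 16
LIMIT = 255  # from the message: acceptable AE token length is < 255 characters


def payload(user_id, expires_at, group_ids):
    """Pack a hypothetical unscoped federated token body.

    16-byte user id, 8-byte expiry, 1-byte group count, then 16 bytes per
    unbound group id carried in the token.
    """
    head = user_id.bytes + struct.pack(">dB", expires_at, len(group_ids))
    return head + b"".join(g.bytes for g in group_ids)


def token_length(plaintext_len):
    """Characters in the base64url token for a plaintext of this size."""
    # CBC with PKCS#7 padding always adds between 1 and BLOCK bytes.
    ciphertext = (plaintext_len // BLOCK + 1) * BLOCK
    raw = VERSION + TIMESTAMP + IV + ciphertext + MAC
    return len(base64.urlsafe_b64encode(bytes(raw)))


def length_for_groups(n):
    """Token length when n constructed group ids ride in the payload."""
    groups = [uuid.UUID(int=i + 1) for i in range(n)]
    return token_length(len(payload(uuid.UUID(int=0), 0.0, groups)))


def max_groups(limit=LIMIT):
    """Largest number of groups whose token stays under the limit."""
    n = 0
    while length_for_groups(n + 1) < limit:
        n += 1
    return n


if __name__ == "__main__":
    for n in range(0, 9):
        size = length_for_groups(n)
        print(f"{n} groups -> {size} chars  {'ok' if size < LIMIT else 'TOO LONG'}")
    print("max groups under limit:", max_groups())
```

Under these assumed sizes the budget is exhausted after a handful of groups, which is why the message proposes handling group membership outside the token.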