[openstack-dev] [keystone] SPFE: Authenticated Encryption (AE) Tokens
Brad Topol
btopol at us.ibm.com
Fri Feb 13 21:13:36 UTC 2015
I am a vote of Yes for the Authenticated Encryption (AE) Token
specification receiving a Spec Freeze exception. This approach has
tremendous potential to significantly improve Keystone and POC code
already exists. I feel there is enough runway that it is worth trying to
move forward with this spec in this release cycle.
Thanks,
Brad
Brad Topol, Ph.D.
IBM Distinguished Engineer
OpenStack
(919) 543-0646
Internet: btopol at us.ibm.com
Assistant: Kendra Witherspoon (919) 254-0680
From: Lance Bragstad <lbragstad at gmail.com>
To: "OpenStack Development Mailing List (not for usage questions)"
<openstack-dev at lists.openstack.org>
Date: 02/13/2015 02:52 PM
Subject: [openstack-dev] [keystone] SPFE: Authenticated Encryption
(AE) Tokens
Hello all,
I'm proposing the Authenticated Encryption (AE) Token specification [1] as
an SPFE. AE tokens increase the scalability of Keystone by removing token
persistence. This provider has been discussed prior to, and at, the Paris
summit [2]. There is an implementation that is currently up for review
[3], which was built off a POC. Based on the POC, there has been some
performance analysis done with respect to the token formats available in
Keystone (UUID, PKI, PKIZ, AE) [4].
The Keystone team spent some time discussing limitations of the current
POC implementation at the mid-cycle. One case that still needs to be
addressed (and is currently being worked), is federated tokens. When
requesting unscoped federated tokens, the token contains unbound groups
which would need to be carried in the token. This case can be handled by
AE tokens but it would be possible for an unscoped federated AE token to
exceed an acceptable AE token length (i.e. < 255 characters). Long story
short, a federation migration could be used to ensure federated AE tokens
never exceed a certain length.
Feel free to leave your comments on the AE Token spec.
Thanks!
Lance
[1] https://review.openstack.org/#/c/130050/
[2] https://etherpad.openstack.org/p/kilo-keystone-authorization
[3] https://review.openstack.org/#/c/145317/
[4] http://dolphm.com/benchmarking-openstack-keystone-token-formats/
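The two points Lance raises (no server-side token persistence, and an unscoped federated token whose group list can push it past a 255-character limit) are easier to reason about with a concrete token layout. The following is an added example and not the Keystone POC or spec code: it builds a stateless token from a fixed binary payload (version, expiry, user UUID, group count, one 16-byte UUID per group), encrypts it and authenticates it with a stdlib-only encrypt-then-MAC construction (HMAC-SHA256 as a counter-mode keystream plus an HMAC-SHA256 tag, standing in for whatever vetted cipher the spec uses), then base64url-encodes nonce, ciphertext and tag. All field widths, the 8-byte nonce and the full 32-byte tag are assumptions chosen for illustration, and `token_chars`/`max_groups_within` show how many group IDs fit before a token crosses the 255-character mark under those assumptions.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import uuid

# Assumed layout parameters (illustration only, not the spec's values).
NONCE_LEN = 8
TAG_LEN = 32                 # full HMAC-SHA256 tag
HEADER_LEN = 1 + 8 + 16 + 2  # version, expiry, user uuid, group count
MAX_TOKEN_CHARS = 255        # the "acceptable AE token length" from the thread


def _derive(master):
    # Separate encryption and MAC keys from one master key.
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key, nonce, length):
    # Toy stream cipher: HMAC-SHA256 as a PRF in counter mode.
    # A real deployment would use a vetted AEAD instead.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def pack_payload(user_id, expires_at, group_ids):
    body = struct.pack(">BQ", 1, expires_at) + user_id.bytes + struct.pack(">H", len(group_ids))
    return body + b"".join(g.bytes for g in group_ids)


def unpack_payload(body):
    version, expires_at = struct.unpack(">BQ", body[:9])
    if version != 1:
        raise ValueError("unknown token version")
    user_id = uuid.UUID(bytes=body[9:25])
    (count,) = struct.unpack(">H", body[25:27])
    if len(body) != HEADER_LEN + 16 * count:
        raise ValueError("payload length does not match group count")
    groups = [uuid.UUID(bytes=body[27 + 16 * i:43 + 16 * i]) for i in range(count)]
    return user_id, expires_at, groups


def issue(master, user_id, group_ids, ttl=3600, now=None, nonce=None):
    # Nothing is stored server-side: everything needed to validate is in the token.
    enc, mac = _derive(master)
    now = int(time.time()) if now is None else now
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = pack_payload(user_id, now + ttl, group_ids)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(enc, nonce, len(body))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + ct + tag).rstrip(b"=").decode()


def validate(master, token, now=None):
    enc, mac = _derive(master)
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < NONCE_LEN + TAG_LEN + HEADER_LEN:
        raise ValueError("token too short")
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    # Verify the tag before touching the ciphertext (encrypt-then-MAC).
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))
    user_id, expires_at, groups = unpack_payload(body)
    now = int(time.time()) if now is None else now
    if now >= expires_at:
        raise ValueError("token expired")
    return user_id, expires_at, groups


def token_chars(n_groups):
    # Encoded length of a token carrying n_groups group IDs (unpadded base64url).
    raw_len = NONCE_LEN + HEADER_LEN + 16 * n_groups + TAG_LEN
    return -(-4 * raw_len // 3)


def max_groups_within(limit=MAX_TOKEN_CHARS):
    n = 0
    while token_chars(n + 1) <= limit:
        n += 1
    return n


def demo(n_groups=7):
    # Constructed sample data: a user and n_groups unbound group IDs.
    master = b"\x42" * 32
    user = uuid.UUID(int=1)
    groups = [uuid.UUID(int=100 + i) for i in range(n_groups)]
    token = issue(master, user, groups, ttl=60, now=1000, nonce=b"\x00" * NONCE_LEN)
    ok = validate(master, token, now=1001) == (user, 1060, groups)
    tampered = token[:20] + ("A" if token[20] != "A" else "B") + token[21:]
    try:
        validate(master, tampered, now=1001)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return len(token), ok, tamper_detected


if __name__ == "__main__":
    print(demo(), max_groups_within())
```

Under these assumptions a token with no groups is 90 characters, seven binary group UUIDs still fit (239 characters), and the eighth pushes it to 260, so the 255-character ceiling is reached quickly once a federated user carries more than a handful of groups; shrinking the tag or the per-group encoding moves that boundary but does not remove it.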