[openstack-dev] [Keystone] State of Fernet tokens
ayoung at redhat.com
Thu Feb 25 04:50:19 UTC 2016
A lot of people seem to be counting on Fernet tokens, so I figured I'd
give a quick update.
Back in December, I made a quick check to see what would happen if we
swapped Fernet in as the default token provider. A bunch of tests
fails. Lance Bragstad and Raildo Mascena took that and ran with it.
As of tonight, there are 18 Failed test. 4 are due to trust tokens on
V2. we need to explicitly prevent trust execution for the V2 API, as
the rules are not being enforced. We sent up a warning about this
before, but let me make it explicit; V2 Trust support is being yanked
due to the need to make Fernet work.
There are also some strange things going on with revocation events.
Since token revocations are only going to be handled via the revocation
event API (not revocation list) we need to get this right.
Here is the complete list of failing tests right now:
These three are the trust tests I described above.
[0.420011s] ... FAILED
[0.443193s] ... FAILED
[0.465307s] ... FAILED
Something seems to be strange with Cache invalidation. They all deal
with token deletion, which is handled by Revocation Events now.
But this seems to be a test problem, not with the main code.
[0.082660s] ... FAILED
[0.085062s] ... FAILED
[0.106043s] ... FAILED
[0.081628s] ... FAILED
[0.244603s] ... FAILED
[0.237667s] ... FAILED
[0.278852s] ... FAILED
[0.254170s] ... FAILED
[1.390265s] ... FAILED
[0.111520s] ... FAILED
Since the revocation list is not going to be used with Fernet, I am not
too worried about these. I think these tests can be changed to use PKI
tokens for now.
[2.025202s] ... FAILED
[1.650198s] ... FAILED
[1.024048s] ... FAILED
[1.091590s] ... FAILED
And this one? Passed when I ran it directly. Looks like a bad test setup.
[2.169297s] ... FAILED
Review is here:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OpenStack-dev