[openstack-dev] [Keystone][Token expiration]

lương hữu tuấn tuantuluong at gmail.com
Mon Apr 3 12:55:41 UTC 2017


Hi Dolph,

Thanks for the reply; it means that from the db point of view, the token is
expired but it is still passed to other service users in the request (token
stored in memory?) and keystone allows this expired token? And to make this
feature work, we should apply the "X-Service-Token" header and change
"allow_expired" in keystone.conf.

Br,

Tuan/Nokia

On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <dolph.mathews at gmail.com>
wrote:

> > does it mean that the token now will live forever
>
> No; it behaves as described in the document you linked. If you have any
> specific security concerns, please raise them appropriately (such as a
> security bug, if necessary).
>
> On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <tuantuluong at gmail.com>
> wrote:
>
>> Hi keystone folks,
>>
>> I have had a chance to take a look at the patch below for allowing
>> expired tokens, and it was merged in Ocata:
>>
>> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html
>>
>> In our project, we also have a problem with token expiration when running
>> a mistral workflow. I have a concern that if this patch works as it does,
>> does it mean that the token now will live forever ("forever" seems so
>> sloppy, but it seems like the token is no longer expired). In this case, it
>> does not seem good for security purposes.
>>
>> Br,
>>
>> Tuan/Nokia
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
> --
> -Dolph
>