<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/18/2013 09:13 PM, Kant, Arun
wrote:<br>
</div>
<blockquote
cite="mid:73F9E923B857FC4685A32B062C964A5D62EA2F57@G4W3223.americas.hpqcorp.net"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
issue with having un-managed number of tokens for same
credential is that it can be easily exploited. Getting a
token is one of initial step (gateway) to get access to
services. A rogue client can keep creating unlimited number
of tokens and possibly create denial of service attack on
services. If there are somewhat limited number of tokens,
then cloud provider can possibly use tokenId based
rate-limiting approach.</span></p>
</div>
</blockquote>
Better here to rate limit, then.<br>
<br>
<br>
<blockquote
cite="mid:73F9E923B857FC4685A32B062C964A5D62EA2F57@G4W3223.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Extending
the expiry to some fixed interval might be okay as that can
be considered as continuing user session similar to what is
seen when a user keeps browsing an application while logged
in. <br>
</span></p>
</div>
</blockquote>
Tokens are resources created by Keystone. No reason to ask to
create something new if it is not needed.<br>
<br>
The caching needs to be done client side. We have ongoing work
using python-keyring to support that.<br>
<br>
<blockquote
cite="mid:73F9E923B857FC4685A32B062C964A5D62EA2F57@G4W3223.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Arun<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">From:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Adam
Young <<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>><br>
<b>Reply-To: </b>OpenStack Development Mailing List <<a
moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<b>Date: </b>Friday, June 14, 2013 3:33 PM<br>
<b>To: </b>"<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>"
<<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<b>Subject: </b>Re: [openstack-dev] [Keystone][Folsom]
Token re-use<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">On
06/13/2013 07:58 PM, Ravi Chunduru wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Hi,
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">
We are having Folsom setup and we find that our
token table increases a lot. I understand client can
re-use the token but why doesnt keystone reuse the
token if client asks it with same credentials.. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">I
would like to know if there is any reason for not
doing so.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">Thanks
in advance,<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">--
<br>
Ravi<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black"><br>
<br>
<br>
<o:p></o:p></span></p>
<pre><span style="color:black">_______________________________________________<o:p></o:p></span></pre>
<pre><span style="color:black">OpenStack-dev mailing list<o:p></o:p></span></pre>
<pre><span style="color:black"><a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif";color:black">You
can cache the token on the client side and reuse. Tokens
have a an expiry, so if you request a new token, you
extend the expiry. <o:p></o:p></span></p>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>