<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/20/2013 04:50 PM, Ali, Haneef
wrote:<br>
</div>
<blockquote
cite="mid:D1EC508A39233D48A3F3FA9188A4BBF83DCFFE0D@G9W0725.americas.hpqcorp.net"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta name="Generator" content="Microsoft Word 12 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1382051247;
mso-list-type:hybrid;
mso-list-template-ids:-1979286828 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-text:"%1\)";
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span
style="mso-list:Ignore">1)<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’m
really not sure how that will solve the original issue
(Token table size increase). Of course we can have a job to
remove the expired token.
</span></p>
</div>
</blockquote>
It is not expiry that is the issue, but revocation. Expirey is
handled by the fact that the token is a signed document with a
timestamp in it. We don't really need to store expired tokens at
all.<br>
<br>
<blockquote
cite="mid:D1EC508A39233D48A3F3FA9188A4BBF83DCFFE0D@G9W0725.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span
style="mso-list:Ignore">2)<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We
really have to think how the other services are using
keystone. Keystone “createToken” volume is going to
increase. Fixing one issue going to create another one.</span></p>
</div>
</blockquote>
Yes it will. But in the past, the load was on Keystone token
validate, and PKI has removed that load. Right now, the greater
load on Keystone is coming from token create, but that is because
token caching is not in place. With proper caching, Keystone would
be hit only once for most workloads. It is currently hit for every
Remote call. It is not the token generation that is the issue, but
the issuing of the tokens that needs to be throttled back.<br>
<blockquote
cite="mid:D1EC508A39233D48A3F3FA9188A4BBF83DCFFE0D@G9W0725.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph"
style="text-indent:-.25in;mso-list:l0 level1 lfo2"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2
lfo2">
<!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span
style="mso-list:Ignore">1.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> If
I understood correctly swift is using memcache to increase
the validateToken performance. What will happen to it?
Obviously load to “validateToken” will also increase.</span></p>
</div>
</blockquote>
Validate token happens in process with PKI tokens, not via remote
call. Memcache just prevents swift from having to make that check
more than once per token. Revocation still needs to be checked
every time.<br>
<br>
<blockquote
cite="mid:D1EC508A39233D48A3F3FA9188A4BBF83DCFFE0D@G9W0725.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2
lfo2"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2
lfo2">
<!--[if !supportLists]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><span
style="mso-list:Ignore">2.<span style="font:7.0pt
"Times New Roman"">
</span></span></span><!--[endif]--><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">In
few cases I have seen VM creation taking more than 5 min. (
download image from glance and create vm). Short lived
token ( 5 min) will be a real fun in this case.</span></p>
</div>
</blockquote>
That is what trusts are for. Nova should not be using a bearer
token to perform operations on behalf of the user. Nova should be
getting a delegated token via a trust to perform those operations.
If a vm takes 5 minutes, it should not matter if the tokens time
out, as Nova will get a token when it needs it. Bearer tokens are a
poor design approach, and we have work going on that will remedy
that.<br>
<br>
<blockquote
cite="mid:D1EC508A39233D48A3F3FA9188A4BBF83DCFFE0D@G9W0725.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph"
style="margin-left:1.0in;text-indent:-.25in;mso-list:l0 level2
lfo2"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Haneef<o:p></o:p></span></p>
<p class="MsoListParagraph" style="margin-left:1.0in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ravi Chunduru [<a class="moz-txt-link-freetext" href="mailto:ravivsn@gmail.com">mailto:ravivsn@gmail.com</a>]
<br>
<b>Sent:</b> Thursday, June 20, 2013 11:49 AM<br>
<b>To:</b> OpenStack Development Mailing List<br>
<b>Subject:</b> Re: [openstack-dev] FW: [Keystone][Folsom]
Token re-use<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">+1 <o:p></o:p></p>
<div>
<p class="MsoNormal">On Thu, Jun 20, 2013 at 11:37 AM, Dolph
Mathews <<a moz-do-not-send="true"
href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>>
wrote:<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal">On Wed, Jun 19, 2013 at 2:20
PM, Adam Young <<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">I really want to go the
other way on this: I want token to be very
short lived, ideally something like 1 minute,
but probably 5 minutes to account for clock
skew. I want to get rid of token revocation
list checking. I'd like to get away from
revocation altogether: tokens are not stored
in the backend. If they are ephemeral, we can
just check that the token has a valid
signature and that the time has not expired.<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal">+10<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid
#CCCCCC 1.0pt;padding:0in 0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<br>
<br>
<br>
<br>
On 06/19/2013 12:59 PM, Ravi Chunduru
wrote:<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Thats still an open
item in this thread. <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Let me summarize
once again<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">1) Use case for
keystone not to re-issue same token
for same credentials<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) Ratelimit cons
and service unavailability <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt">3)
Further information on python
keyring if not going by keystone
re-issue of the tokens.<o:p></o:p></p>
<div>
<p class="MsoNormal">On Wed, Jun 19,
2013 at 9:16 AM, Yee, Guang <<a
moz-do-not-send="true"
href="mailto:guang.yee@hp.com"
target="_blank">guang.yee@hp.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Just
out of curiosity, is there
really a use case where user
need to request multiple
tokens of the same scope,
where the only difference
are the expiration dates?</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Guang</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div
style="border:none;border-top:solid
#B5C4DF 1.0pt;padding:3.0pt
0in 0in 0in">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Dolph Mathews [mailto:<a
moz-do-not-send="true"
href="mailto:dolph.mathews@gmail.com"
target="_blank">dolph.mathews@gmail.com</a>]
<br>
<b>Sent:</b> Wednesday,
June 19, 2013 7:27 AM</span><o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
<b>To:</b> OpenStack
Development Mailing List<br>
<b>Subject:</b> Re:
[openstack-dev] FW:
[Keystone][Folsom] Token
re-use<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On
Wed, Jun 19, 2013 at
1:42 AM, Ali, Haneef
<<a
moz-do-not-send="true"
href="mailto:haneef.ali@hp.com" target="_blank">haneef.ali@hp.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">1)</span><span
style="font-size:7.0pt;color:#1F497D">
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Token
Caching is not
always going
to help. It
depends on the
application.
E.g A user
writes a cron
job to check
the health of
swift by
listing a
predefined
container
every 1
minute.
This will
obviously
create a token
every minute.
</span><o:p></o:p></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">2)</span><span
style="font-size:7.0pt;color:#1F497D">
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Also
I like to
understand how
rate limiting
is done for v3
tokens. Rate
limiting
involves
source ip +
request
pattern. In
V3 there are
so many ways
to get the
token and the
rate limiting
becomes too
complex</span><o:p></o:p></p>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Rate limit
the number of
requests to POST
/v2.0/tokens and
POST
/v3/auth/tokens<o:p></o:p></p>
</div>
<blockquote
style="border:none;border-left:solid
#CCCCCC
1.0pt;padding:0in
0in 0in
6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Just
for unscoped
token, all
the following
are equivalent
requests. In
case of scoped
tokens we have
even more
combinations.
Rouge
clients can
easily mess
with rate
limiting by
mixing request
patterns. Also
rate limiting
across regions
may not be
possible.</span><o:p></o:p></p>
<p
style="margin-left:1.0in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">a.</span><span
style="font-size:7.0pt;color:#1F497D">
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> UserId/Password</span><o:p></o:p></p>
<p
style="margin-left:1.0in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">b.</span><span
style="font-size:7.0pt;color:#1F497D">
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> UserName/Password/domainId</span><o:p></o:p></p>
<p
style="margin-left:1.0in"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">c.</span><span
style="font-size:7.0pt;color:#1F497D">
</span><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">UserName/Password/DomainName</span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks</span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Haneef</span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Ravi Chunduru
[mailto:<a
moz-do-not-send="true"
href="mailto:ravivsn@gmail.com" target="_blank">ravivsn@gmail.com</a>]
<br>
<b>Sent:</b>
Tuesday, June
18, 2013 11:02
PM<br>
<b>To:</b>
OpenStack
Development
Mailing List<br>
<b>Subject:</b>
Re:
[openstack-dev]
FW:
[Keystone][Folsom]
Token re-use</span><o:p></o:p></p>
<div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I agree we
need a way to
overcome these
rogue clients
but by rate
limiting
genuine
requests will
get effected.
Then one would
need retries
and some times
critical
operations
gets failed.
It beats the
whole logic of
being
available.<o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">About the
keyrings, How
do we tackle
if a service
is using JSON
API calls and
not python
clients?<o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks,<o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt">-Ravi.<o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On Tue, Jun
18, 2013 at
6:37 PM, Adam
Young <<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>>
wrote:<o:p></o:p></p>
<div>
<div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On 06/18/2013
09:13 PM,
Kant, Arun
wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The
issue with
having
un-managed
number of
tokens for
same
credential is
that it can be
easily
exploited.
Getting a
token is one
of initial
step (gateway)
to get access
to services. A
rogue client
can keep
creating
unlimited
number of
tokens and
possibly
create denial
of service
attack on
services. If
there are
somewhat
limited number
of tokens,
then cloud
provider can
possibly use
tokenId based
rate-limiting
approach.</span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Better here
to rate limit,
then.<o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
<br>
<o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Extending
the expiry to
some fixed
interval might
be okay as
that can be
considered as
continuing
user session
similar to
what is seen
when a user
keeps browsing
an application
while logged
in.
</span><o:p></o:p></p>
</div>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt">Tokens are
resources
created by
Keystone. No
reason to ask
to create
something new
if it is not
needed.<br>
<br>
The caching
needs to be
done client
side. We have
ongoing work
using
python-keyring
to support
that.<o:p></o:p></p>
<div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">-Arun</span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div
style="border:none;border-top:solid
#B5C4DF
1.0pt;padding:3.0pt
0in 0in 0in">
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Adam
Young <<a
moz-do-not-send="true"
href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>><br>
<b>Reply-To: </b>OpenStack
Development
Mailing List
<<a
moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<b>Date: </b>Friday,
June 14, 2013
3:33 PM<br>
<b>To: </b>"<a
moz-do-not-send="true" href="mailto:openstack-dev@lists.openstack.org"
target="_blank">openstack-dev@lists.openstack.org</a>"
<<a
moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a>><br>
<b>Subject: </b>Re:
[openstack-dev]
[Keystone][Folsom]
Token re-use</span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">On
06/13/2013
07:58 PM, Ravi
Chunduru
wrote:</span><o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">Hi,
</span><o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">
We are having
Folsom setup
and we find
that our token
table
increases a
lot. I
understand
client can
re-use the
token but why
doesnt
keystone reuse
the token if
client asks it
with same
credentials.. </span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">I
would like to
know if there
is any reason
for not doing
so.</span><o:p></o:p></p>
</div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif""> </span><o:p></o:p></p>
</div>
<div>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">Thanks
in advance,</span><o:p></o:p></p>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">--
<br>
Ravi</span><o:p></o:p></p>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>OpenStack-dev mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></pre>
</blockquote>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.5pt;font-family:"Calibri","sans-serif"">You
can cache the
token on the
client side
and reuse.
Tokens have a
an expiry, so
if you request
a new token,
you extend the
expiry. </span><o:p></o:p></p>
</div>
</div>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"> <o:p></o:p></p>
</div>
<div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>OpenStack-dev mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></pre>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
<br
clear="all">
<o:p></o:p></p>
<div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p
class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--
<br>
Ravi<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev
mailing list<br>
<a
moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a
moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Ravi<o:p></o:p></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><o:p> </o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>OpenStack-dev mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org"
target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</blockquote>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <br>
Ravi<o:p></o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
OpenStack-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>