<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/23/2013 12:43 PM, Joe Gordon
wrote:<br>
</div>
<blockquote
cite="mid:CAHXdxOeDPyfCzO2za-9ChDcpqkACtqPrMgfyaJjjY0giakTHKA@mail.gmail.com"
type="cite">
<p dir="ltr"><br>
On Aug 23, 2013 12:24 PM, "Dolph Mathews" <<a
moz-do-not-send="true" href="mailto:dolph.mathews@gmail.com">dolph.mathews@gmail.com</a>>
wrote:<br>
><br>
><br>
> On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW
Cloud - R&D - Corvallis) <<a moz-do-not-send="true"
href="mailto:mark.m.miller@hp.com">mark.m.miller@hp.com</a>>
wrote:<br>
>><br>
>> Hello,<br>
>><br>
>> <br>
>><br>
>> I would think you would want to reuse the same token
but update the expiration time as if it were the first time the
token had been generated.<br>
><br>
><br>
> That wouldn't work for PKI tokens, as the resulting
signature would have to change.<br>
> <br>
>><br>
>> <br>
>><br>
>> Mark<br>
>><br>
>> <br>
>><br>
>> From: Yongsheng Gong [mailto:<a moz-do-not-send="true"
href="mailto:gongysh@unitedstack.com">gongysh@unitedstack.com</a>]
<br>
>> Sent: Friday, August 23, 2013 12:40 AM<br>
>> To: OpenStack Development Mailing List<br>
>> Subject: [openstack-dev] [keystone] Two BPs for
managing the tokens<br>
>><br>
>> <br>
>><br>
>> Hi,<br>
>><br>
>> Talked with Henry Nash and Jamie Lennox on IRC, I have
created two BPs to manage the keystone tokens:<br>
>><br>
>> 1. <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token">https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token</a><br>
</p>
</blockquote>
<br>
Not sure that this is worth writing or maintaining. The system
services for Cron are much more robust, and we don't have to
maintain them.<br>
<br>
I do have this review for your consideration, though:<br>
<br>
<a class="moz-txt-link-freetext" href="https://review.openstack.org/#/c/43510/">https://review.openstack.org/#/c/43510/</a><br>
<br>
In conjunction with the caching layer, it might be the right
approach: flush the old tokens upon revocation list regeneration.<br>
<br>
<br>
<blockquote
cite="mid:CAHXdxOeDPyfCzO2za-9ChDcpqkACtqPrMgfyaJjjY0giakTHKA@mail.gmail.com"
type="cite">
<p dir="ltr">
>><br>
>> which is used to delete expired tokens<br>
>><br>
>> 2. <a moz-do-not-send="true"
href="https://blueprints.launchpad.net/keystone/+spec/reuse-token">https://blueprints.launchpad.net/keystone/+spec/reuse-token</a><br>
>><br>
>> which will re-use valid tokens<br>
>><br>
>> <br>
>><br>
>> These two BPs will help us to reduce the token records
in token table enormously.<br>
>><br>
>> <br>
>><br>
>> I have put some ideas on the BP description.<br>
>><br>
>> <br>
>><br>
>> Any comments are welcome.<br>
>></p>
<p dir="ltr">What about Adam Young's vision for keystone, which I
like, <br>
<a moz-do-not-send="true"
href="http://adam.younglogic.com/2013/07/a-vision-for-keystone/">http://adam.younglogic.com/2013/07/a-vision-for-keystone/</a><br>
These two blueprints don't appear to be in line with it.</p>
<p dir="ltr">Also, instead of making keystone reuse tokens, why not
make the token reuse in the clients better (keyring based)?
Last I checked it was disabled and broken in nova (there was a
patch to fix it, but keep it disabled).</p>
<p dir="ltr">>> <br>
>><br>
>> <br>
>><br>
>> Regards,<br>
>><br>
>> Yong Sheng Gong<br>
>><br>
>><br>
>> _______________________________________________<br>
>> OpenStack-dev mailing list<br>
>> <a moz-do-not-send="true"
href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
>> <a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>><br>
><br>
><br>
><br>
> -- <br>
><br>
> -Dolph<br>
><br>
</p>
</blockquote>
<br>
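Added example, not part of the original message and not the code under review: a sketch of flushing expired tokens in the same pass that regenerates the revocation list, as suggested in the reply above. The table layout (<code>id</code>, <code>expires</code>, <code>valid</code>), the function names and the sample rows are assumptions made for illustration.<br>

```python
import sqlite3

NOW = 1377283380  # constructed "current time" in epoch seconds


def make_db(now=NOW):
    """Build an in-memory token table with constructed sample rows.

    The schema is an assumption for this sketch, not keystone's own.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE token ("
        "id TEXT PRIMARY KEY, expires INTEGER NOT NULL, valid INTEGER NOT NULL)"
    )
    db.executemany(
        "INSERT INTO token VALUES (?, ?, ?)",
        [
            ("live-valid", now + 3600, 1),    # still usable
            ("live-revoked", now + 3600, 0),  # must appear on the list
            ("old-valid", now - 3600, 1),     # expired, safe to drop
            ("old-revoked", now - 3600, 0),   # expired, no longer needs listing
        ],
    )
    db.commit()
    return db


def regenerate_revocation_list(db, now):
    """Flush expired rows, then return (revoked_ids, flushed_count).

    An expired token is rejected on its expiry alone, so only revoked
    tokens that have not yet expired need to stay on the list. Both
    statements run in one transaction, so a reader never sees a list
    built from rows that are about to be deleted.
    """
    with db:  # commits on success, rolls back on error
        flushed = db.execute(
            "DELETE FROM token WHERE expires <= ?", (now,)
        ).rowcount
        revoked = [
            row[0]
            for row in db.execute(
                "SELECT id FROM token WHERE valid = 0 ORDER BY id"
            )
        ]
    return revoked, flushed


if __name__ == "__main__":
    print(regenerate_revocation_list(make_db(), NOW))
```
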
</body>
</html>