<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Fri, Aug 23, 2013 at 7:48 PM, Yongsheng Gong <span dir="ltr"><<a href="mailto:gongysh@unitedstack.com" target="_blank">gongysh@unitedstack.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Adam,<div>Can you explain more about '<span style="font-family:arial,sans-serif;font-size:12.800000190734863px">In conjunction with the caching layer, it might be the right approach: flush the old tokens upon revocation list regeneration.'?</span></div>
<div><span style="font-family:arial,sans-serif;font-size:12.800000190734863px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:12.800000190734863px">when is the </span><span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;font-size:11.818181991577148px;line-height:17.99715805053711px">list_revoked_tokens called?</span></div>
<div><span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;font-size:11.818181991577148px;line-height:17.99715805053711px"><br></span></div></div></blockquote><div><br></div><div>In a PKI-token based deployment, auth_token periodically fetches a list of revoked tokens so that it knows which tokens to deny, even though they are otherwise valid.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;font-size:11.818181991577148px;line-height:17.99715805053711px"></span></div>
<div><span style="color:rgb(51,51,51);font-family:'Ubuntu Mono',monospace;font-size:11.818181991577148px;line-height:17.99715805053711px">thanks</span></div>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Aug 24, 2013 at 1:51 AM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"><div>
<div>On 08/23/2013 12:43 PM, Joe Gordon
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr"><br>
On Aug 23, 2013 12:24 PM, "Dolph Mathews" <<a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a>>
wrote:<br>
><br>
><br>
> On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW
Cloud - R&D - Corvallis) <<a href="mailto:mark.m.miller@hp.com" target="_blank">mark.m.miller@hp.com</a>>
wrote:<br>
>><br>
>> Hello,<br>
>><br>
>> <br>
>><br>
>> I would think you would want to reuse the same token
but update the expiration time as if it were the first time the
token had been generated.<br>
><br>
><br>
> That wouldn't work for PKI tokens, as the resulting
signature would have to change.<br>
> <br>
>><br>
>> <br>
>><br>
>> Mark<br>
>><br>
>> <br>
>><br>
>> From: Yongsheng Gong [mailto:<a href="mailto:gongysh@unitedstack.com" target="_blank">gongysh@unitedstack.com</a>]
<br>
>> Sent: Friday, August 23, 2013 12:40 AM<br>
>> To: OpenStack Development Mailing List<br>
>> Subject: [openstack-dev] [keystone] Two BPs for
managing the tokens<br>
>><br>
>> <br>
>><br>
>> Hi,<br>
>><br>
>> Talked with Henry Nash and Jamie Lennox on IRC, I have
created two BPs to manage the keystone tokens:<br>
>><br>
>> 1. <a href="https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token" target="_blank">https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token</a><br>
</p>
</blockquote>
<br></div>
Not sure that this is worth writing or maintaining. The system
services for Cron are much more robust, and we don't have to
maintain them.<br>
<br>
I do have this review for your consideration, though:<br>
<br>
<a href="https://review.openstack.org/#/c/43510/" target="_blank">https://review.openstack.org/#/c/43510/</a><br>
<br>
In conjunction with the caching layer, it might be the right
approach: flush the old tokens upon revocation list regeneration.<div><div><br>
<br>
<br>
<blockquote type="cite">
<p dir="ltr">
>><br>
>> which is used to delete expired token<br>
>><br>
>> 2. <a href="https://blueprints.launchpad.net/keystone/+spec/reuse-token" target="_blank">https://blueprints.launchpad.net/keystone/+spec/reuse-token</a><br>
>><br>
>> which will re-use valid token<br>
>><br>
>> <br>
>><br>
>> These two BPs will help us to reduce the token records
in token table enormously.<br>
>><br>
>> <br>
>><br>
>> I have put some ideas on the BP description.<br>
>><br>
>> <br>
>><br>
>> Any comments are welcome.<br>
>></p>
<p dir="ltr">What about Adam Young's vision for keystone, which I
like, <br>
<a href="http://adam.younglogic.com/2013/07/a-vision-for-keystone/" target="_blank">http://adam.younglogic.com/2013/07/a-vision-for-keystone/</a><br>
These two blueprints don't appear to be in line with it.</p>
<p dir="ltr">Also, instead of making keystone reuse tokens why not
make the token reuse in the clients better (keyring based).
Last I checked it was disabled and broken in nova (there was a
patch to fix it, but keep it disabled)</p>
<p dir="ltr">>> <br>
>><br>
>> <br>
>><br>
>> Regards,<br>
>><br>
>> Yong Sheng Gong<br>
>><br>
>><br>
>> _______________________________________________<br>
>> OpenStack-dev mailing list<br>
>> <a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
>> <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
>><br>
><br>
><br>
><br>
> -- <br>
><br>
> -Dolph<br>
><br>
><br>
</p>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div>
</div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div><br></div>-Dolph
</div></div>
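The two mechanics discussed above, an auth_token-style middleware that periodically fetches the revocation list and denies otherwise valid tokens, and the reason a signed token cannot simply have its expiry bumped, as an added example; this is not keystone's auth_token code or any code from the thread. It assumes an HMAC-SHA256 key in place of keystone's CMS signing certificate, a SHA-256 digest as the identifier carried on the revocation list, an in-memory stand-in for the revocation endpoint, and a caller-supplied clock so the cache timing is visible.

```python
import hashlib
import hmac
import json

# Assumption: an HMAC key stands in for the keystone signing certificate. The
# check has the same shape as PKI validation: a signature over the whole payload.
SIGNING_KEY = b"constructed-demo-key"


def sign(payload_bytes):
    return hmac.new(SIGNING_KEY, payload_bytes, hashlib.sha256).hexdigest()


def issue_token(user, expires_at):
    """Return a signed token as (payload_json, signature)."""
    payload = json.dumps({"user": user, "expires_at": expires_at}, sort_keys=True)
    return payload, sign(payload.encode())


def token_id(token):
    """Identifier the revocation list carries for a token (assumption: SHA-256
    over payload and signature; the digest keystone uses is not shown above)."""
    payload, signature = token
    return hashlib.sha256((payload + signature).encode()).hexdigest()


class RevocationServer:
    """Constructed in-memory stand-in for the keystone revocation endpoint."""

    def __init__(self):
        self._revoked = set()

    def revoke(self, token):
        self._revoked.add(token_id(token))

    def list_revoked_tokens(self):
        # The middleware fetches the whole list; it never asks "is X revoked?".
        return sorted(self._revoked)


class CachedRevocationList:
    """Middleware-side copy of the list, refetched only after cache_seconds."""

    def __init__(self, server, cache_seconds):
        self._server = server
        self._cache_seconds = cache_seconds
        self._ids = frozenset()
        self._fetched_at = None
        self.fetches = 0  # observable count of round trips to the server

    def revoked_ids(self, now):
        if self._fetched_at is None or now - self._fetched_at >= self._cache_seconds:
            self._ids = frozenset(self._server.list_revoked_tokens())
            self._fetched_at = now
            self.fetches += 1
        return self._ids


def validate(token, revocations, now):
    """Signature first, then expiry, then the revocation list: a token that
    passes the first two is still denied once it is on the fetched list."""
    payload, signature = token
    if not hmac.compare_digest(sign(payload.encode()), signature):
        return "bad-signature"
    claims = json.loads(payload)
    if now >= claims["expires_at"]:
        return "expired"
    if token_id(token) in revocations.revoked_ids(now):
        return "revoked"
    return "ok"


def extend_expiry_in_place(token, new_expires_at):
    """What 'reuse the token but update its expiration' means for a signed
    token: the payload changes, so the existing signature no longer covers it."""
    payload, signature = token
    claims = json.loads(payload)
    claims["expires_at"] = new_expires_at
    return json.dumps(claims, sort_keys=True), signature


def demo():
    """Walk one token through the states discussed in the thread."""
    server = RevocationServer()
    cache = CachedRevocationList(server, cache_seconds=300)
    token = issue_token("alice", expires_at=1000)
    results = [validate(token, cache, now=0)]        # ok; list fetched at t=0
    server.revoke(token)
    results.append(validate(token, cache, now=60))   # ok; cached list is stale
    results.append(validate(token, cache, now=300))  # revoked; list refetched
    results.append(validate(extend_expiry_in_place(token, 5000), cache, now=2000))
    results.append(validate(token, cache, now=1000))  # expired
    return results
```

The window between `revoke()` and the next refetch is the point the question about `list_revoked_tokens` gets at: a revoked token keeps working until the cache interval elapses, so the interval is a trade-off between round trips to keystone and how long a revoked token stays usable.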