<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 03/16/2015 05:33 AM, joehuang wrote:<br>
    </div>
    <blockquote
cite="mid:5E7A3D1BF5FD014E86E5F971CF446EFF54246FD5@szxema505-mbs.china.huawei.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">[Topic]: Huge token size</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">Hello,</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">As you may or may not be aware, a
            requirement project proposal, Multisite [1], was started in
            OPNFV in order to identify gaps in implementing OpenStack
            across multiple sites.</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">Although the proposal has not been approved yet, we've started to run some experiments to try
            out different methods. One of the problems we identified in
            those experiments is that, when we want to use a shared
            KeyStone for 101 regions (including ~500 endpoints), the
            token size is huge (the token format is PKI). Please see
            details in the attachments:</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">token_catalog.txt, 162KB: catalog list included
            in the token</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">token_pki.txt, 536KB: non-compressed token size</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">token_pkiz.txt, 40KB: compressed token size</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">I understand that KeyStone has a way, like
            endpoint_filter, to reduce the size of the token; however, this
            requires managing which of many endpoints (hard to identify the exact number)
            can be seen by a project, and the size is not easy
            to control exactly.</span></p>
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">Do you guys have any insights into how to reduce
            the token size if PKI tokens are used? Is there any BP related to
            this issue? Or should we file one to tackle this?</span></p>
      </div>
    </blockquote>
    <br>
    <br>
    Right now there is an effort for non-multisite to get a handle on
    the problem.  The Fernet token format will make it possible for a
    token to be ephemeral.  The scheme is this:<br>
    <br>
    Encode the minimal amount of data into the token possible.<br>
    <br>
    Always validate the token on the Keystone server.<br>
    <br>
    On the Keystone server, the token validation is performed by
    checking the message HMAC, and then expanding out the data.<br>
    <br>
    This concept is expandable to multisite in two ways.<br>
    <br>
    For a completely trusted and symmetric multisite deployment, the
    keystone servers can share keys.  The Kite project
    (<a class="moz-txt-link-freetext" href="http://git.openstack.org/cgit/openstack/kite">http://git.openstack.org/cgit/openstack/kite</a>) was originally spun up to
    manage this sort of symmetric key sharing, and is a natural
    extension.<br>
    <br>
    If two keystone servers need to sign for and validate separate sets
    of data (future work), the form of signing could be returned to
    asymmetric crypto.  This would lead to a minimal token size of about
    800 bytes (I haven't tested exactly).  It would mean that any
    service responsible for validating tokens would need to fetch and
    cache the responses for things like catalog and role assignments.<br>
    <br>
    The ephemeral nature of the Fernet specification means that
    revocation data needs to be persisted separately from the token, so it
    is not 100% ephemeral, but the amount of stored data should be (I
    estimate) two orders of magnitude smaller, maybe three.  Password
    changes, project deactivations, and role revocations will still
    cause some traffic there.  These will need to be synchronized across
    token validation servers.<br>
    <br>
    Great topic for discussion in Vancouver.<br>
    <br>
    <blockquote
cite="mid:5E7A3D1BF5FD014E86E5F971CF446EFF54246FD5@szxema505-mbs.china.huawei.com"
      type="cite">
      <div class="WordSection1">
        <p class="MsoNormal"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">[1] <a moz-do-not-send="true"
              href="https://wiki.opnfv.org/requirements_projects/multisite">https://wiki.opnfv.org/requirements_projects/multisite</a></span></p>
        <p class="MsoNormal"
          style="text-align:justify;text-justify:inter-ideograph"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">Best Regards</span></p>
        <p class="MsoNormal"
          style="text-align:justify;text-justify:inter-ideograph"><span style="font-size:10.5pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D" lang="EN-US">Chaoyi Huang ( Joe Huang )</span></p>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a class="moz-txt-link-abbreviated" href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
    </blockquote>
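    <p>The scheme sketched in the reply above (put only the minimal data in the token,
    always validate on the Keystone server by checking the HMAC and then expanding out
    the catalog and role data, keep revocation events in a separate store, and let
    trusted sites share a key ring), as an added example that is not Keystone's,
    Fernet's or Kite's own code. It uses only the Python standard library; the version
    byte, wire layout, key ring, TTL, catalog contents, user and project identifiers
    are all constructed for illustration and are not the real Fernet format. The
    constructed catalog has 101 regions with 5 endpoints each, mirroring the numbers
    in the question, so the size comparison at the end shows why the token stays small
    no matter how large the catalog grows.</p>

```python
"""Added example, not Keystone's or Fernet's own code: a stripped-down
HMAC-protected ephemeral token in the spirit of the scheme in the reply.
The token carries only user, project and issue time; roles and the service
catalog are expanded on the validating server, and revocation events live
in a separate store. Wire format, keys, catalog and ids are constructed."""
import base64
import hashlib
import hmac
import json
import struct
import time

VERSION = 0x80     # constructed version byte, not Fernet's
TOKEN_TTL = 3600   # seconds (assumed)
TAG_LEN = 32       # HMAC-SHA256 output


def issue_token(key, user_id, project_id, now=None):
    """Issuer side: sign the minimal payload; nothing else goes on the wire."""
    now = int(time.time()) if now is None else now
    payload = json.dumps([user_id, project_id], separators=(",", ":")).encode()
    body = bytes([VERSION]) + struct.pack(">Q", now) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()


def _parse(token):
    raw = base64.urlsafe_b64decode(token.encode())
    if len(raw) < 1 + 8 + TAG_LEN or raw[0] != VERSION:
        raise ValueError("malformed token")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    issued_at = struct.unpack(">Q", body[1:9])[0]
    user_id, project_id = json.loads(body[9:].decode())
    return body, tag, issued_at, user_id, project_id


def build_catalog(n_regions, services):
    """Constructed catalog: n_regions regions x len(services) endpoints."""
    return [{"region": "Region-%03d" % r, "service": s,
             "url": "https://%s.region-%03d.example.test/v2" % (s, r)}
            for r in range(1, n_regions + 1) for s in services]


class Validator:
    """Server side. `keys` is the shared key ring (newest first); in a fully
    trusted symmetric multisite deployment every Keystone holds the same
    ring, so a token issued at one site validates at any other."""

    def __init__(self, keys, catalog, role_assignments):
        self.keys = list(keys)
        self.catalog = catalog
        self.role_assignments = role_assignments  # (user, project) -> roles
        self.disabled_projects = set()             # revocation store, kept
        self.password_changed_at = {}              # outside the token

    def validate(self, token, now=None):
        now = int(time.time()) if now is None else now
        body, tag, issued_at, user_id, project_id = _parse(token)
        # Constant-time comparison against every key in the ring (rotation).
        if not any(hmac.compare_digest(hmac.new(k, body, hashlib.sha256).digest(), tag)
                   for k in self.keys):
            raise ValueError("bad signature")
        if now < issued_at or now >= issued_at + TOKEN_TTL:
            raise ValueError("expired or not yet valid")
        # Revocation events are consulted from the separate store.
        if project_id in self.disabled_projects:
            raise ValueError("project disabled")
        if issued_at <= self.password_changed_at.get(user_id, -1):
            raise ValueError("password changed after issue")
        roles = self.role_assignments.get((user_id, project_id))
        if not roles:
            raise ValueError("no role assignment on project")
        # Expand: the bulky data is attached here, never carried in the token.
        return {"user": user_id, "project": project_id, "roles": sorted(roles),
                "expires_at": issued_at + TOKEN_TTL, "catalog": self.catalog}


def token_vs_catalog_bytes(n_regions=101,
                           services=("compute", "network", "image", "volume", "identity")):
    """Bytes on the wire for the token next to the catalog it stands for."""
    token = issue_token(b"k" * 32, "user-1234", "project-5678", now=0)
    catalog_bytes = len(json.dumps(build_catalog(n_regions, services)).encode())
    return len(token.encode()), catalog_bytes


if __name__ == "__main__":
    tok_len, cat_len = token_vs_catalog_bytes()
    print("token on the wire: %d bytes; catalog it expands to: %d bytes" % (tok_len, cat_len))
```

    <p>Running the module prints the two sizes for the 101-region, 505-endpoint case: the
    token is under 100 bytes while the expanded catalog is tens of kilobytes, which is
    the point of validating server-side. A password change is modelled as "reject every
    token issued at or before the change", so the store holds one timestamp per user
    rather than one row per token; that store, and the key ring, are what would have to
    be synchronized between sites.</p>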
    <br>
  </body>
</html>