<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Mar 8, 2016 at 10:58 AM, Adam Young <span dir="ltr"><<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF"><div><div class="h5">
    <div>On 03/08/2016 11:06 AM, Matt Fischer
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">This would be complicated to setup. How would the
        Openstack services validate the token? Which keystone node would
        they use? A better question is why would you want to do this? </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Tue, Mar 8, 2016 at 8:45 AM, rezroo
          <span dir="ltr"><<a href="mailto:openstack@roodsari.us" target="_blank">openstack@roodsari.us</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Keystone
            supports both tokens and ec2 credentials simultaneously, but
            as far as I can tell, will only do a single token format
            (uuid, pki/z, fernet) at a time. Is it possible or advisable
            to configure keystone to issue multiple token formats? For
            example, I could configure two keystone servers, each using
            a different token format, so depending on endpoint used, I
            could get a uuid or pki token. Each service can use either
            token format, so is there a conceptual or implementation
            issue with this setup?<br></blockquote></div></div></blockquote></div></div></div></blockquote><div><br></div><div>We do have token-less authentication built into keystone, which was released in Liberty and might help with the service authentication case you described [0]. Having a keystone node validate multiple token formats is tough because it requires the token providers to know enough information about other token formats to confidently say "yes, this is a PKI token" or "no, this isn't a fernet token". Is the sole idea behind letting the client pick the token format to get around the service authentication situation? Is there another case you have that makes sense for a client to pick its token format?</div><div><br></div><div>[0] <a href="https://github.com/openstack/keystone-specs/blob/master/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.rst">https://github.com/openstack/keystone-specs/blob/master/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.rst</a></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF"><div><div class="h5"><blockquote type="cite"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
            Thanks,<br>
            Reza<br>
            <br>
__________________________________________________________________________<br>
            OpenStack Development Mailing List (not for usage questions)<br>
            Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
            <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
    </blockquote></div></div>
    Theoretically:<br>
    <br>
    Two different Keystone servers could independently issue different
    token formats.  They would need to share a common backend, so that
    they could all be verified online.  PKIZ could be issued from
    multiple servers, each using different signing certs, so long as all
    the services got all the certs.<br>
    <br>
    Practically:<br>
    <br>
    You'd be insane to do this in production<br>
  </div>

<br></blockquote></div><br></div></div>
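<div>The format-sniffing step that the thread says a multi-format validator would need (deciding whether a token is uuid, pki, pkiz or fernet before handing it to a provider), as an added example that is not Keystone's own code. The shape rules and the pki/pkiz encodings are assumed from the usual wire forms of those formats, and the sample inputs are constructed, not real tokens.</div>

```python
"""Token-format sniffing for a validator that must accept several Keystone
token formats at once (added example, not Keystone's code; the shape rules
are assumed from the usual encodings of these formats)."""
import base64
import re
import uuid
import zlib

PKIZ_PREFIX = "PKIZ_"
UUID_RE = re.compile(r"^[0-9a-f]{32}$")

def cms_to_pki_token(der):
    """PKI wire form: standard base64 of the DER CMS with '/' swapped for '-'."""
    return base64.b64encode(der).decode("ascii").replace("/", "-")

def cms_to_pkiz_token(der):
    """PKIZ wire form: 'PKIZ_' + urlsafe base64 of the zlib-compressed DER."""
    packed = zlib.compress(der)
    return PKIZ_PREFIX + base64.urlsafe_b64encode(packed).decode("ascii")

def detect_token_format(token):
    """Return 'uuid', 'pki', 'pkiz' or 'fernet'; None if no rule claims it."""
    if UUID_RE.match(token):
        return "uuid"
    if token.startswith(PKIZ_PREFIX):
        return "pkiz"
    if token.startswith("gAAAAA"):      # fernet version byte 0x80, base64url
        return "fernet"
    if token.startswith("MII"):         # base64 of a DER SEQUENCE
        return "pki"
    return None

def signed_token_to_cms(token):
    """Recover the DER CMS blob from either signed form so the same
    signature check (against every trusted signing cert) can run on it."""
    fmt = detect_token_format(token)
    if fmt == "pkiz":
        packed = base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):])
        return zlib.decompress(packed)
    if fmt == "pki":
        return base64.b64decode(token.replace("-", "/"))
    raise ValueError("not a signed pki/pkiz token (format=%s)" % fmt)

# Constructed samples, not real tokens: a DER-shaped blob and a fernet-shaped
# string (version byte 0x80, zero timestamp, dummy iv/ciphertext/hmac bytes).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_FERNET = base64.urlsafe_b64encode(b"\x80" + bytes(56)).decode("ascii")
SAMPLE_UUID = uuid.uuid4().hex
```

A token that matches no rule comes back as None, which is the case a validator must reject rather than guess; in the pki and pkiz paths the actual CMS signature check over the recovered DER is the step that would need every issuing server's cert.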