<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/09/2016 01:11 AM, Tim Bell wrote:<br>
</div>
<blockquote cite="mid:774AE78E-97B3-4238-AF5D-B3D8005C7CE6@cern.ch"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div>
<div>
<div><br>
</div>
</div>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:12pt;
text-align:left; color:black; BORDER-BOTTOM: medium none;
BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Matt Fischer <<a class="moz-txt-link-abbreviated" href="mailto:matt@mattfischer.com">matt@mattfischer.com</a>><br>
<span style="font-weight:bold">Reply-To: </span>"OpenStack
Development Mailing List (not for usage questions)" <<a class="moz-txt-link-abbreviated" href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Date: </span>Tuesday 8 March
2016 at 20:35<br>
<span style="font-weight:bold">To: </span>"OpenStack
Development Mailing List (not for usage questions)" <<a class="moz-txt-link-abbreviated" href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>><br>
<span style="font-weight:bold">Subject: </span>Re:
[openstack-dev] [keystone] Using multiple token formats in a
one openstack cloud<br>
</div>
<div><br>
</div>
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"
style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0
0 0 5;">
<div>
<div>
<div dir="ltr">I don't think your example is right: "<span
style="font-size:12.8px">PKI will validate that token
without going to any keystone server". How would it
track revoked tokens? I'm pretty sure that they still
get validated; they are even stored in the DB.</span>
<div><span style="font-size:12.8px"><br>
</span></div>
<div><span style="font-size:12.8px">I also disagree that
there are different use cases. Just switch to fernet
and save yourself what's going to be weeks of pain
with probably no improvement in anything with this
idea.</span></div>
</div>
</div>
</div>
</blockquote>
</span>
<div><br>
</div>
<div>Are there any details on how to switch to Fernet for a running
cloud? I can see a migration path where the cloud is stopped,
the token format changed and the cloud restarted.</div>
<div><br>
</div>
<div>It seems more complex (and maybe insane, as Adam would say)
to do this for a running cloud without disturbing the users of
the cloud.</div>
<div><br>
</div>
<div>Tim</div>
</blockquote>
<br>
So, Fernet tokens do not persist; UUID tokens do. I would guess that a
transition plan would involve being able to fall back to a persisted
UUID token if the Fernet validation does not work. <br>
<br>
<br>
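Added example, not code from keystone or from anyone in this thread: a transition-time validator that tries the self-contained (Fernet-style) check first and only on failure looks the token up in the persisted (UUID-style) store. The signed token is a simplified HMAC-SHA256 stand-in for the real Fernet format, the persisted table is an in-memory dict standing in for keystone's token table, and the key list, helper names and sample users are all constructed for this example.<br>

```python
"""Added illustration (not keystone's code): validate a token by first treating
it as a self-contained signed token and, only if that fails, falling back to a
persisted lookup, the kind of fallback a UUID-to-Fernet transition would need.

Assumptions: the signed token is a simplified HMAC-SHA256 stand-in for the real
Fernet format; the persisted store is an in-memory dict standing in for
keystone's token table. Both are constructed for the example."""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed signing keys, newest first, as a stand-in for a Fernet key
# repository. Validation tries every key so tokens issued under an older key
# still verify until they expire (rotation without breaking outstanding tokens).
SIGNING_KEYS = [b"constructed-key-1", b"constructed-key-0"]

# Constructed stand-in for the persisted UUID token table: token id -> record.
PERSISTED_TOKENS = {}


def issue_signed_token(user, expires_in=3600, key=None):
    """Issue a self-contained token: base64(payload).base64(hmac). Nothing is stored."""
    key = key or SIGNING_KEYS[0]
    payload = json.dumps({"user": user, "exp": int(time.time()) + expires_in}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b".".join((base64.urlsafe_b64encode(payload),
                      base64.urlsafe_b64encode(tag))).decode()


def issue_uuid_token(user, expires_in=3600):
    """Issue an opaque UUID token; all of its state lives in the persisted store."""
    token_id = uuid.uuid4().hex
    PERSISTED_TOKENS[token_id] = {"user": user,
                                  "exp": int(time.time()) + expires_in,
                                  "revoked": False}
    return token_id


def revoke_uuid_token(token_id):
    """Revocation of a persisted token is a flag on its record."""
    if token_id in PERSISTED_TOKENS:
        PERSISTED_TOKENS[token_id]["revoked"] = True


def validate_signed(token, now=None):
    """Return the payload if the token verifies under any current key and is
    unexpired, else None. A UUID hex string has no '.', so it fails the parse
    step and never reaches the HMAC check."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.encode().split(b".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    for key in SIGNING_KEYS:
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if hmac.compare_digest(expected, tag):
            data = json.loads(payload)
            return data if data["exp"] > now else None
    return None


def validate_persisted(token, now=None):
    """Return the stored payload if the token exists, is not revoked and is unexpired."""
    now = int(time.time()) if now is None else now
    rec = PERSISTED_TOKENS.get(token)
    if rec is None or rec["revoked"] or rec["exp"] <= now:
        return None
    return {"user": rec["user"], "exp": rec["exp"]}


def validate_token(token, now=None):
    """Transition-time validator: self-contained check first, persisted lookup
    as the fallback. Returns (source, payload) or (None, None)."""
    data = validate_signed(token, now)
    if data is not None:
        return "signed", data
    data = validate_persisted(token, now)
    if data is not None:
        return "persisted", data
    return None, None


if __name__ == "__main__":
    signed = issue_signed_token("alice")
    legacy = issue_uuid_token("bob")
    print(validate_token(signed))   # ('signed', {...})
    print(validate_token(legacy))   # ('persisted', {...})
    revoke_uuid_token(legacy)
    print(validate_token(legacy))   # (None, None)
```

Note the asymmetry the thread is circling around: the persisted path can honour a revoked flag at lookup time, while the self-contained path carries no server-side state, so revoking a signed token would need a separate record of revocation events, which this example deliberately does not implement.<br>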
<blockquote cite="mid:774AE78E-97B3-4238-AF5D-B3D8005C7CE6@cern.ch"
type="cite">
<span id="OLK_SRC_BODY_SECTION">
<blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE"
style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0
0 0 5;">
<div>
<div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Mar 8, 2016 at 9:56 AM,
rezroo <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:openstack@roodsari.us"
target="_blank">openstack@roodsari.us</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">The basic idea
is to let the openstack clients decide what sort
of token optimization to use - for example, while
a normal client uses uuid tokens, some services
like heat or magnum may opt for pki tokens for
their operations. A service like nova, configured
for PKI, will validate that token without going to
any keystone server, but if it gets a uuid token
it validates it with a keystone endpoint. I'm
under the impression that the different token
formats have different use cases, so I am wondering
if there is a conceptual reason why multiple token
formats are an either/or scenario.
<div>
<div class="h5"><br>
<br>
<div>On 3/8/2016 8:06 AM, Matt Fischer wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">This would be complicated to
setup. How would the Openstack services
validate the token? Which keystone node
would they use? A better question is why
would you want to do this? </div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Mar 8,
2016 at 8:45 AM, rezroo <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:openstack@roodsari.us"
target="_blank">openstack@roodsari.us</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
Keystone supports both tokens and ec2
credentials simultaneously, but as far
as I can tell, will only do a single
token format (uuid, pki/z, fernet) at
a time. Is it possible or advisable to
configure keystone to issue multiple
token formats? For example, I could
configure two keystone servers, each
using a different token format, so
depending on endpoint used, I could
get a uuid or pki token. Each service
can use either token format, so is
there a conceptual or implementation
issue with this setup?<br>
Thanks,<br>
Reza<br>
<br>
__________________________________________________________________________<br>
OpenStack Development Mailing List
(not for usage questions)<br>
Unsubscribe: <a
moz-do-not-send="true"
href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a moz-do-not-send="true"
href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</div>
</div>
</div>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
</span>
<br>
</blockquote>
<br>
</body>
</html>