[Openstack] Keystone Token expiration on long Swift operations.

Clay Gerrard clay.gerrard at gmail.com
Wed Apr 22 18:38:26 UTC 2015


It would be helpful to identify which SDK?

You're probably aware the auth service and the object storage service are
different http endpoints - you get a token from auth, you provide the token
to swift with the request - swift validates the token and authorizes the
request.  If the token provided to swift cannot be validated - you should
get a new one and retry the request to Swift.  The specifics of what's
required here depend on the SDK - it may be able to "re-auth" for you.

Tokens are not account/container based - but rather tied to the user making
the request.  With Keystone, roles associate a user to a project and grant
access to accounts in Swift.  Containers can individually grant access via
ACLs - but it's still a scoping to a user (or perhaps a role on a
project).  You could use tempurls tho [1].

I thought the default token lifetime was 24 hours, it's curious they only
last 1hr for you.  There was an issue pre-swift 2.0 which required keystone
auth to be placed in the pipeline after the large object middleware which
could cause token expiration to interrupt a long running download of a
static or dynamic large object - but I don't see how that would affect
writes.  Generally the application (or the SDK) deals with a 401 error from
Swift by simply asking the auth service for a fresh token - you could try
to avoid the re-auth by periodically identifying with the auth service and
using the token it returns - but most of the time it doesn't obviate the
need for the retry on 401 code so people tend to stick with EAFP.

-Clay

1. http://docs.openstack.org/developer/swift/middleware.html#tempurl

On Wed, Apr 22, 2015 at 11:13 AM, Forrest Townsend <forrest.town18 at gmail.com> wrote:

> Hey all,
>
> I am writing an application that writes and reads from Swift using an SDK
> to communicate to Openstack. Would like to hear some insight as to how to avoid
> the default 60 minute token expiration. What I was looking into was
> recreating the connection to Openstack but wasn't sure if this actually
> created a new token. The use case where I hit an expiration is when I have
> a connection open and doing many writes that exceed 60 minutes, at the 60
> minute mark, I get a disconnection.
>
> Are tokens account/container based?
>
> Rather than setting the token expiration in the keystone.conf to a custom
> value, I would like to know from an application point of view how to get
> around this.
>
> Thanks,
> Forrest T.
>
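
The retry-on-401 pattern discussed in this thread, as an added example that is not part of the original messages or of any OpenStack SDK: a client wrapper that sends with its cached token, re-authenticates only when the request is rejected, rewinds the upload body before resending, and gives up after a bounded number of re-auths. `ReauthSession`, `AuthFailed`, `FakeCloud`, the `get_token`/`send` callables and the object paths are hypothetical names; the fake endpoints and clock are constructed so the block runs offline.

```python
import io

class AuthFailed(Exception):
    """Swift still answered 401 after a fresh token: stop, do not loop."""

class ReauthSession:
    """EAFP: send with the cached token, fetch a new one only on 401."""
    def __init__(self, get_token, send, max_reauth=1):
        self.get_token, self.send = get_token, send  # hypothetical callables
        self.max_reauth, self.token = max_reauth, None

    def request(self, method, path, body=None):
        start = body.tell() if body is not None else None
        for _ in range(self.max_reauth + 1):
            if self.token is None:
                self.token = self.get_token()
            if body is not None:
                body.seek(start)        # a retry must resend the whole object
            status = self.send(method, path, self.token, body)
            if status != 401:
                return status
            self.token = None           # rejected: drop it, re-auth next pass
        raise AuthFailed(f"{method} {path}: 401 after {self.max_reauth} re-auth")

# Constructed stand-in for the two endpoints (auth service and Swift).
class FakeCloud:
    def __init__(self, ttl=3600):
        self.now, self.ttl, self.expiry, self.objects = 0, ttl, {}, {}
    def issue_token(self):              # plays the auth service
        token = f"tok-{len(self.expiry) + 1}"
        self.expiry[token] = self.now + self.ttl
        return token
    def send(self, method, path, token, body):   # plays Swift
        data = body.read() if body is not None else b""  # stream is consumed
        if self.expiry.get(token, 0) <= self.now:
            return 401                  # token could not be validated
        self.objects[path] = data
        return 201

def run_demo():
    cloud = FakeCloud(ttl=3600)
    session = ReauthSession(cloud.issue_token, cloud.send)
    statuses = []
    for i in range(5):                  # writes at t = 1000 .. 5000 seconds
        cloud.now += 1000
        body = io.BytesIO(b"x" * 64)    # constructed payload and path
        statuses.append(session.request("PUT", f"/v1/AUTH_demo/c/o{i}", body))
    return statuses, len(cloud.expiry), cloud.objects
```

With a real SDK, `get_token` and `send` would wrap its own auth and request calls; a non-seekable body cannot be replayed this way and has to be reopened by the caller.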