<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    On 05/07/2012 10:08 PM, 陈军 wrote:
    <blockquote
      cite="mid:1336442882.45591.YahooMailNeo@web92401.mail.cnh.yahoo.com"
      type="cite">
      <div style="color:#000; background-color:#fff; font-family:宋体,
        simsun, serif;font-size:10pt">
        <div><span>Every service that receives requests with a token
            needs to communicate with keystone to verify a user's
            identity.</span></div>
        <div>A rough diagram of how keystone works can be found in the
          sequence diagram:<span><a class="moz-txt-link-freetext" href="http://docs.openstack.org/trunk/openstack-identity/admin/content/what-is.html">http://docs.openstack.org/trunk/openstack-identity/admin/content/what-is.html</a></span></div>
        <div><span><br>
          </span></div>
        <div><span>While there is a mass of users or the scale of the cloud
            becomes huge, will Keystone be the bottleneck?<br>
          </span></div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
Post to     : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="https://launchpad.net/~openstack">https://launchpad.net/~openstack</a>
More help   : <a class="moz-txt-link-freetext" href="https://help.launchpad.net/ListHelp">https://help.launchpad.net/ListHelp</a>
</pre>
    </blockquote>
    I think so, which is why I am working on this:<br>
    <a class="moz-txt-link-freetext" href="https://blueprints.launchpad.net/keystone/+spec/pki">https://blueprints.launchpad.net/keystone/+spec/pki</a><br>
    <br>
    <br>
    The tl;dr version: provide the roles in the token as a
    cryptographically signed document. The services like Glance and
    Nova will use a public key from Keystone to verify the tokens and
    roles instead of talking back to the Keystone server.<br>
  </body>
</html>