<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div><br></div><div>From reading Adam's blog, it appears that the mixed use of PKI and hashed PKI only works with Horizon. Not sure if other authenticating services would work the same, as it requires logic in the service doing the authentication to understand how to handle the token. I guess it's a function of the authtoken middleware being used, so perhaps other services (swift?) could use it if using the same middleware module.</div><div><br></div><div>Also, I'm not familiar with Pingdom, but it would seem to be a minor bug on their side that they choke on large HTTP headers. The HTTP protocol does not have any such restriction AFAIK and they should be able to handle it.</div><div><br></div><div>-Wyllys</div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span> "Ferreira, Rafael" <<a href="mailto:raf@io.com">raf@io.com</a>><br><span style="font-weight:bold">Date: </span> Friday, January 31, 2014 10:31 AM<br><span style="font-weight:bold">To: </span> Remo Mattei <<a href="mailto:remo@italy1.com">remo@italy1.com</a>>, Wyllys Ingersoll <<a href="mailto:wyllys.ingersoll@evault.com">wyllys.ingersoll@evault.com</a>><br><span style="font-weight:bold">Cc: </span> "<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br><span style="font-weight:bold">Subject: </span> Re: [Openstack] [Barbican] Keystone PKI token too
much long<br></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><style>body{font-family:Helvetica,Arial;font-size:13px}</style><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
I don’t believe so; it gives you the best of both worlds, really: short tokens with server-side validation (requiring an extra call to keystone) and client-side validation with the exact same token (in PKI form) when needed. AFAIK, this is not accidental behavior;
we stumbled upon it while reviewing the keystone source code. </div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
pertinent code path: </div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><a href="https://github.com/openstack/keystone/blob/master/keystone/common/cms.py">https://github.com/openstack/keystone/blob/master/keystone/common/cms.py</a></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
other references:</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><a href="http://adam.younglogic.com/2012/10/pki-tokens-horizon/">http://adam.younglogic.com/2012/10/pki-tokens-horizon/</a></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
Bug to make the hash function configurable: </div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><a href="https://bugs.launchpad.net/keystone/+bug/1174499">https://bugs.launchpad.net/keystone/+bug/1174499</a></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
We’re using this today to enable pingdom to monitor our converged infrastructure product built on openstack (pingdom can’t handle the large PKI tokens).</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
- raf</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_sign_1391181526865067008" class="bloop_sign"></div><br><p style="color:#A0A0A8;">On January 31, 2014 at 7:36:18 AM, Wyllys Ingersoll (<a href="mailto://wyllys.ingersoll@evault.com">wyllys.ingersoll@evault.com</a>) wrote:</p><blockquote type="cite" class="clean_bq"><span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div><br></div><div>How would that work then? The point of having PKI tokens is so that the clients themselves can verify the token without requiring a round-trip call back to keystone to look up the token and verify it. If you just have an MD5 hash, there is no way for
the clients to verify the token, which sort of defeats the purpose, no?</div><div><br></div><div>-Wyllys</div><div><br></div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span>Remo Mattei <<a href="mailto:remo@italy1.com">remo@italy1.com</a>><br><span style="font-weight:bold">Date: </span>Friday, January 31, 2014 8:40 AM<br><span style="font-weight:bold">To: </span>"Ferreira, Rafael" <<a href="mailto:raf@io.com">raf@io.com</a>><br><span style="font-weight:bold">Cc: </span>"<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br><span style="font-weight:bold">Subject: </span>Re: [Openstack] [Barbican] Keystone PKI token too much long<br></div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div><div dir="auto"><div>Hi Rafael,</div><div>Do you have the info on how that has been implemented?</div><div><br></div><div>Thanks</div><div>Remo<br><br><div style="orphans: auto; widows: auto;">Sent from iPhone<span style="background-color: rgba(255, 255, 255, 0);"></span></div></div><div><br>
On Jan 31, 2014, at 8:27, "Ferreira, Rafael" <<a href="mailto:raf@io.com">raf@io.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div>By the way, you can achieve the same benefits of uuid tokens (shorter tokens) with PKI by simply using an MD5 hash of the PKI token for your X-Auth headers. This is poorly documented but it seems to work just fine. </div><div><br></div><span id="OLK_SRC_BODY_SECTION"><div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt"><span style="font-weight:bold">From: </span>Adam Young <<a href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>><br><span style="font-weight:bold">Date: </span>Tuesday, January 28, 2014 at 1:41 PM<br><span style="font-weight:bold">To: </span>"<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>" <<a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br><span style="font-weight:bold">Subject: </span>Re: [Openstack] [Barbican] Keystone PKI token too much long<br></div><div><br></div><div><div bgcolor="#FFFFFF" text="#000000"><div class="moz-cite-prefix">On 01/22/2014 12:21 PM, John Wood wrote:<br></div><blockquote cite="mid:49F5BF8205841548AB38409969C7AB3F915D7755@ORD1EXD02.RACKSPACE.CORP" type="cite"><div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
(Adding another member of our team Douglas)
<div><br></div><div>Hello Giuseppe,</div><div><br></div><div>For questions about news or patches for Keystone's PKI vs UUID modes, you might reach out to the
<a class="moz-txt-link-abbreviated" href="mailto:openstack-dev@lists.openstack.org">
openstack-dev@lists.openstack.org</a> mailing list, with the subject line prefixed with [openstack-dev] [keystone].</div><div><br></div><div>Our observation has been that the PKI mode can generate large text blocks for tokens (esp. for large service catalogs) that cause HTTP header errors. </div><div><br></div><div>Regarding the specific barbican scripts you are running, we haven't run those in a while, so I'll investigate as we might need to update them. Please email back your /etc/barbican/barbican-api-paste.ini paste config file when you have a chance as well.
</div><div><br></div><div>Thanks,</div><div>John</div><div><br></div><div><br><div style="font-family: Times New Roman; color: #000000;
font-size: 16px"><hr tabindex="-1"><div id="divRpF494683" style="direction: ltr;"><font face="Tahoma" color="#000000" size="2"><b>From:</b> Giuseppe Galeota [<a class="moz-txt-link-abbreviated" href="mailto:giuseppegaleota@gmail.com">giuseppegaleota@gmail.com</a>]<br><b>Sent:</b> Wednesday, January 22, 2014 7:36 AM<br><b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">
openstack@lists.openstack.org</a><br><b>Cc:</b> John Wood<br><b>Subject:</b> [Openstack] [Barbican] Keystone PKI token too much long<br></font><br></div><div><div dir="ltr">Dear all,
<div>I have configured Keystone for Barbican using this <a moz-do-not-send="true" href="https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone" target="_blank">
guide</a>.</div><div><br></div><div>Is there any news or patch about the need to use a shorter token? I would not use a modified token.</div></div></div></div></div></div></blockquote>
It's a known problem. You can request a token without the service catalog using an extension.<br><br>
One possible future enhancement is to compress the key.<br><br><br><blockquote cite="mid:49F5BF8205841548AB38409969C7AB3F915D7755@ORD1EXD02.RACKSPACE.CORP" type="cite"><div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;"><div><div style="font-family: Times New Roman; color: #000000;
font-size: 16px"><div><div dir="ltr"><div><br></div><div>Following you can find an extract of the linked guide:</div><div><ul><li><span style="color: rgb(51, 51, 51); font-family: Helvetica, arial, freesans, clean, sans-serif; font-size: 15.333333015441895px; line-height: 17px; ">(Optional) Typical keystone setup creates PKI tokens that are long, do not fit easily into curl requests
without splitting into components. For testing purposes, suggest updating the keystone database with a shorter token-id. (An alternative is to set up keystone to generate uuid tokens.) From the above output grab the token expiry value, referred to as "x-y-z".</span><br></li></ul><div class="" style="color:rgb(51,51,51);
font-family:Helvetica,arial,freesans,clean,sans-serif;
font-size:15.333333015441895px; line-height:17px"><pre style="font-family:Consolas,'Liberation Mono',Courier,monospace; font-size:13px; margin-top:15px; margin-bottom:15px; background-color:rgb(248,248,248); border:1px solid rgb(221,221,221); line-height:19px; overflow:auto; padding:6px 10px; word-wrap:normal">mysql -u root
use keystone;
update token set id="foo" where expires="x-y-z";</pre></div></div><div><br></div><div>Thank you,</div><div>Giuseppe</div></div></div></div></div></div><br><fieldset class="mimeAttachmentHeader"></fieldset> <br><pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></pre></blockquote><br></div></div></span>The communication contained in this e-mail is confidential and is intended only for the named recipient(s) and may contain information that is privileged, proprietary, attorney work product or exempt from disclosure under applicable law. If you have
received this message in error, or are not the named recipient(s), please note that any form of distribution, copying or use of this communication or the information in it is strictly prohibited and may be unlawful. Please immediately notify the sender of
the error, and delete this communication including any attached files from your system. Thank you for your cooperation.
</div></blockquote></div></div></blockquote></span></div></span></blockquote>
</div></div></blockquote></span></body></html>