<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/31/2014 11:24 AM, Miller, Mark M
(EB SW Cloud - R&D - Corvallis) wrote:<br>
</div>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B4612D1@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hello,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">We
ran into a problem when using Apache2 and WSGI as the web
front end for Keystone. Keystone v2.0 returns the token in
the response body but v3 returns the token in the response
header. Apache has an internal limit of 8190 bytes for the
response header which means that you will get an error when
you request a token which includes an endpoint catalog that
has more than about 12 endpoints in it. We had to turn the
catalog off.<o:p></o:p></span></p>
</div>
</blockquote>
<br>
Setting the header size is a config option;<br>
<br>
I believe it is <code>LimitRequestFieldSize</code><br>
<br>
<a class="moz-txt-link-freetext" href="http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize">http://httpd.apache.org/docs/2.2/mod/core.html#LimitRequestFieldSize</a><br>
<br>
So set that larger. 10K should be acceptable, based on the reports
I've heard.<br>
<br>
<blockquote
cite="mid:D6182642CE6D2D4FBFCDF99946E249883B4612D1@G9W0343.americas.hpqcorp.net"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Mark<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
Remo Mattei [<a class="moz-txt-link-freetext" href="mailto:remo@italy1.com">mailto:remo@italy1.com</a>]
<br>
<b>Sent:</b> Friday, January 31, 2014 5:41 AM<br>
<b>To:</b> Ferreira, Rafael<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Subject:</b> Re: [Openstack] [Barbican] Keystone
PKI token too much long<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi Rafael<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Do you have the info on how that has
been implemented?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Remo<o:p></o:p></p>
<div>
<p class="MsoNormal">Sent from iPhone<o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
On Jan 31, 2014, at 8:27, "Ferreira, Rafael"
<<a moz-do-not-send="true" href="mailto:raf@io.com">raf@io.com</a>>
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">By the way, you can achieve the
same benefits of uuid tokens (shorter tokens) with PKI
by simply using an MD5 hash of the PKI token for your
X-Auth headers. This is poorly documented but it seems
to work just fine. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">From:
</span></b><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:black">Adam
Young <<a moz-do-not-send="true"
href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>><br>
<b>Date: </b>Tuesday, January 28, 2014 at 1:41 PM<br>
<b>To: </b>"<a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>"
<<a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>><br>
<b>Subject: </b>Re: [Openstack] [Barbican] Keystone
PKI token too much long<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">On 01/22/2014 12:21 PM, John
Wood wrote:<o:p></o:p></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">(Adding
another member of our team Douglas)
<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Hello
Giuseppe,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">For
questions about news or patches for
Keystone's PKI vs UUID modes, you might
reach out to the
<a moz-do-not-send="true"
href="mailto:openstack-dev@lists.openstack.org">openstack-dev@lists.openstack.org</a>
mailing list, with the subject line prefixed
with [openstack-dev] [keystone] <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Our
observation has been that the PKI mode can
generate large text blocks for tokens (esp.
for large service catalogs) that cause http
header errors. <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Regarding
the specific barbican scripts you are
running, we haven't run those in a while, so
I'll investigate as we might need to update
them. Please email back your
/etc/barbican/barbican-api-paste.ini paste
config file when you have a chance as well.
<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">Thanks,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">John<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black"><o:p> </o:p></span></p>
<div>
<div class="MsoNormal"
style="text-align:center" align="center"><span
style="color:black">
<hr align="center" size="2" width="100%">
</span></div>
<div id="divRpF494683">
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black">
Giuseppe Galeota [<a
moz-do-not-send="true"
href="mailto:giuseppegaleota@gmail.com">giuseppegaleota@gmail.com</a>]<br>
<b>Sent:</b> Wednesday, January 22, 2014
7:36 AM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
<b>Cc:</b> John Wood<br>
<b>Subject:</b> [Openstack] [Barbican]
Keystone PKI token too much long</span><span
style="color:black"><o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><span
style="color:black">Dear all, <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="color:black">I have
configured Keystone for Barbican
using this
<a moz-do-not-send="true"
href="https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone"
target="_blank">
guide</a>.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:black">Is there any
news or patch about the need to use
a shorter token? I would not use a
modified token.<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal">It's a known problem. You can
request a token without the service catalog using an
extension.<br>
<br>
One possible future enhancement is to compress the
key.<br>
<br>
<br>
<br>
<o:p></o:p></p>
<div>
<div>
<div>
<div>
<div>
<div>
<p class="MsoNormal"><span
style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:black">Following you can
find an extract of the linked guide:<o:p></o:p></span></p>
</div>
<div>
<ul type="disc">
<li class="MsoNormal"
style="color:black;mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0
level1 lfo1">
<span
style="font-size:11.5pt;font-family:"Helvetica","sans-serif";color:#333333">(Optional)
Typical keystone setup creates PKI
tokens that are long, do not fit
easily into curl requests without
splitting into components. For
testing purposes suggest updating
the keystone database with a shorter
token-id. (An alternative is to set
up keystone to generate uuid
tokens.) From the above output grab
the token expiry value, referred to
as "x-y-z"</span><o:p></o:p></li>
</ul>
<div>
<div
style="mso-element:para-border-div;border:solid
#DDDDDD 1.0pt;padding:5.0pt 8.0pt
5.0pt 8.0pt;background:#F8F8F8">
<pre style="mso-margin-top-alt:11.25pt;margin-right:0in;margin-bottom:11.25pt;margin-left:0in;line-height:14.25pt;background:#F8F8F8;border:none;padding:0in;word-wrap:normal;overflow:auto"><span style="font-family:Consolas;color:#333333">mysql <b>-</b>u root
use keystone;
update token set id<b>=</b></span><span style="font-family:Consolas;color:#DD1144">"foo"</span><span style="font-family:Consolas;color:#333333"> where expires<b>=</b></span><span style="font-family:Consolas;color:#DD1144">"x-y-z"</span><span style="font-family:Consolas;color:#333333"> ;<o:p></o:p></span></pre>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><span
style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:black">Thank you,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="color:black">Giuseppe<o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Mailing list: <a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre>
<pre>Post to : <a moz-do-not-send="true" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><o:p></o:p></pre>
<pre>Unsubscribe : <a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><o:p></o:p></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</blockquote>
</div>
</div>
<br>
</blockquote>
<br>
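<p>An added example, not part of the thread and not Keystone's own code: it measures a token against the 8190-byte header limit Mark describes and derives the MD5-hashed short ID Rafael mentions. The token builder, the <code>cloud.example</code> URLs and all function names are constructed for illustration; <code>X-Subject-Token</code> (the v3 response header) and the <code>MII</code> prefix test for PKI tokens are assumptions drawn from Keystone's behaviour rather than from this page.</p>

```python
import base64
import hashlib
import json

APACHE_FIELD_LIMIT = 8190  # per-header limit quoted in the thread, in bytes
PKI_PREFIX = "MII"         # assumption: base64 of an ASN.1 DER blob starts this way


def header_field_size(name, value):
    """Size in bytes of one 'Name: value' header line, without the CRLF."""
    return len(f"{name}: {value}".encode("latin-1"))


def constructed_pki_token(endpoints):
    """Constructed stand-in for a PKI token carrying `endpoints` catalog entries.

    A real token is a CMS-signed document and is larger still; this only
    models how the embedded service catalog drives the size.
    """
    catalog = [
        {"id": f"{i:032x}", "interface": "public", "region": "RegionOne",
         "url": f"https://svc{i}.cloud.example/v1/%(tenant_id)s"}
        for i in range(endpoints)
    ]
    body = {"token": {"expires_at": "2014-02-01T00:00:00Z", "catalog": catalog}}
    return PKI_PREFIX + base64.b64encode(json.dumps(body).encode()).decode()


def short_token_id(token):
    """MD5 hex digest of a PKI-style token; other token formats pass through."""
    if token.startswith(PKI_PREFIX):
        return hashlib.md5(token.encode("ascii")).hexdigest()
    return token


def max_endpoints_that_fit(header="X-Subject-Token", limit=APACHE_FIELD_LIMIT):
    """Largest constructed catalog whose token still fits in one header line."""
    n = 0
    while header_field_size(header, constructed_pki_token(n + 1)) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    n = max_endpoints_that_fit()
    too_big = constructed_pki_token(n + 1)
    print("endpoints that fit:", n)
    print("full token header bytes:",
          header_field_size("X-Subject-Token", too_big))
    print("hashed id header bytes:",
          header_field_size("X-Auth-Token", short_token_id(too_big)))
```

<p>The hashed ID is still a bearer credential, so it needs the same handling as the full token.</p>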
</body>
</html>