<html>
  <head>
    <meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 01/31/2014 08:40 AM, Remo Mattei
      wrote:<br>
    </div>
    <blockquote
      cite="mid:B0C43CFD-3624-4432-8AFD-FB949D08FDBE@italy1.com"
      type="cite">
      <div>Hi Rafael</div>
      <div>Do you have the info on how that has been implemented?<br>
      </div>
    </blockquote>
    It falls back to a Keystone server lookup to validate the tokens.  I
    would not recommend doing that.<br>
    <br>
    <blockquote
      cite="mid:B0C43CFD-3624-4432-8AFD-FB949D08FDBE@italy1.com"
      type="cite">
      <div><br>
      </div>
      <div>Thanks</div>
      <div>Remo<br>
        <br>
        <div style="orphans: auto; widows: auto;">Sent from iPhone</div>
      </div>
      <div><br>
        On Jan 31, 2014, at 8:27, "Ferreira, Rafael" &lt;<a
          moz-do-not-send="true" href="mailto:raf@io.com">raf@io.com</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <div>By the way, you can achieve the same benefits of uuid
            tokens (shorter tokens) with PKI by simply using a md5 hash
            of the PKI token for your X-Auth headers. This is poorly
            documented but it seems to work just fine. </div>
          <div><br>
          </div>
          <span id="OLK_SRC_BODY_SECTION">
            <div style="font-family:Calibri; font-size:11pt;
              text-align:left; color:black; BORDER-BOTTOM: medium none;
              BORDER-LEFT: medium none; PADDING-BOTTOM: 0in;
              PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df
              1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
              <span style="font-weight:bold">From: </span>Adam Young
              &lt;<a moz-do-not-send="true"
                href="mailto:ayoung@redhat.com">ayoung@redhat.com</a>&gt;<br>
              <span style="font-weight:bold">Date: </span>Tuesday,
              January 28, 2014 at 1:41 PM<br>
              <span style="font-weight:bold">To: </span>"<a
                moz-do-not-send="true"
                href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>"
              &lt;<a moz-do-not-send="true"
                href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>&gt;<br>
              <span style="font-weight:bold">Subject: </span>Re:
              [Openstack] [Barbican] Keystone PKI token too much long<br>
            </div>
            <div><br>
            </div>
            <div>
              <div bgcolor="#FFFFFF" text="#000000">
                <div class="moz-cite-prefix">On 01/22/2014 12:21 PM,
                  John Wood wrote:<br>
                </div>
                <blockquote
cite="mid:49F5BF8205841548AB38409969C7AB3F915D7755@ORD1EXD02.RACKSPACE.CORP"
                  type="cite">
                  <div style="direction: ltr;font-family: Tahoma;color:
                    #000000;font-size: 10pt;">
                    (Adding another member of our team Douglas)
                    <div><br>
                    </div>
                    <div>Hello Giuseppe,</div>
                    <div><br>
                    </div>
                    <div>For questions about news or patches for
                      Keystone's PKI vs UUID modes, you might reach out
                      to the
                      <a moz-do-not-send="true"
                        class="moz-txt-link-abbreviated"
                        href="mailto:openstack-dev@lists.openstack.org">
                        openstack-dev@lists.openstack.org</a> mailing
                      list, with the subject line prefixed with
                      [openstack-dev] [keystone] </div>
                    <div><br>
                    </div>
                    <div>Our observation has been that the PKI mode can
                      generate large text blocks for tokens (esp. for
                      large service catalogs) that cause http header
                      errors. </div>
                    <div><br>
                    </div>
                    <div>Regarding the specific barbican scripts you are
                      running, we haven't run those in a while, so I'll
                      investigate as we might need to update them.
                      Please email back your
                      /etc/barbican/barbican-api-paste.ini paste config
                      file when you have a chance as well.  </div>
                    <div><br>
                    </div>
                    <div>Thanks,</div>
                    <div>John</div>
                    <div><br>
                    </div>
                    <div><br>
                      <div style="font-family: Times New Roman; color:
                        #000000; font-size: 16px">
                        <hr tabindex="-1">
                        <div id="divRpF494683" style="direction: ltr;"><font
                            face="Tahoma" color="#000000" size="2"><b>From:</b>
                            Giuseppe Galeota [<a moz-do-not-send="true"
                              class="moz-txt-link-abbreviated"
                              href="mailto:giuseppegaleota@gmail.com">giuseppegaleota@gmail.com</a>]<br>
                            <b>Sent:</b> Wednesday, January 22, 2014
                            7:36 AM<br>
                            <b>To:</b> <a moz-do-not-send="true"
                              class="moz-txt-link-abbreviated"
                              href="mailto:openstack@lists.openstack.org">
                              openstack@lists.openstack.org</a><br>
                            <b>Cc:</b> John Wood<br>
                            <b>Subject:</b> [Openstack] [Barbican]
                            Keystone PKI token too much long<br>
                          </font><br>
                        </div>
                        <div>
                          <div dir="ltr">Dear all,
                            <div>I have configured Keystone for Barbican
                              using this <a moz-do-not-send="true"
href="https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone"
                                target="_blank">
                                guide</a>.</div>
                            <div><br>
                            </div>
                            <div>Is there any news or patch about the
                              need to use a shorter token? I would not
                              use a modified token.</div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                It's a known problem.  You can request a token without
                the service catalog using an extension.<br>
                <br>
                One possible future enhancement is to compress the key.<br>
                <br>
                <br>
                <blockquote
cite="mid:49F5BF8205841548AB38409969C7AB3F915D7755@ORD1EXD02.RACKSPACE.CORP"
                  type="cite">
                  <div style="direction: ltr;font-family: Tahoma;color:
                    #000000;font-size: 10pt;">
                    <div>
                      <div style="font-family: Times New Roman; color:
                        #000000; font-size: 16px">
                        <div>
                          <div dir="ltr">
                            <div><br>
                            </div>
                            <div>Following you can find an extract of
                              the linked guide:</div>
                            <div>
                              <ul>
                                <li><span style="color: rgb(51, 51, 51);
                                    font-family: Helvetica, arial,
                                    freesans, clean, sans-serif;
                                    font-size: 15.333333015441895px;
                                    line-height: 17px;">(Optional)
                                    Typical keystone setup creates PKI
                                    tokens that are long, do not fit
                                    easily into curl requests without
                                    splitting into components. For
                                    testing purposes suggest updating
                                    the keystone database with a shorter
                                    token-id. (An alternative is to set
                                    up keystone to generate uuid
                                    tokens.) From the above output grab
                                    the token expiry value, referred to
                                    as "x-y-z"</span><br>
                                </li>
                              </ul>
                              <div class="" style="color:rgb(51,51,51);
                                font-family:Helvetica,arial,freesans,clean,sans-serif;

                                font-size:15.333333015441895px;
                                line-height:17px">
                                <pre style="font-family:Consolas,'Liberation Mono',Courier,monospace; font-size:13px; margin-top:15px; margin-bottom:15px; background-color:rgb(248,248,248); border:1px solid rgb(221,221,221); line-height:19px; overflow:auto; padding:6px 10px; word-wrap:normal">mysql -u root
use keystone;
update token set id="foo" where expires="x-y-z";</pre>
                              </div>
                            </div>
                            <div><br>
                            </div>
                            <div>Thank you,</div>
                            <div>Giuseppe</div>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                  <br>
                  <br>
                  <pre wrap="">_______________________________________________
Mailing list: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to     : <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a></pre>
                </blockquote>
                <br>
              </div>
            </div>
          </span>
        </div>
      </blockquote>
    </blockquote>
    <br>
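    <div>The trade-off discussed in this thread, as an added example
      that is not part of the original messages or of Keystone's code:
      a full PKI token can be checked by the receiving service on its
      own, while its md5 hash is only a reference that has to be looked
      up on the Keystone server. Assumptions: the HMAC tag stands in
      for the real CMS signature, and HEADER_LIMIT, SIGNING_KEY, the
      toy Keystone class and all function names are hypothetical.</div>

```python
import base64
import hashlib
import hmac
import json

PKI_PREFIX = "MII"       # leading characters of a base64 ASN.1 (CMS) token
HEADER_LIMIT = 8192      # assumption: a typical per-header size cap
SIGNING_KEY = b"demo"    # constructed; HMAC stands in for the CMS signature

def issue_pki_like(endpoints):
    """Constructed stand-in for a PKI token: catalog payload plus a tag."""
    catalog = [{"name": f"svc{i}", "url": f"http://192.0.2.{i % 250}:9311/v1"}
               for i in range(endpoints)]
    body = base64.urlsafe_b64encode(json.dumps(catalog).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{PKI_PREFIX}{body}.{tag}"

def short_id(token):
    """md5 hex digest of the full token, the short form sent in the header."""
    return hashlib.md5(token.encode()).hexdigest()

class Keystone:
    """Toy server: remembers issued tokens by hashed id, counts lookups."""
    def __init__(self):
        self.tokens, self.lookups = {}, 0
    def issue(self, endpoints):
        token = issue_pki_like(endpoints)
        self.tokens[short_id(token)] = token
        return token
    def validate(self, token_id):
        self.lookups += 1
        return token_id in self.tokens

def validate_header(value, keystone):
    """Return (path, accepted) for an X-Auth-Token value at a service."""
    if value.startswith(PKI_PREFIX):
        body, _, tag = value[len(PKI_PREFIX):].rpartition(".")
        good = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return "offline", hmac.compare_digest(tag, good)
    # A 32-character hash carries nothing to verify locally: ask the server.
    return "online", keystone.validate(value)

def demo():
    ks = Keystone()
    token = ks.issue(endpoints=200)
    full = validate_header(token, ks)
    hashed = validate_header(short_id(token), ks)
    return len(token), len(short_id(token)), full, hashed, ks.lookups
```

    <div>Every request that carries the hashed form adds one server
      lookup, so the shorter header is paid for with a Keystone round
      trip per validation.</div>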
  </body>
</html>