<div dir="ltr">It would be helpful to identify which SDK?<div><br></div><div>You're probably aware the auth service and the object storage service are different http endpoints - you get a token from auth, you provide the token to swift with the request - swift validates the token and authorizes the request. If the token provided to swift can not be validated - you should get a new one and retry the request to Swift. The specifics of what's required here depend on the SDK - it may be able to "re-auth" for you.</div><div><br></div><div>Tokens are not account/container based - but rather tied to the user making the request. With Keystone roles associate a user to a project and grant access to accounts in Swift. Container's can individually grant access via ACL's - but it's still a scoping to a user (or perhaps a role on a project). You could use tempurls tho [1].</div><div><br></div><div>I thought the default token lifetime was 24 hours, it's curious they only last 1hr for you. There was a issue pre-swift 2.0 which required keystone auth to be placed in the pipeline after the large object middleware which could cause token expiration to interrupt a long running download of a static or dynamic large object - but I don't see how that would effect writes. Generally the application (or the SDK) deals with a 401 error from Swift by simply asking the auth service for a fresh token - you could try avoid the re-auth by periodically identifying with the auth service and using the token it returns - but most of the time it doesn't obviate the need for the retry on 401 code so people tend to stick with EAFP. </div><div><br></div><div>-Clay</div><div><br></div><div>1. <a href="http://docs.openstack.org/developer/swift/middleware.html#tempurl">http://docs.openstack.org/developer/swift/middleware.html#tempurl</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Apr 22, 2015 at 11:13 AM, Forrest Townsend <span dir="ltr"><<a href="mailto:forrest.town18@gmail.com" target="_blank">forrest.town18@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hey all, <br><br>I am writing an application that writes and reads from Swift using an SDK to communicate to Openstack. Would like to hear some insight as to avoid the default 60 minute token expiration. What I was looking into was recreating the connection to Openstack but wasn't sure if this actually created a new token. The use case where I hit an expiration is when I have a connection open and doing many writes that exceed 60 minutes, at the 60 minute mark, I get a disconnection. <br><br>Are token's account/container based?<br><br>Rather than setting the token expiration in the keystone.conf to a custom value, I would like to know from an application point of view how to get around this.<br><br>Thanks,<br>Forrest T.</div>
<br>_______________________________________________<br>
Mailing list: <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a><br>
Unsubscribe : <a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
<br></blockquote></div><br></div>