[openstack-dev] [keystone] Two BPs for managing the tokens
Adam Young
ayoung at redhat.com
Fri Aug 23 17:51:01 UTC 2013
On 08/23/2013 12:43 PM, Joe Gordon wrote:
>
>
> On Aug 23, 2013 12:24 PM, "Dolph Mathews" <dolph.mathews at gmail.com
> <mailto:dolph.mathews at gmail.com>> wrote:
> >
> >
> > On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW Cloud - R&D
> - Corvallis) <mark.m.miller at hp.com <mailto:mark.m.miller at hp.com>> wrote:
> >>
> >> Hello,
> >>
> >>
> >>
> >> I would think you would want to reuse the same token but update the
> expiration time as if it were the first time the token had been generated.
> >
> >
> > That wouldn't work for PKI tokens, as the resulting signature would
> have to change.
> >
> >>
> >>
> >>
> >> Mark
> >>
> >>
> >>
> >> From: Yongsheng Gong [mailto:gongysh at unitedstack.com
> <mailto:gongysh at unitedstack.com>]
> >> Sent: Friday, August 23, 2013 12:40 AM
> >> To: OpenStack Development Mailing List
> >> Subject: [openstack-dev] [keystone] Two BPs for managing the tokens
> >>
> >>
> >>
> >> Hi,
> >>
> >> Talked with Henry Nash and Jamie Lennox on IRC, I have created two
> BPs to manage the keystone tokens:
> >>
> >> 1.
> https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token
>
Not sure that this is worth writing or maintaining. The system services
for Cron are much more robust, and we don;t have to maintain them.
I do have this review for your consideration, though:
https://review.openstack.org/#/c/43510/
In conjunction with the caching layer, it might be the right approach:
flush the old tokens upon revocation list regeneration.
> >>
> >> which is used to delete expired token
> >>
> >> 2. https://blueprints.launchpad.net/keystone/+spec/reuse-token
> >>
> >> which will re-use valid token
> >>
> >>
> >>
> >> These two BPs will help us to reduce the token records in token
> table enormously.
> >>
> >>
> >>
> >> I have put some ideas on the BP description.
> >>
> >>
> >>
> >> Any comments are welcome.
> >>
>
> What about Adam Young's vision for keystone, which I like,
> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
> These two blueprints don't appear to be in line with it.
>
> Also, instead of making keystone reuse tokens why not make the token
> reuse in the clients better (keyring based). Last I checked it was
> disabled and broken in nova (there was a patch to fix it, but keep it
> disabled)
>
> >>
> >>
> >>
> >>
> >> Regards,
> >>
> >> Yong Sheng Gong
> >>
> >>
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >
> >
> > --
> >
> > -Dolph
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> <mailto:OpenStack-dev at lists.openstack.org>
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130823/00db580c/attachment.html>
More information about the OpenStack-dev
mailing list