[openstack-dev] [keystone] Two BPs for managing the tokens
Yongsheng Gong
gongysh at unitedstack.com
Sat Aug 24 00:48:46 UTC 2013
Hi Adam,
Can you explain more about 'In conjunction with the caching layer, it might
be the right approach: flush the old tokens upon revocation list
regeneration.'?
When is the list_revoked_tokens called?
Thanks
On Sat, Aug 24, 2013 at 1:51 AM, Adam Young <ayoung at redhat.com> wrote:
> On 08/23/2013 12:43 PM, Joe Gordon wrote:
>
>
> On Aug 23, 2013 12:24 PM, "Dolph Mathews" <dolph.mathews at gmail.com> wrote:
> >
> >
> > On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW Cloud - R&D -
> Corvallis) <mark.m.miller at hp.com> wrote:
> >>
> >> Hello,
> >>
> >>
> >>
> >> I would think you would want to reuse the same token but update the
> expiration time as if it were the first time the token had been generated.
> >
> >
> > That wouldn't work for PKI tokens, as the resulting signature would have
> to change.
> >
> >>
> >>
> >>
> >> Mark
> >>
> >>
> >>
> >> From: Yongsheng Gong [mailto:gongysh at unitedstack.com]
> >> Sent: Friday, August 23, 2013 12:40 AM
> >> To: OpenStack Development Mailing List
> >> Subject: [openstack-dev] [keystone] Two BPs for managing the tokens
> >>
> >>
> >>
> >> Hi,
> >>
> >> Talked with Henry Nash and Jamie Lennox on IRC, I have created two BPs
> to manage the keystone tokens:
> >>
> >> 1.
> https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token
>
>
> Not sure that this is worth writing or maintaining. The system services
> for Cron are much more robust, and we don't have to maintain them.
>
> I do have this review for your consideration, though:
>
> https://review.openstack.org/#/c/43510/
>
> In conjunction with the caching layer, it might be the right approach:
> flush the old tokens upon revocation list regeneration.
>
>
>
> >>
> >> which is used to delete expired token
> >>
> >> 2. https://blueprints.launchpad.net/keystone/+spec/reuse-token
> >>
> >> which will re-use valid token
> >>
> >>
> >>
> >> These two BPs will help us to reduce the token records in token table
> enormously.
> >>
> >>
> >>
> >> I have put some ideas on the BP description.
> >>
> >>
> >>
> >> Any comments are welcome.
> >>
>
> What about Adam Young's vision for keystone, which I like,
> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
> These two blueprints don't appear to be in line with it.
>
> Also, instead of making keystone reuse tokens why not make the token reuse
> in the clients better (keyring based). Last I checked it was disabled and
> broken in nova (there was a patch to fix it, but keep it disabled)
>
> >>
> >>
> >>
> >>
> >> Regards,
> >>
> >> Yong Sheng Gong
> >>
> >>
> >> _______________________________________________
> >> OpenStack-dev mailing list
> >> OpenStack-dev at lists.openstack.org
> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >>
> >
> >
> >
> > --
> >
> > -Dolph
> >
> >
>
>
>
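An added illustration, not part of the thread and not Keystone's code, of the approach quoted above: expired rows are flushed in the same pass that regenerates the revocation list, so no separate periodic job is needed. The table layout, the helper names, the signature given to `list_revoked_tokens` and the sample tokens are all assumptions made for this sketch.

```python
import sqlite3
from datetime import datetime, timedelta, timezone


def make_store():
    # Hypothetical token table: id, expiry (epoch seconds), valid flag.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE token (id TEXT PRIMARY KEY, "
               "expires REAL NOT NULL, valid INTEGER NOT NULL)")
    return db


def issue(db, token_id, expires):
    db.execute("INSERT INTO token VALUES (?, ?, 1)",
               (token_id, expires.timestamp()))


def revoke(db, token_id):
    # Revocation only marks the row; it must stay until expiry so that
    # the token keeps appearing on the revocation list.
    db.execute("UPDATE token SET valid = 0 WHERE id = ?", (token_id,))


def list_revoked_tokens(db, now):
    """Regenerate the revocation list and flush expired rows in one transaction."""
    ts = now.timestamp()
    with db:
        # Expired tokens are rejected on expiry alone, so they are safe to
        # delete whether or not they were revoked.
        flushed = db.execute("DELETE FROM token WHERE expires <= ?",
                             (ts,)).rowcount
        rows = db.execute("SELECT id FROM token WHERE valid = 0 "
                          "ORDER BY id").fetchall()
    return [r[0] for r in rows], flushed


def demo():
    # Constructed sample data.
    now = datetime(2013, 8, 24, tzinfo=timezone.utc)
    db = make_store()
    issue(db, "t-live", now + timedelta(hours=1))
    issue(db, "t-revoked", now + timedelta(hours=1))
    issue(db, "t-expired", now - timedelta(minutes=5))
    issue(db, "t-expired-revoked", now - timedelta(minutes=1))
    revoke(db, "t-revoked")
    revoke(db, "t-expired-revoked")
    revoked, flushed = list_revoked_tokens(db, now)
    remaining = [r[0] for r in db.execute("SELECT id FROM token ORDER BY id")]
    return revoked, flushed, remaining


if __name__ == "__main__":
    print(demo())
```

In this sketch the flush frequency follows however often the revocation list is requested, which is the coupling the question at the top of this message asks about.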