[openstack-dev] [keystone] Two BPs for managing the tokens

Dolph Mathews dolph.mathews at gmail.com
Sat Aug 24 01:42:45 UTC 2013


On Fri, Aug 23, 2013 at 7:48 PM, Yongsheng Gong <gongysh at unitedstack.com>wrote:

> Hi adam,
> Can u explain more about 'In conjunction with the caching layer, it might
> be the right approach:  flush the old tokens upon revocation list
> regeneration.'?
>
> when is the list_revoked_tokens called?
>
>
In a PKI-token based deployment, auth_token periodically fetches a list of
revoked tokens so that it knows which tokens to deny, even though they are
otherwise valid.


> thanks
>
>
> On Sat, Aug 24, 2013 at 1:51 AM, Adam Young <ayoung at redhat.com> wrote:
>
>> On 08/23/2013 12:43 PM, Joe Gordon wrote:
>>
>>
>> On Aug 23, 2013 12:24 PM, "Dolph Mathews" <dolph.mathews at gmail.com>
>> wrote:
>> >
>> >
>> > On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW Cloud - R&D -
>> Corvallis) <mark.m.miller at hp.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >>
>> >>
>> >> I would think you would want to reuse the same token but update the
>> expiration time as if it were the first time the token had been generated.
>> >
>> >
>> > That wouldn't work for PKI tokens, as the resulting signature would
>> have to change.
>> >
>> >>
>> >>
>> >>
>> >> Mark
>> >>
>> >>
>> >>
>> >> From: Yongsheng Gong [mailto:gongysh at unitedstack.com]
>> >> Sent: Friday, August 23, 2013 12:40 AM
>> >> To: OpenStack Development Mailing List
>> >> Subject: [openstack-dev] [keystone] Two BPs for managing the tokens
>> >>
>> >>
>> >>
>> >> Hi,
>> >>
>> >> Talked with Henry Nash and Jamie Lennox on IRC, I have created two BPs
>> to manage the keystone tokens:
>> >>
>> >> 1.
>> https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token
>>
>>
>> Not sure that this is worth writing or maintaining.  The system services
>> for Cron are much more robust, and we don't have to maintain them.
>>
>> I do have this review for your consideration, though:
>>
>> https://review.openstack.org/#/c/43510/
>>
>> In conjunction with the caching layer, it might be the right approach:
>> flush the old tokens upon revocation list regeneration.
>>
>>
>>
>> >>
>> >> which is used to delete expired token
>> >>
>> >> 2.  https://blueprints.launchpad.net/keystone/+spec/reuse-token
>> >>
>> >> which will re-use valid token
>> >>
>> >>
>> >>
>> >> These two BPs will help us to reduce the token records in token table
>> enormously.
>> >>
>> >>
>> >>
>> >> I have put some ideas on the BP description.
>> >>
>> >>
>> >>
>> >> Any comments are welcome.
>> >>
>>
>> What about Adam Young's vision for keystone, which I like,
>> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
>> These two blueprints don't appear to be in line with it.
>>
>> Also, instead of making keystone reuse tokens why not make the token
>> reuse in the clients better (keyring based).  Last I checked it was
>> disabled and broken in nova (there was a patch to fix it, but keep it
>> disabled)
>>
>> >>
>> >>
>> >>
>> >>
>> >> Regards,
>> >>
>> >> Yong Sheng Gong
>> >>
>> >>
>> >> _______________________________________________
>> >> OpenStack-dev mailing list
>> >> OpenStack-dev at lists.openstack.org
>> >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>> >>
>> >
>> >
>> >
>> > --
>> >
>> > -Dolph
>> >
>> >
>>
>>
>>
>>
>>
>>
>>
>
>
>


-- 

-Dolph
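To make concrete what the exchange above describes (auth_token periodically fetching keystone's revocation list so that it can deny tokens that are otherwise valid, and Adam's suggestion of flushing expired tokens when that list is regenerated), here is an added Python model. It is not code from keystone, auth_token or anyone in the thread. It assumes HMAC-SHA256 as a stand-in for the CMS/PKI signing real PKI tokens use, a SHA-256 hash of the signed blob as the token id, and constructed names (TokenStore, AuthTokenValidator, demo); the timestamps are constructed too.

```python
"""Constructed model of PKI-style token validation against a periodically
fetched revocation list. Not keystone or auth_token code."""
import hashlib
import hmac
import json

# Assumption: a shared HMAC key stands in for the signing cert of real PKI tokens.
SIGNING_KEY = b"constructed-demo-key"


def issue_token(user, now, ttl=3600):
    """Sign a claims blob; the token id is a hash of blob+signature (assumption)."""
    payload = json.dumps({"user": user, "exp": now + ttl}, sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    token_id = hashlib.sha256(payload + sig.encode()).hexdigest()
    return {"id": token_id, "payload": payload, "sig": sig}


class TokenStore:
    """Keystone-side token table plus the set of revoked-but-unexpired tokens."""

    def __init__(self):
        self.tokens = {}   # token_id -> expiry
        self.revoked = {}  # token_id -> expiry

    def issue(self, user, now, ttl=3600):
        tok = issue_token(user, now, ttl)
        self.tokens[tok["id"]] = now + ttl
        return tok

    def revoke(self, token_id):
        exp = self.tokens.get(token_id)
        if exp is not None:
            self.revoked[token_id] = exp

    def revocation_list(self, now):
        """Build the list auth_token fetches. Per Adam's suggestion, expired
        tokens are flushed here: an expired token needs no revocation entry,
        because every validator already rejects it on `exp` alone."""
        self.tokens = {t: e for t, e in self.tokens.items() if e > now}
        self.revoked = {t: e for t, e in self.revoked.items() if e > now}
        return {"revoked": [{"id": t, "expires": e} for t, e in self.revoked.items()]}


class AuthTokenValidator:
    """Service-side validator in the spirit of auth_token: checks signature and
    expiry locally, refreshing the revocation list at most every
    `refresh_interval` seconds."""

    def __init__(self, fetch_revocation_list, refresh_interval=10):
        self._fetch = fetch_revocation_list
        self._interval = refresh_interval
        self._revoked_ids = set()
        self._fetched_at = None

    def _revoked(self, now):
        if self._fetched_at is None or now - self._fetched_at >= self._interval:
            data = self._fetch(now)
            self._revoked_ids = {entry["id"] for entry in data["revoked"]}
            self._fetched_at = now
        return self._revoked_ids

    def validate(self, token, now):
        """Return (ok, reason_or_user). Order matters: signature, expiry, then
        revocation, so expired tokens never need to be on the list."""
        expected = hmac.new(SIGNING_KEY, token["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad signature"
        claims = json.loads(token["payload"])
        if claims["exp"] <= now:
            return False, "expired"
        if token["id"] in self._revoked(now):
            return False, "revoked"
        return True, claims["user"]


def demo():
    """Walk one token through issue, revoke, list refresh and expiry (constructed times)."""
    store = TokenStore()
    validator = AuthTokenValidator(store.revocation_list, refresh_interval=10)
    t0 = 1000
    tok = store.issue("alice", t0)
    results = {"fresh": validator.validate(tok, t0)[0]}
    store.revoke(tok["id"])
    # Within the refresh interval the cached list is stale: still accepted.
    results["revoked_but_stale_cache"] = validator.validate(tok, t0 + 5)[0]
    # Once the list is refetched the otherwise-valid token is denied.
    results["revoked_after_refresh"] = validator.validate(tok, t0 + 10)[0]
    # Regenerating the list after expiry flushes the token from both tables.
    store.revocation_list(t0 + 4000)
    results["pruned"] = not store.tokens and not store.revoked
    results["expired"] = validator.validate(tok, t0 + 4000)[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The stale-cache window in `demo` is the operational caveat behind Dolph's description: a revoked token stays accepted by every service until that service's next fetch, so the refresh interval is also the upper bound on revocation latency, and the flush in `revocation_list` is what keeps the list (and the token table) from growing with entries nobody can use any more.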