Open Stack

On 06/18/2013 09:13 PM, Kant, Arun wrote:
>
> The issue with having un-managed number of tokens for same credential 
> is that it can be easily exploited. Getting a token is one of initial 
> step (gateway) to get access to services. A rogue client can keep 
> creating unlimited number of tokens and possibly create denial of 
> service attack on services. If there are somewhat limited number of 
> tokens, then cloud provider can possibly use tokenId based 
> rate-limiting approach.
>
Better here to rate limit, then.


> Extending the expiry to some fixed interval might be okay as that can 
> be considered as continuing user session similar to what is seen when 
> a user keeps browsing an application while logged in.
>
Tokens are resources created by Keystone.  No reason to ask to create 
something new if it is not needed.

The caching needs to be done client side.  We have ongoing work using 
python-keyring to support that.

> -Arun
>
> *From: *Adam Young <ayoung at redhat.com <mailto:ayoung at redhat.com>>
> *Reply-To: *OpenStack Development Mailing List 
> <openstack-dev at lists.openstack.org 
> <mailto:openstack-dev at lists.openstack.org>>
> *Date: *Friday, June 14, 2013 3:33 PM
> *To: *"openstack-dev at lists.openstack.org 
> <mailto:openstack-dev at lists.openstack.org>" 
> <openstack-dev at lists.openstack.org 
> <mailto:openstack-dev at lists.openstack.org>>
> *Subject: *Re: [openstack-dev] [Keystone][Folsom] Token re-use
>
> On 06/13/2013 07:58 PM, Ravi Chunduru wrote:
>
>     Hi,
>
>     We are having Folsom setup and we find that our token table
>     increases a lot. I understand client can re-use the token but why
>     doesnt keystone reuse the token if client asks it with same
>     credentials..
>
>     I would like to know if there is any reason for not doing so.
>
>     Thanks in advance,
>
>     -- 
>     Ravi
>
>
>
>
>     _______________________________________________
>
>     OpenStack-dev mailing list
>
>     OpenStack-dev at lists.openstack.org  <mailto:OpenStack-dev at lists.openstack.org>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> You can cache the token on the client side and reuse. Tokens have a an 
> expiry, so if you request a new token, you extend the expiry.
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130618/5a17dd3a/attachment.html>