[openstack-dev] FW: [Keystone][Folsom] Token re-use

Ravi Chunduru ravivsn at gmail.com
Wed Jun 19 06:02:04 UTC 2013


I agree we need a way to overcome these rogue clients but by rate limiting
genuine requests will get effected. Then one would need retries and some
times critical operations gets failed. It beats the whole logic of being
available.


About the keyrings, How do we tackle if a service is using JSON API calls
and not python clients?

Thanks,
-Ravi.

On Tue, Jun 18, 2013 at 6:37 PM, Adam Young <ayoung at redhat.com> wrote:

>  On 06/18/2013 09:13 PM, Kant, Arun wrote:
>
>  The issue with having un-managed number of tokens for same credential is
> that it can be easily exploited. Getting a token is one of initial step
> (gateway) to get access to services. A rogue client can keep creating
> unlimited number of tokens and possibly create denial of service attack on
> services. If there are somewhat limited number of tokens, then cloud
> provider can possibly use tokenId based rate-limiting approach.
>
> Better here to rate limit, then.
>
>
>
>  ****
>
> ** **
>
> Extending the expiry to some fixed interval might be okay as that can be
> considered as continuing user session similar to what is seen when a user
> keeps browsing an application while logged in.
>
> Tokens are resources created by Keystone.  No reason to ask to create
> something new if it is not needed.
>
> The caching needs to be done client side.  We have ongoing work using
> python-keyring to support that.
>
>  ****
>
> ** **
>
> -Arun****
>
> ** **
>
> ** **
>
> *From: *Adam Young <ayoung at redhat.com>
> *Reply-To: *OpenStack Development Mailing List <
> openstack-dev at lists.openstack.org>
> *Date: *Friday, June 14, 2013 3:33 PM
> *To: *"openstack-dev at lists.openstack.org" <
> openstack-dev at lists.openstack.org>
> *Subject: *Re: [openstack-dev] [Keystone][Folsom] Token re-use****
>
> ** **
>
> On 06/13/2013 07:58 PM, Ravi Chunduru wrote:****
>
> Hi, ****
>
>   We are having Folsom setup and we find that our token table increases a
> lot. I understand client can re-use the token but why doesnt keystone reuse
> the token if client asks it with same credentials.. ****
>
> I would like to know if there is any reason for not doing so.****
>
> ** **
>
> Thanks in advance,****
>
> --
> Ravi****
>
>
>
>
> ****
>
> _______________________________________________****
>
> OpenStack-dev mailing list****
>
> OpenStack-dev at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev****
>
>  You can cache the token on the client side and reuse. Tokens have a an
> expiry, so if you request a new token, you extend the expiry.  ****
>
>
> _______________________________________________
> OpenStack-dev mailing listOpenStack-dev at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
Ravi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130618/3ad12c0c/attachment.html>


More information about the OpenStack-dev mailing list