[openstack-dev] [Openstack] [Barbican] Keystone PKI token too much long
Giuseppe Galeota
giuseppegaleota at gmail.com
Tue Jul 22 09:04:19 UTC 2014
Dear all,
have you some good news about the problem related to
the "
Keystone PKI token too much long" for Barbican?
Thank you,
Giuseppe
2014-01-31 14:27 GMT+01:00 Ferreira, Rafael <raf at io.com>:
> By the way, you can achieve the same benefits of uuid tokens (shorter
> tokens) with PKI by simply using a md5 hash of the PKI token for your
> X-Auth headers. This is poorly documented but it seems to work just fine.
>
> From: Adam Young <ayoung at redhat.com>
> Date: Tuesday, January 28, 2014 at 1:41 PM
> To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
> Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long
>
> On 01/22/2014 12:21 PM, John Wood wrote:
>
> (Adding another member of our team Douglas)
>
> Hello Giuseppe,
>
> For questions about news or patches for Keystone's PKI vs UUID modes,
> you might reach out to the openstack-dev at lists.openstack.org mailing
> list, with the subject line prefixed with [openstack-dev] [keystone]
>
> Our observation has been that the PKI mode can generate large text
> blocks for tokens (esp. for large service catalogs) that cause http header
> errors.
>
> Regarding the specific barbican scripts you are running, we haven't run
> those in a while, so I'll investigate as we might need to update them.
> Please email back your /etc/barbican/barbican-api-paste.ini paste config
> file when you have a chance as well.
>
> Thanks,
> John
>
>
> ------------------------------
> *From:* Giuseppe Galeota [giuseppegaleota at gmail.com]
> *Sent:* Wednesday, January 22, 2014 7:36 AM
> *To:* openstack at lists.openstack.org
> *Cc:* John Wood
> *Subject:* [Openstack] [Barbican]
>
> Keystone PKI token too much long
>
> Dear all,
> I have configured Keystone for Barbican using this guide
> <https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
>
> Is there any news or patch about the need to use a shorter token? I
> would not use a modified token.
>
> Its a known problem. You can request a token without the service catalog
> using an extension.
>
> One possible future enhancement is to compress the key.
>
>
>
> Following you can find an extract of the linked guide:
>
> - (Optional) Typical keystone setup creates PKI tokens that are long,
> do not fit easily into curl requests without splitting into components. For
> testing purposes suggest updating the keystone database with a shorter
> token-id. (An alternative is to set up keystone to generate uuid tokens.)
> From the above output grad the token expiry value, referred to as "x-y-z"
>
> mysql -u rootuse keystone;update token set id="foo" where expires="x-y-z" ;
>
>
> Thank you,
> Giuseppe
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
> The communication contained in this e-mail is confidential and is
> intended only for the named recipient(s) and may contain information that
> is privileged, proprietary, attorney work product or exempt from disclosure
> under applicable law. If you have received this message in error, or are
> not the named recipient(s), please note that any form of distribution,
> copying or use of this communication or the information in it is strictly
> prohibited and may be unlawful. Please immediately notify the sender of the
> error, and delete this communication including any attached files from your
> system. Thank you for your cooperation.
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20140722/204edcc4/attachment.html>
More information about the OpenStack-dev
mailing list