[openstack-dev] [keystone][swift] Has anybody considered storing tokens in Swift?
Joshua Harlow
harlowja at outlook.com
Tue Sep 30 04:50:01 UTC 2014
+1 Let's not continue to expand the usage of persisted tokens :-/
We should be trying to move away from such types of persistence and its associated complexity IMHO. Most major websites don't need to have tokens that are saved around regions in their internal backend databases, just so people can use a REST webservice (or a website...) so I would hope that we don't need to (if it works for major websites why doesn't it work for us?).
My 2 cents is that we should really think about why this is needed and why we can't operate using signed-cookie like mechanisms (after all it works for everyone else). If cross-region tokens are a problem, then maybe we should solve the root of the issue (having a token that works across regions) so that no replication is needed at all...
On Sep 29, 2014, at 8:22 PM, Adam Young <ayoung at redhat.com> wrote:
> On 09/29/2014 12:12 PM, Jay Pipes wrote:
>> Hey Stackers,
>>
>> So, I had a thought this morning (uh-oh, I know...).
>>
>> What if we wrote a token driver in Keystone that uses Swift for backend storage?
>>
>> I have long been an advocate of the memcache token driver versus the SQL driver for performance reasons. However, the problem with the memcache token driver is that if you want to run multiple OpenStack regions, you could share the identity data in Keystone using replicated database technology (mysql galera/PXC, pgpool II, or even standard mysql master/slave), but each region needs to have its own memcache service for tokens. This means that tokens are not shared across regions, which means that users have to log in separately to each region's dashboard.
>>
>> I personally considered this a tradeoff worth accepting. But then, today, I thought... what about storing tokens in a globally-distributed Swift cluster? That would take care of the replication needs automatically, since Swift would do the needful. And, add to that, Swift was designed for storing lots of small objects, which tokens are...
>>
>> Thoughts? I think it would be a cool dogfooding effort if nothing else, and give users yet another choice in how they handle multi-region tokens.
>
> Um...I hate all persisted tokens. This takes them to a new level of badness.
>
> Do we really need this?
>
>
>
>>
>> Best,
>> -jay
>>
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
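
The signed-cookie-like mechanism raised in this message, sketched as an added example (not code from the thread or from Keystone): a token that carries its own claims and an HMAC, so any region holding the key can validate it without a replicated token store. The function names, claim fields and shared key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: every region's validator holds the same secret, distributed
# out of band. This is a constructed demo key, not a real one.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, roles, ttl_seconds, key=SHARED_KEY, now=None):
    """Return '<payload>.<mac>'; nothing is written to any token store."""
    issued = int(time.time() if now is None else now)
    claims = {"user": user, "roles": roles, "exp": issued + ttl_seconds}
    payload = b64e(json.dumps(claims, sort_keys=True).encode("utf-8"))
    mac = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    return payload + "." + b64e(mac)


def validate_token(token, key=SHARED_KEY, now=None):
    """Return the claims if the MAC and expiry check out, else None."""
    try:
        payload, mac_text = token.split(".")
        supplied = b64d(mac_text)
    except ValueError:
        return None  # wrong number of parts or undecodable MAC
    expected = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()
    # Check the MAC in constant time before parsing the payload at all.
    if not hmac.compare_digest(supplied, expected):
        return None
    claims = json.loads(b64d(payload))
    current = time.time() if now is None else now
    # Expiry is the only revocation here: a stateless token stays valid
    # until "exp", so lifetimes need to be short.
    return claims if current < claims["exp"] else None
```
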