[openstack-dev] 2 Minute tokens
Jay Pipes
jaypipes at gmail.com
Tue Sep 30 15:13:32 UTC 2014
On 09/30/2014 10:44 AM, Adam Young wrote:
> What is keeping us from dropping the (scoped) token duration to 5 minutes?
>
> If we could keep their lifetime as short as network skew lets us, we
> would be able to:
>
> Get rid of revocation checking.
> Get rid of persisted tokens.
>
> OK, so that assumes we can move back to PKI tokens, but we're working
> on that.
>
> What are the uses that require long lived tokens? Can they be replaced
> with a better mechanism for long term delegation (OAuth or Keystone
> trusts) as Heat has done?
I think you will find that most folks just don't know the intricacies of
non-UUID tokens in Keystone. I think we'd be open to any options that
are reliable, well-documented and don't produce 4K in each HTTP request.
Best,
-jay