[openstack-dev] [keystone] Flush expired tokens automatically ?
comnea.dani at gmail.com
Tue Jan 27 19:19:12 UTC 2015
Thanks Adam, Thierry!
On Tue, Jan 27, 2015 at 1:43 PM, Adam Young <ayoung at redhat.com> wrote:
> Short term answers:
> The amount of infrastructure we would have to build to replicate CRON is
> not worth it.
> Figuring out a CRON strategy for a nontrivial deployment is part of a larger
> data management scheme.
> Long term answers:
> Tokens should not be persisted. We have been working toward ephemeral
> tokens for a long time, but the vision of how to get there is not uniformly
> shared among the team. We spent a lot of time arguing about AE tokens,
> which looked promising, but do not support federation.
> Where we are headed is a split of the data in the token into an ephemeral
> portion and a persisted portion. The persisted portion would be reused,
> and would represent the delegation of authority. The ephemeral portion will
> represent the time aspects of the token: when issued, when expired, etc.
> The ephemeral portion would refer to the persisted portion.
> The revocation events code is necessary for PKI tokens, and might be
> required depending on how we do the ephemeral/persisted split. With AE
> tokens it would have been necessary, but with a unified delegation
> mechanism, it would be less so.
> If anyone feels the need for ephemeral tokens strongly enough to
> contribute, please let me know. We've put a lot of design into where we
> are today, and I would encourage you to learn the issues before jumping into
> the solutions. I'm more than willing to guide any new development along
> these lines.
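A cron strategy of the kind the short-term answer above points at, as an added example that is not part of this thread and not Keystone's own tooling: a wrapper for keystone-manage token_flush that refuses to overlap itself, logs each run, propagates the flush's exit status to cron, and in a multi-node deployment runs only on one designated host. The subcommand name is the real keystone-manage one; the paths, the mkdir-based lock (used instead of flock(1) for portability), the FLUSH_NODE variable and the exit codes are my assumptions.

```shell
#!/bin/sh
# Added example, not code from this thread or from Keystone: a cron wrapper
# around "keystone-manage token_flush" for deployments that still persist
# tokens in the SQL backend.
#
# Assumptions (mine, not the thread's):
#   - keystone-manage is on PATH and cron runs this as the keystone user;
#   - the lock is a directory created with mkdir(1), which is atomic on POSIX
#     filesystems; flock(1) is the usual choice where util-linux is present,
#     but mkdir keeps the script portable;
#   - logs go under /var/log/keystone.
# Command, paths and the designated flush node can all be overridden from the
# environment, which is also how the wrapper is exercised without Keystone.

FLUSH_CMD="${FLUSH_CMD:-keystone-manage token_flush}"
LOCK_DIR="${LOCK_DIR:-/var/lock/keystone-token-flush}"
LOG_FILE="${LOG_FILE:-/var/log/keystone/token-flush.log}"
# In a multi-node Keystone deployment only one node should prune the shared
# token table; leave empty to run on every node the cron entry is installed on.
FLUSH_NODE="${FLUSH_NODE:-}"

RC_LOCKED=3   # returned when a previous flush still holds the lock

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"
}

# Crontab entry that schedules this wrapper hourly (the interval is a starting
# point; size it so the table is pruned faster than tokens are issued).
crontab_line() {
    printf '@hourly %s run\n' "$1"
}

# Run one flush. Returns 0 when this host is not the designated flush node,
# RC_LOCKED when another flush is in progress, otherwise the flush command's
# own exit status. The lock is released on the normal path and on HUP/INT/TERM;
# after a hard crash a stale lock directory must be removed by hand, which is
# the price of not depending on flock(1).
run_token_flush() {
    if [ -n "$FLUSH_NODE" ] && [ "$(uname -n)" != "$FLUSH_NODE" ]; then
        log "token_flush skipped: $(uname -n) is not flush node $FLUSH_NODE"
        return 0
    fi
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        log "token_flush skipped: lock held at $LOCK_DIR"
        return "$RC_LOCKED"
    fi
    trap 'rmdir "$LOCK_DIR" 2>/dev/null; exit 1' HUP INT TERM
    log "token_flush start"
    rc=0
    sh -c "$FLUSH_CMD" >>"$LOG_FILE" 2>&1 || rc=$?
    log "token_flush end rc=$rc"
    rmdir "$LOCK_DIR"
    trap - HUP INT TERM
    return "$rc"
}

# "run" is what the cron entry invokes; "cron" prints the entry to install.
case "${1:-}" in
    run)  run_token_flush ;;
    cron) crontab_line "$0" ;;
esac
```

Install it by appending the line printed by "wrapper cron" to the keystone user's crontab on the node named in FLUSH_NODE. One operational caveat worth checking before scheduling: on a table that has never been pruned the first flush can take a long time and hold locks, so run the wrapper once by hand (and watch the log) before leaving it to cron.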