[openstack-dev] [keystone] Flush expired tokens automatically ?

Daniel Comnea comnea.dani at gmail.com
Tue Jan 27 19:19:12 UTC 2015

Thanks Adam, Thierry!


On Tue, Jan 27, 2015 at 1:43 PM, Adam Young <ayoung at redhat.com> wrote:

> Short term answers:
> The amount of infrastructure we would have to build to replicate CRON is
> not worth it.
> Figuring out a CRON strategy for nontrivial deployment is part of a larger
> data management scheme.
> Long term answers:
> Tokens should not be persisted.  We have been working toward ephemeral
> tokens for a long time, but the vision of how to get there is not uniformly
> shared among the team.  We spent a lot of time arguing about AE tokens,
> which looked promising, but do not support federation.
> Where we are headed is a split of the data in the token into an ephemeral
> portion and a persisted portion.  The persisted portion would be reused,
> and would represent the delegation of authority. The epehmeral portion will
> represent the time aspects of the token: when issued, when expired, etc.
> The ephemeral portion would refer to the persisted portion.
> The revocation events code  is necessary for PKI tokens, and might be
> required depending on how we do the ephemeral/persisted split. With AE
> tokens it would have been necessary, but with a unified delegation
> mechanism, it would be less so.
> If anyone feels the need for ephemeral tokens strongly enough to
> contribute, please let me know.  We've put a lot of design into where we
> are today, and I would encourage you to learn the issues before jumping in
> to the solutions.  I'm more than willing to guide any new development along
> these lines.
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150127/4851f0d4/attachment.html>

More information about the OpenStack-dev mailing list