[openstack-dev] [Keystone][Token expiration]

lương hữu tuấn tuantuluong at gmail.com
Mon Apr 10 15:05:08 UTC 2017


Thanks Dolph,

I now have a pretty clear picture about it.

Br,

Tuan/Nokia

On Mon, Apr 10, 2017 at 2:58 PM, Dolph Mathews <dolph.mathews at gmail.com>
wrote:

> The token itself is still expired, regardless of where it's persisted, if
> at all. Expired tokens are only considered valid when presented as an
> X-Auth-Token to keystonemiddleware.auth_token along with a valid
> X-Service-Token, or when validating an X-Subject-Token against keystone
> directly using either:
>
>   HEAD /v3/auth/token?allow_expired
>   GET /v3/auth/token?allow_expired
>
> No configuration is required in keystone.conf to enable the feature.
>
> More documentation is available in the release notes [1][2] and in the
> sample configuration file [3] (see [token] allow_expired_window).
>
> [1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
> [2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
> [3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html
>
> On Mon, Apr 3, 2017 at 7:58 AM lương hữu tuấn <tuantuluong at gmail.com>
> wrote:
>
>> Hi Dolph,
>>
>> Thanks for the reply. It means that, from the DB point of view, the token is
>> expired but it is still passed to other service users in requests (the token
>> is stored in memory?) and keystone allows this expired token? And to make this
>> feature work, we should apply the "X-Service-Token" header and change
>> "allow_expired" in keystone.conf.
>>
>> Br,
>>
>> Tuan/Nokia
>>
>> On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <dolph.mathews at gmail.com>
>> wrote:
>>
>> > does it mean that the token now will live forever
>>
>> No; it behaves as described in the document you linked. If you have any
>> specific security concerns, please raise them appropriately (such as a
>> security bug, if necessary).
>>
>> On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <tuantuluong at gmail.com>
>> wrote:
>>
>> Hi keystone folks,
>>
>> I have had a chance to take a look at the patch below for allowing
>> expired tokens, which was merged in Ocata:
>>
>> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html
>>
>> In our project, we also have a problem with token expiration when running
>> Mistral workflows. I have a concern: if this patch works as it does, does it
>> mean that the token will now live forever ("forever" seems sloppy, but it
>> seems like the token no longer expires)? In this case, it seems not good for
>> security purposes.
>>
>> Br,
>>
>> Tuan/Nokia
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>> --
>> -Dolph
>>
>>
> --
> -Dolph
>
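The acceptance rules Dolph describes in the thread above, as an added example that is not part of the original thread and is not keystone's or keystonemiddleware's own code: a small Python model of the decision an auth_token-style middleware makes when a user token has expired. It shows that an expired X-Auth-Token is accepted only when a still-valid X-Service-Token accompanies it, and that even then keystone's `allow_expired` validation is bounded by an allow_expired_window measured from the token's expiry, so the token does not "live forever". The function names, the token record shape, the sample tokens and the two-day window used as the default are assumptions made for this example; the real default and the option itself are documented in the sample keystone.conf under [token] allow_expired_window.

```python
"""Model of the allow_expired token-validation decision.

Added example, not keystone's or keystonemiddleware's code.  Everything here
(names, token shape, the 2-day window, the sample tokens) is assumed for the
sake of illustration; check [token] allow_expired_window in keystone.conf for
the real setting.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed default window; the deployment's real value comes from keystone.conf.
ALLOW_EXPIRED_WINDOW = timedelta(days=2)


@dataclass(frozen=True)
class Token:
    token_id: str
    expires_at: datetime  # timezone-aware UTC


class TokenRejected(Exception):
    """Raised when keystone would refuse to validate the token."""


def validate(token, now, allow_expired=False, window=ALLOW_EXPIRED_WINDOW):
    """Keystone-side check, modelled on GET/HEAD ...?allow_expired.

    Returns "valid" for a live token, "expired-within-window" when the caller
    asked for allow_expired and the token expired no longer than `window` ago,
    and raises TokenRejected in every other case.
    """
    if now < token.expires_at:
        return "valid"
    if not allow_expired:
        raise TokenRejected("token expired")
    # allow_expired is bounded: the window is measured from expires_at, so an
    # expired token is never accepted indefinitely.
    if now - token.expires_at <= window:
        return "expired-within-window"
    raise TokenRejected("token expired beyond allow_expired_window")


def auth_token_middleware(x_auth_token, now, x_service_token=None,
                          window=ALLOW_EXPIRED_WINDOW):
    """Middleware-side decision (modelled on keystonemiddleware.auth_token).

    The user token is only validated with allow_expired when a valid
    X-Service-Token is presented alongside it; an expired or absent service
    token means the user token is checked strictly.
    """
    service_ok = (x_service_token is not None
                  and now < x_service_token.expires_at)
    return validate(x_auth_token, now, allow_expired=service_ok, window=window)


def outcome(fn, *args, **kwargs):
    """Run a check and fold the rejection into a string for easy comparison."""
    try:
        return fn(*args, **kwargs)
    except TokenRejected as exc:
        return f"rejected: {exc}"


def run_cases():
    """Constructed sample tokens exercising each branch of the decision."""
    now = datetime(2017, 4, 10, 12, 0, tzinfo=timezone.utc)
    live = Token("user-live", now + timedelta(hours=1))
    expired_1h = Token("user-expired-1h", now - timedelta(hours=1))
    expired_3d = Token("user-expired-3d", now - timedelta(days=3))
    service = Token("nova-service", now + timedelta(hours=12))
    stale_service = Token("nova-service-stale", now - timedelta(minutes=5))
    return {
        "live, no service token":
            outcome(auth_token_middleware, live, now),
        "expired 1h, no service token":
            outcome(auth_token_middleware, expired_1h, now),
        "expired 1h, valid service token":
            outcome(auth_token_middleware, expired_1h, now, service),
        "expired 1h, expired service token":
            outcome(auth_token_middleware, expired_1h, now, stale_service),
        "expired 3d, valid service token":
            outcome(auth_token_middleware, expired_3d, now, service),
        "direct ?allow_expired, expired 1h":
            outcome(validate, expired_1h, now, allow_expired=True),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case:40s} -> {result}")
```

The two cases worth noticing are the last ones in `run_cases`: a service token does not rescue a user token that expired three days ago (outside the window), while a direct validation call that passes `allow_expired` gets the same bounded behaviour as the middleware path, which is why no extra keystone.conf switch is needed beyond the window itself.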