[openstack-dev] [keystone]PKI token VS Fernet token

joehuang joehuang at huawei.com
Mon Feb 27 02:01:06 UTC 2017


Thank you all very much, the less data to be replicated, the better. 

Best Regards
Chaoyi Huang (joehuang)

________________________________________
From: Clint Byrum [clint at fewbar.com]
Sent: 26 February 2017 12:06
To: openstack-dev
Subject: Re: [openstack-dev] [keystone]PKI token VS Fernet token

Excerpts from Lance Bragstad's message of 2017-02-25 13:07:58 -0600:
> Since both token formats rebuild the authorization context at validation
> time, we can remove some revocation events that are no longer needed. This
> means we won't be storing as many revocation events on role removal from
> domains and projects. Instead we will only rely on the revocation API to
> invalidate tokens for cases like specific token revocation or password
> changes (the new design of validation does role assignment enforcement for
> us automatically). This should reduce the amount of data being replicated
> due to massive amounts of revocation events.
>

I didn't know that the work to make role removal non-event based was
even started much less done. Cool.

> We do still have some more work to do on this front, but I can dig into it
> and see what's left.
>

Indeed, the fewer revocation events, the better the Fernet story is
for scalability.
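The design Lance describes above (token carries identity only, role assignments are rebuilt at validation time, and the revocation store is consulted only for explicit revocations and password changes) as an added Python sketch. This is not Keystone code: it uses a constructed HMAC-signed payload as a stand-in for a Fernet token, and the user, project, role names and key are made up.

```python
import base64
import hashlib
import hmac
import json

# Placeholder signing key for the demo; a real deployment rotates real Fernet keys.
SECRET = b"constructed-demo-key"


def issue_token(user_id, project_id, issued_at, key=SECRET):
    """Sign a payload that holds identity and issue time, but no roles."""
    payload = json.dumps({"u": user_id, "p": project_id, "iat": issued_at},
                         sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()


def parse_token(token, key=SECRET):
    """Return the payload if the signature verifies, else None."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, sig = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


class Backend:
    """Constructed identity store read at validation time (not replicated events)."""
    def __init__(self):
        self.assignments = {}         # (user_id, project_id) -> set of role names
        self.revoked_tokens = set()   # explicit revocations via the revocation API
        self.password_changed_at = {} # user_id -> timestamp of last password change


def validate(token, backend, now, ttl=3600):
    """Rebuild the authorization context; role removal needs no revocation event."""
    data = parse_token(token)
    if data is None or now > data["iat"] + ttl:
        return None                                   # forged or expired
    if token in backend.revoked_tokens:
        return None                                   # explicitly revoked token
    if backend.password_changed_at.get(data["u"], 0) > data["iat"]:
        return None                                   # issued before a password change
    roles = backend.assignments.get((data["u"], data["p"]), set())
    if not roles:
        return None                                   # assignment gone: rejected on the spot
    return {"user": data["u"], "project": data["p"], "roles": sorted(roles)}
```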

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
