Using os_token

Eric K. Miller emiller at genesishosting.com
Sat Aug 22 00:03:00 UTC 2020


> The problem though is that keystoneauth actually does fetch a new token
> every time even when you supply it with one, but that new token is based
> on the one you supply, and is a scoped token. It's likely the api for
> getting a token from an existing one is faster than password auth. I
> wish there was a way to  have the tools actually reuse a given scoped
> token rather than fetch a new one every time...

Interesting!  I was kinda wondering if that was actually what was happening.  It still seems like quite a bit of a delay compared to running the OpenStack Client and running commands on its command line repeatedly (as opposed to loading the OpenStack Client each time).  I assumed that there was still some work to load Python, etc., but using --debug does show a pull of the service catalog, which is slow.  It definitely would be nice to have a way to save/load the "session" that is created by the OpenStack Client to avoid all of the overhead, or, as you said, provide a scoped token.

I tested the performance again to be sure I wasn't going crazy, and with OS_TOKEN, it is definitely between 0.2 and 0.6 (most of the time at the higher end of this) seconds faster.  Any improvement is good.

> OS_TOKEN is also useful/important because of MFA, which otherwise
> wouldn't work unless you reuse a token. And I'm hoping that when someone
> has time to work MFA support properly into the cli tool they can
> hopefully also think about how to make the token reuse better.

You mentioned "MFA support properly".  What issue exists?  I'm interested since I was about to look into this next.

Thanks!

Eric


More information about the openstack-discuss mailing list