[Openstack] Signed Tokens
Adam Young
ayoung at redhat.com
Mon Jun 4 14:58:08 UTC 2012
On 06/01/2012 05:56 PM, Adam Young wrote:
> The signed tokens work has been updated. I think this is the final
> architecture.
>
> https://github.com/admiyo/keystone/commits/signed-tokens-5
>
> Not all of the unit tests run. Some of the Memcache tests are suspect,
> and I wonder if we even need memcache support for tokens in the
> middleware. I think we don't.
>
> Also, the Diablo tokens are not supported. I think we can safely
> deprecate them for Folsom.
Responses to Guang Yee's comments on GitHub:
keystone/config.py
line 156
gyee: Maybe "token_signing" instead of "signing"? Signing still sounds
too generic:
ayoung: This is a generic signing cert. Although it is only used for
tokens, it could be used for something else as well. I think signing
is appropriate.
keystone/middleware/auth_token.p
line 146:
gyee: May want to do os.umask() to protect the signing dir.
ayoung: agreed.
line 597:
gyee: You are assuming openssl is available. May want to do a sanity
check first.
ayoung: The packages will 'Require' OpenSSL, and we will put it into
the package list for Devstack as well.
gyee: May want to introduce some timeout logic to force process
termination in case it hangs or did not finish on time.
ayoung: We are not consuming entropy with the signing or verification
process, so hanging is likely not an issue. I don't think Eventlet
makes that kind of code easy to write, either. If we see signs of
hanging, then we will deal with it.
keystone/service.py
line 505:
gyee: certfile.close
ayoung: yes
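
The three hardening points raised in this review (a restrictive umask for the signing directory, a sanity check that openssl is present, and a timeout on the child process) look like this in Python. This is an added example, not code from the signed-tokens branch or from Keystone; the function names are hypothetical, and it assumes plain `subprocess` on a POSIX host without Eventlet monkey-patching.

```python
import os
import shutil
import stat
import subprocess
import tempfile


def make_private_dir(path):
    """Create path so that only the owning user can read or enter it."""
    old_umask = os.umask(0o077)  # strip group/other bits from anything created here
    try:
        os.makedirs(path, exist_ok=True)
    finally:
        os.umask(old_umask)  # the umask is process-wide, so always restore it
    # makedirs leaves a pre-existing directory untouched, so verify the result.
    st = os.stat(path)
    if st.st_uid != os.geteuid() or stat.S_IMODE(st.st_mode) & 0o077:
        raise PermissionError(f"{path} is not private to the current user")
    return path


def find_tool(name="openssl"):
    """Sanity check: resolve the external binary once and fail early if missing."""
    exe = shutil.which(name)
    if exe is None:
        raise FileNotFoundError(f"{name} not found on PATH")
    return exe


def run_tool(argv, data=b"", timeout=5.0):
    """Run argv with data on stdin; the child is killed if it overruns timeout."""
    try:
        proc = subprocess.run(argv, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired as exc:
        raise RuntimeError(f"{argv[0]} exceeded {timeout}s and was killed") from exc
    if proc.returncode != 0:
        raise RuntimeError(f"{argv[0]} exited with status {proc.returncode}")
    return proc.stdout


if __name__ == "__main__":
    # Constructed demo: a throwaway signing directory and a harmless openssl call.
    signing_dir = make_private_dir(os.path.join(tempfile.mkdtemp(), "signing"))
    print(signing_dir, oct(stat.S_IMODE(os.stat(signing_dir).st_mode)))
    print(run_tool([find_tool("openssl"), "version"]).decode().strip())
```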