[Openstack] Signed Tokens

Adam Young ayoung at redhat.com
Tue Jun 5 00:58:35 UTC 2012


On 06/04/2012 07:15 PM, Nguyen, Liem Manh wrote:
> Looks good, Adam...  I have a couple comments/questions:
>
> 1) We probably want to maintain backward-compatibility with the old token auth.  So, PKI can be turned on or off, maybe via a middleware filter that sits in front of the old token auth (instead of a cache for example which does not make sense for PKI anymore).  While PKI comes with benefits, not everyone may want to deal with certificates, etc...  2-way SSL is configurable for this very same reason.
I don't think the SSL overhead is that great.  If there is a large hue 
and cry from the community,  I'll provide it as an option, but I am 
thinking that there is little benefit in backwards compatibility, and a 
large amount of code that then needs to be maintained.

This is different from 2 Way SSL,  which is implemented in the Python 
Layer, and is likely a performance bottleneck.  You don't want to do 
Crypto in Python.

I'm not sure that the cache should go.  I can see benefits to using it:  
it obviates the need for spawning a process for additional signed tokens 
checks.


>
> 2) I don't know if you have looked at pyopenssl yet?  Maybe a better alternative than spawning processes...

I'm pretty sure that any call into a native library is going to be more 
of an issue than spawning a process, unless that library has been 
specifically implemented with non-blocking code in mind,  and explicitly 
avoids taking the GIL. However, since openssl doesn't seem to support 
CMS signing (the PKCS7 module is pretty much read only information)  I 
think the issue is moot.

>
> 3) Is PKI v3 or v2?  I assume v3, but just want to double-check.  /v2.0 should be /v3.0 if that's the case.
V2, as there is no change to the API, just the implementation.

>
> Thanks,
> Liem
> ________________________________________
> From: openstack-bounces+liem_m_nguyen=hp.com at lists.launchpad.net [openstack-bounces+liem_m_nguyen=hp.com at lists.launchpad.net] on behalf of Adam Young [ayoung at redhat.com]
> Sent: Friday, June 01, 2012 2:56 PM
> To: openstack
> Subject: [Openstack] Signed Tokens
>
> The signed tokens work has been updated.  I think this is the final
> architecture.
>
> https://github.com/admiyo/keystone/commits/signed-tokens-5
>
> Not all of the unit tests run. Some of the Memcache tests are suspect,
> and I wonder if we even need memcache support for tokens in the middle
> ware.  I think we don't.
>
> Also,  the Diablo tokens are not supported.  I think we can safely
> deprecate them for Folsom.
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to     : openstack at lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help   : https://help.launchpad.net/ListHelp