[Openstack] Signed Tokens Proof-of-concept

Adam Young ayoung at redhat.com
Tue May 29 20:52:22 UTC 2012


I've gotten the PKI signed tokens code working, although it's not ready for 
submission. It still needs some cleanup.


https://github.com/admiyo/keystone/tree/signed-tokens-2

Commit is here:

https://github.com/admiyo/keystone/commit/e566167f45d71f4e3e6cec7524e7097a86d68b80 


Feel free to provide line level comments.


Configuration is still a little wonky. auth_token inherits the paste 
config from the service that calls it. Thus, sign and verify are 
hacked to use different conf systems. I don't think these config 
values should be in paste, but rather in the "good" config files for the 
various services. I'd also like to provide decent defaults for them.

Guang and Liem talked me out of trying to piggyback on the SSL config 
options, even though the CA certs will be the same, and the signing keys 
can be the same. We both agree that the certs should not be the same. 
I can explain in depth why this is if anyone really cares.

This puts a new dependency into the system: the OpenSSL binary. From 
what I can tell, the only safe way to call OpenSSL is from the Popen 
API, as Eventlet wraps it. This should work equally well from 
HTTPD. The signing is done without using any interim files or 
directories: input and output are using the standard file descriptors. 
I think this is an elegant solution.

Rafaduran had a good point about memory usage for KVS. Since the tokens 
will be roughly 10 times the size they were previously, KVS might be 
too expensive. An optimization in the future is to drop recording the 
tokens into a datastore, and merely log them to an audit log. Even 
Keystone can use the cryptographic approach to validate.

I'm going to avoid putting in a revocation mechanism for the first 
approximation. I'll make sure that token time-out is a well documented 
config option, and we'll go with the shortest time-frame that we can for 
default expiry.
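The pattern the message describes, as an added example that is not the code from the linked branch or Keystone's own: the openssl binary is driven through subprocess (Popen underneath) with the token travelling over stdin and stdout only, so no interim files are written per token, and validation checks the signature against the CA cert and then the expiry, which is the only thing that ends a token's life when there is no revocation mechanism. It assumes the openssl binary is on PATH, uses "openssl cms" in PEM form with the content attached, generates a throwaway self-signed certificate that doubles as the CA (setup only, not how a deployment would be configured), and the token fields (id, user, expires) are constructed for illustration.

```python
"""Sign and verify a Keystone-style token with the openssl binary over pipes.

Added example. Assumes "openssl" is on PATH and that a self-signed signing
cert can stand in for the CA cert; the token layout is constructed.
"""
import json
import os
import shutil
import subprocess
import tempfile
import time


def openssl_available():
    """True when the openssl binary (the new dependency) is on PATH."""
    return shutil.which("openssl") is not None


def _openssl(args, data):
    """Run openssl with data on stdin and return its stdout.

    Only the standard file descriptors are used: nothing about the token
    touches the filesystem, so there is no temp file to clean up or leak.
    """
    proc = subprocess.run(["openssl", *args], input=data,
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          check=False)
    if proc.returncode != 0:
        raise RuntimeError("openssl %s failed: %s" % (
            " ".join(args[:2]), proc.stderr.decode(errors="replace").strip()))
    return proc.stdout


def make_signing_material(directory):
    """Generate a throwaway key and self-signed cert (setup for the demo only).

    A real deployment configures signing key, signing cert and CA cert as
    separate options; here the self-signed cert is also used as the CA.
    """
    key_path = os.path.join(directory, "signing_key.pem")
    cert_path = os.path.join(directory, "signing_cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key_path, "-out", cert_path, "-days", "1",
                    "-subj", "/CN=keystone-signing-example"],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return key_path, cert_path


def sign_token(token, key_path, cert_path):
    """Serialize the token and wrap it in a CMS signature (PEM, attached content)."""
    payload = json.dumps(token, sort_keys=True).encode()
    return _openssl(["cms", "-sign", "-signer", cert_path, "-inkey", key_path,
                     "-outform", "PEM", "-nodetach", "-binary"], payload)


def verify_token(signed, ca_path, now=None):
    """Check the signature against the CA cert, then enforce expiry.

    Raises RuntimeError on a bad signature (openssl exits non-zero) and
    ValueError on an expired token. Without a revocation list, "expires"
    is the only cut-off, which is why a short default matters.
    """
    payload = _openssl(["cms", "-verify", "-inform", "PEM", "-CAfile", ca_path], signed)
    token = json.loads(payload.decode())
    now = time.time() if now is None else now
    if token["expires"] <= now:
        raise ValueError("token expired at %d" % token["expires"])
    return token


def run_demo():
    """Round-trip one token and exercise the two failure modes; returns a dict."""
    with tempfile.TemporaryDirectory() as workdir:
        key_path, cert_path = make_signing_material(workdir)
        now = 1700000000  # constructed "current time" so the checks are deterministic
        token = {"id": "constructed-token-id", "user": "demo", "expires": now + 3600}
        signed = sign_token(token, key_path, cert_path)
        recovered = verify_token(signed, cert_path, now=now)

        # Flip one base64 character in the middle of the PEM body: the signed
        # blob no longer matches what was signed, so verification must fail.
        lines = signed.decode().splitlines()
        mid = len(lines) // 2
        c = lines[mid][0]
        lines[mid] = ("B" if c == "A" else "A") + lines[mid][1:]
        tampered = "\n".join(lines).encode() + b"\n"
        try:
            verify_token(tampered, cert_path, now=now)
            tampered_rejected = False
        except RuntimeError:
            tampered_rejected = True

        # A validly signed but already expired token is rejected by the time check.
        expired = sign_token(dict(token, expires=now - 1), key_path, cert_path)
        try:
            verify_token(expired, cert_path, now=now)
            expired_rejected = False
        except ValueError:
            expired_rejected = True

        return {"round_trip": recovered == token,
                "size_ratio": len(signed) / len(json.dumps(token, sort_keys=True)),
                "tampered_rejected": tampered_rejected,
                "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print(run_demo())
```

The size_ratio entry makes the KVS concern from the message concrete: the PEM wrapper carries the signer certificate and the signature, so the stored token is an order of magnitude larger than the bare JSON, which is the cost that pushes toward logging tokens to an audit log and validating them cryptographically instead of looking them up.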

