[Openstack] [Barbican] Keystone PKI token too much long

Adam Young ayoung at redhat.com
Mon Feb 3 18:17:16 UTC 2014


On 01/31/2014 08:40 AM, Remo Mattei wrote:
> Hi Rafael
> Do you have the info on how that has been implemented?
It falls back to a Keystone server lookup to validate the tokens.  I 
would not recommend doing that.

>
> Thanks
> Remo
>
> Sent from iPhone
>
> On Jan 31, 2014, at 8:27, "Ferreira, Rafael" <raf at io.com> wrote:
>
>> By the way, you can achieve the same benefits of uuid tokens (shorter 
>> tokens) with PKI by simply using an md5 hash of the PKI token for your 
>> X-Auth headers. This is poorly documented but it seems to work just 
>> fine.
>>
>> From: Adam Young <ayoung at redhat.com>
>> Date: Tuesday, January 28, 2014 at 1:41 PM
>> To: "openstack at lists.openstack.org" <openstack at lists.openstack.org>
>> Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long
>>
>> On 01/22/2014 12:21 PM, John Wood wrote:
>>> (Adding another member of our team Douglas)
>>>
>>> Hello Giuseppe,
>>>
>>> For questions about news or patches for Keystone's PKI vs UUID 
>>> modes, you might reach out to the openstack-dev at lists.openstack.org 
>>> mailing list, with the subject line prefixed with [openstack-dev] 
>>> [keystone]
>>>
>>> Our observation has been that the PKI mode can generate large text 
>>> blocks for tokens (esp. for large service catalogs) that cause http 
>>> header errors.
>>>
>>> Regarding the specific barbican scripts you are running, we haven't 
>>> run those in a while, so I'll investigate as we might need to update 
>>> them. Please email back your /etc/barbican/barbican-api-paste.ini 
>>> paste config file when you have a chance as well.
>>>
>>> Thanks,
>>> John
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Giuseppe Galeota [giuseppegaleota at gmail.com]
>>> *Sent:* Wednesday, January 22, 2014 7:36 AM
>>> *To:* openstack at lists.openstack.org
>>> *Cc:* John Wood
>>> *Subject:* [Openstack] [Barbican] Keystone PKI token too much long
>>>
>>> Dear all,
>>> I have configured Keystone for Barbican using this guide 
>>> <https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
>>>
>>> Is there any news or patch about the need to use a shorter token? I 
>>> would not use a modified token.
>> It's a known problem.  You can request a token without the service 
>> catalog using an extension.
>>
>> One possible future enhancement is to compress the key.
>>
>>
>>>
>>> Following you can find an extract of the linked guide:
>>>
>>>   * (Optional) Typical keystone setup creates PKI tokens that are
>>>     long, do not fit easily into curl requests without splitting
>>>     into components. For testing purposes suggest updating the
>>>     keystone database with a shorter token-id. (An alternative is to
>>>     set up keystone to generate uuid tokens.) From the above output
>>>     grab the token expiry value, referred to as "x-y-z"
>>>
>>> mysql -u root
>>> use keystone;
>>> update token set id="foo" where expires="x-y-z";
>>>
>>> Thank you,
>>> Giuseppe
