[Openstack] keystone with Ephemeral PKI tokens

Miller, Mark M (EB SW Cloud - R&D - Corvallis) mark.m.miller at hp.com
Thu Feb 20 00:00:48 UTC 2014


Hello,

I read the following and want to register a disagreement:

"With token revocation events in place, we no longer have a need to store a token revocation list. The token revocation list is the primary reason why keystone bothers to persist PKI tokens, so without it, PKI tokens can become completely ephemeral."

One idea behind PKI tokens is to enable services to parse the token to retrieve role/project/domain data for a particular user without having to validate the token with Keystone each and every time. In order to make sure that the token has not been revoked, services need to check the expiration date and "check the token revocation list" to make sure that the token is still valid. That said, how will non-OpenStack services obtain token revocation information if the revocation list is removed? I thought maybe the new "Callbacks on internal events" might be something external services could use, like listening in on a Keystone message queue, but it apparently only applies to extensions.

This is one time I will be glad to be wrong.

Regards,

Mark
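
The offline check described in the message above (verify the signed payload, check expiry, consult the revocation list), as an added example that is not part of the original post and not keystone's or keystoneclient's own code. The CMS signature step is delegated to a caller-supplied function; the `demo_cms_verify` used here is a constructed stand-in that only recognizes a `CMS:` prefix, where a real consumer would run `openssl cms -verify` against the signing certificate and CA. The short-ID derivation (MD5 hex of the encoded token) and the `{"revoked": [{"id": ..., "expires": ...}]}` list layout follow what keystone used at the time; the sample tokens, timestamps and revocation entries are constructed.

```python
import datetime
import hashlib
import json
from typing import Any, Callable, Dict, Set


class TokenInvalid(Exception):
    """Raised when a token fails any of the three offline checks."""


def cms_token_id(token_text: str) -> str:
    # keystoneclient derives the short ID of a PKI token as the MD5 hex digest
    # of the full CMS-encoded token; revocation list entries name tokens by it.
    return hashlib.md5(token_text.encode("utf-8")).hexdigest()


def parse_expires(ts: str) -> datetime.datetime:
    # Keystone v2 timestamps are UTC, formatted like 2014-02-20T01:00:00Z.
    return datetime.datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def revoked_ids(revocation_list: Dict[str, Any], now: datetime.datetime) -> Set[str]:
    # The list is {"revoked": [{"id": ..., "expires": ...}, ...]}. Each entry
    # carries the token's own expiry so a consumer can drop entries for tokens
    # it would reject as expired anyway; that is what keeps the list bounded.
    return {
        entry["id"]
        for entry in revocation_list.get("revoked", [])
        if parse_expires(entry["expires"]) > now
    }


def validate_pki_token(
    token_text: str,
    cms_verify: Callable[[str], str],
    revocation_list: Dict[str, Any],
    now: datetime.datetime,
) -> Dict[str, Any]:
    # 1. Signature: cms_verify must return the signed JSON payload or raise.
    payload = cms_verify(token_text)
    access = json.loads(payload)["access"]
    # 2. Expiry, read from the payload itself, no round trip to keystone.
    expires = parse_expires(access["token"]["expires"])
    if expires <= now:
        raise TokenInvalid("expired")
    # 3. Revocation: the only check that needs data newer than the token.
    if cms_token_id(token_text) in revoked_ids(revocation_list, now):
        raise TokenInvalid("revoked")
    return {
        "user_id": access["user"]["id"],
        "project_id": access["token"]["tenant"]["id"],
        "roles": [r["name"] for r in access["user"]["roles"]],
        "expires": expires,
    }


def outcome(token_text: str, revocation_list: Dict[str, Any],
            now: datetime.datetime) -> str:
    # Convenience wrapper that maps the result to a short status string.
    try:
        validate_pki_token(token_text, demo_cms_verify, revocation_list, now)
    except TokenInvalid as exc:
        return str(exc)
    return "valid"


# --- constructed demo data (not real keystone output) ----------------------

def demo_cms_verify(token_text: str) -> str:
    # Stand-in for `openssl cms -verify`: anything without the marker prefix
    # is treated as a bad signature. Real tokens are CMS/PKCS#7 over the JSON.
    if not token_text.startswith("CMS:"):
        raise TokenInvalid("bad signature")
    return token_text[len("CMS:"):]


def make_token(user: str, expires: str) -> str:
    body = {"access": {
        "token": {"expires": expires, "tenant": {"id": "proj-1", "name": "demo"}},
        "user": {"id": user, "name": user, "roles": [{"name": "Member"}]},
    }}
    return "CMS:" + json.dumps(body, sort_keys=True)


NOW = datetime.datetime(2014, 2, 20, 0, 0, 48)  # constructed "current time"
GOOD_TOKEN = make_token("user-1", "2014-02-20T01:00:00Z")
REVOKED_TOKEN = make_token("user-2", "2014-02-20T01:00:00Z")
EXPIRED_TOKEN = make_token("user-3", "2014-02-19T23:00:00Z")
REVOCATION_LIST = {"revoked": [
    {"id": cms_token_id(REVOKED_TOKEN), "expires": "2014-02-20T01:00:00Z"},
    # stale entry: this token expired before NOW, so revoked_ids() drops it
    {"id": cms_token_id(EXPIRED_TOKEN), "expires": "2014-02-19T23:00:00Z"},
]}

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("revoked", REVOKED_TOKEN),
                      ("expired", EXPIRED_TOKEN), ("unsigned", "nope")]:
        print(name, "->", outcome(tok, REVOCATION_LIST, NOW))
```

Steps 1 and 2 need nothing beyond the token and the signing certificates, which is the offline property the message describes; step 3 is the one place a consumer depends on data newer than the token, and it is the step that has no input left once the revocation list is gone.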
