[Openstack] [Barbican] Keystone PKI token too much long

Adam Young ayoung at redhat.com
Tue Jan 28 20:41:15 UTC 2014


On 01/22/2014 12:21 PM, John Wood wrote:
> (Adding another member of our team Douglas)
>
> Hello Giuseppe,
>
> For questions about news or patches for Keystone's PKI vs UUID modes, 
> you might reach out to the openstack-dev at lists.openstack.org mailing 
> list, with the subject line prefixed with [openstack-dev] [keystone]
>
> Our observation has been that the PKI mode can generate large text 
> blocks for tokens (esp. for large service catalogs) that cause http 
> header errors.
>
> Regarding the specific barbican scripts you are running, we haven't 
> run those in a while, so I'll investigate as we might need to update 
> them. Please email back your /etc/barbican/barbican-api-paste.ini 
> paste config file when you have a chance as well.
>
> Thanks,
> John
>
>
> ------------------------------------------------------------------------
> *From:* Giuseppe Galeota [giuseppegaleota at gmail.com]
> *Sent:* Wednesday, January 22, 2014 7:36 AM
> *To:* openstack at lists.openstack.org
> *Cc:* John Wood
> *Subject:* [Openstack] [Barbican] Keystone PKI token too much long
>
> Dear all,
> I have configured Keystone for Barbican using this guide 
> <https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
>
> Is there any news or patch about the need to use a shorter token? I 
> would not use a modified token.
It's a known problem.  You can request a token without the service 
catalog using an extension.

One possible future enhancement is to compress the key.


>
> Following you can find an extract of the linked guide:
>
>   * (Optional) Typical keystone setup creates PKI tokens that are
>     long, do not fit easily into curl requests without splitting into
>     components. For testing purposes suggest updating the keystone
>     database with a shorter token-id. (An alternative is to set up
>     keystone to generate uuid tokens.) From the above output grab the
>     token expiry value, referred to as "x-y-z"
>
> mysql -u root
> use keystone;
> update token set id="foo" where expires="x-y-z";
>
> Thank you,
> Giuseppe
