Open Stack

On 05/21/2014 10:48 AM, Michael Hearn wrote:
> Keystone gurus,
> Can you help put me straight on expected Authentication behaviour when 
> using an LDAP identity backend.
> In the scenario where a user is granted a token (keystone token-get) 
> should they not be able to make repeated API calls, e.g /glance 
> --os-auth-token xxxxxxx image-list / until the token expires?
>
> I ask as using /tcpdump/ I am seeing AuthN traffic between keystone 
> and LDAP each time I execute an API call - a call that includes an 
> unexpired token.
> I was assuming that by using an unexpired token a user avoids having 
> to make an AuthN call.  Is that not the case?

The glance CLI does not cache the token.  There was code in the Keystone 
client to cache the token in python-keyring.  If glance is not honoring 
the --os-auth-token  value then it might be going back to keystone.

However, if the token is a UUID token, then here is what happens: user 
goes to Keystone, gets a token (uuid) , and passes that to glance.  
Glance passes that back to Keystone and says "is this valid" and 
keystone responds "yep, and here is the service catalog."  Glance now 
has the option of caching this response in memcached.  If it does not, 
it needs to go back to Keystone every time.


But...now I see below that you are using pki and memcached.  Which means 
something is not behaving.  If glance honors the --debug flag, you can 
see if the CLI is going to Keystone, or if it is the server.

Curious.

>
> Cheers
> Mike.
>
> Am using icehouse with token format set to PKI , caching enabled 
> (memcached )
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140521/b87dec49/attachment.html>