[Openstack] Keystone, LDAP & Token behaviour
ayoung at redhat.com
Wed May 21 15:19:01 UTC 2014
On 05/21/2014 10:48 AM, Michael Hearn wrote:
> Keystone gurus,
> Can you help put me straight on expected authentication behaviour when
> using an LDAP identity backend?
> In the scenario where a user is granted a token (keystone token-get),
> should they not be able to make repeated API calls, e.g. `glance
> --os-auth-token xxxxxxx image-list`, until the token expires?
> I ask as, using tcpdump, I am seeing AuthN traffic between keystone
> and LDAP each time I execute an API call - a call that includes an
> unexpired token.
> I was assuming that by using an unexpired token a user avoids having
> to make an AuthN call. Is that not the case?
The glance CLI does not cache the token. There was code in the Keystone
client to cache the token in python-keyring. If glance is not honoring
the --os-auth-token value then it might be going back to keystone.
However, if the token is a UUID token, then here is what happens: the user
goes to Keystone, gets a token (UUID), and passes that to glance.
Glance passes that back to Keystone and says "is this valid" and
keystone responds "yep, and here is the service catalog." Glance now
has the option of caching this response in memcached. If it does not,
it needs to go back to Keystone every time.
But... now I see below that you are using PKI and memcached, which means
something is not behaving. If glance honors the --debug flag, you can
see if the CLI is going to Keystone, or if it is the server.
> Am using icehouse with token format set to PKI, caching enabled
> (memcached)