On Fri, Aug 23, 2013 at 7:48 PM, Yongsheng Gong <gong...@unitedstack.com> wrote:

> Hi Adam,
> Can you explain more about 'In conjunction with the caching layer, it might
> be the right approach: flush the old tokens upon revocation list
> regeneration.'?
>
> when is the list_revoked_tokens called?
>

In a PKI-token based deployment, auth_token periodically fetches a list of revoked tokens so that it knows which tokens to deny, even though they are otherwise valid.

> thanks
>
> On Sat, Aug 24, 2013 at 1:51 AM, Adam Young <ayo...@redhat.com> wrote:
>
>> On 08/23/2013 12:43 PM, Joe Gordon wrote:
>>
>> On Aug 23, 2013 12:24 PM, "Dolph Mathews" <dolph.math...@gmail.com> wrote:
>> >
>> > On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.mil...@hp.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I would think you would want to reuse the same token but update the
>> >> expiration time as if it were the first time the token had been generated.
>> >
>> > That wouldn't work for PKI tokens, as the resulting signature would
>> > have to change.
>> >
>> >> Mark
>> >>
>> >> From: Yongsheng Gong [mailto:gong...@unitedstack.com]
>> >> Sent: Friday, August 23, 2013 12:40 AM
>> >> To: OpenStack Development Mailing List
>> >> Subject: [openstack-dev] [keystone] Two BPs for managing the tokens
>> >>
>> >> Hi,
>> >>
>> >> Talked with Henry Nash and Jamie Lennox on IRC, I have created two BPs
>> >> to manage the keystone tokens:
>> >>
>> >> 1. https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token
>>
>> Not sure that this is worth writing or maintaining. The system services
>> for Cron are much more robust, and we don't have to maintain them.
>>
>> I do have this review for your consideration, though:
>>
>> https://review.openstack.org/#/c/43510/
>>
>> In conjunction with the caching layer, it might be the right approach:
>> flush the old tokens upon revocation list regeneration.
>>
>> >> which is used to delete expired token
>> >>
>> >> 2. https://blueprints.launchpad.net/keystone/+spec/reuse-token
>> >>
>> >> which will re-use valid token
>> >>
>> >> These two BPs will help us to reduce the token records in token table
>> >> enormously.
>> >>
>> >> I have put some ideas on the BP description.
>> >>
>> >> Any comments are welcome.
>>
>> What about Adam Young's vision for keystone, which I like,
>> http://adam.younglogic.com/2013/07/a-vision-for-keystone/
>> These two blueprints don't appear to be in line with it.
>>
>> Also, instead of making keystone reuse tokens why not make the token
>> reuse in the clients better (keyring based). Last I checked it was
>> disabled and broken in nova (there was a patch to fix it, but keep it
>> disabled)
>>
>> >> Regards,
>> >>
>> >> Yong Sheng Gong
>> >
>> > --
>> >
>> > -Dolph

--
-Dolph
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
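
The revocation-list check and the flush-on-regeneration idea discussed in this thread, as an added example that is not part of the original messages and is not keystone or auth_token code. `TokenStore`, `Validator` and the demo key are hypothetical names, the token id is simply the signature value, and an HMAC stands in for the PKI signature so that it runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 with a constructed demo key stands in for the
# PKI (CMS) signature; real PKI tokens are signed with a certificate.
SIGNING_KEY = b"constructed-demo-key"

def sign(body: dict) -> str:
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()

class TokenStore:
    """Hypothetical server-side token table (not keystone's backend)."""
    def __init__(self):
        self.rows = {}  # token id -> {"expires": float, "revoked": bool}

    def issue(self, user, expires):
        body = {"user": user, "expires": expires}
        token = {"body": body, "sig": sign(body)}
        self.rows[token["sig"]] = {"expires": expires, "revoked": False}
        return token

    def revoke(self, token):
        self.rows[token["sig"]]["revoked"] = True

    def regenerate_revocation_list(self, now):
        # Flush on regeneration: an expired token is rejected on expiry
        # alone, so its row is needed neither in the table nor on the list.
        self.rows = {t: r for t, r in self.rows.items() if r["expires"] > now}
        return {t for t, r in self.rows.items() if r["revoked"]}

class Validator:
    """Hypothetical service-side check that works from a cached list."""
    def __init__(self):
        self.revoked = set()

    def refresh(self, revocation_list):  # called periodically
        self.revoked = set(revocation_list)

    def check(self, token, now):
        if not hmac.compare_digest(sign(token["body"]), token["sig"]):
            return "bad-signature"  # e.g. expiry edited after signing
        if token["body"]["expires"] <= now:
            return "expired"
        if token["sig"] in self.revoked:
            return "revoked"  # otherwise valid, denied by the list
        return "ok"
```

A revoked token keeps passing `check` until the next `refresh`, so the refresh interval bounds how long a revoked but otherwise valid token is still accepted.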