Thanks Dolph, I now have a pretty clear picture about it.
Br,

Tuan/Nokia

On Mon, Apr 10, 2017 at 2:58 PM, Dolph Mathews <[email protected]> wrote:

> The token itself is still expired, regardless of where it's persisted, if
> at all. Expired tokens are only considered valid when presented as an
> X-Auth-Token to keystonemiddleware.auth_token along with a valid
> X-Service-Token, or when validating an X-Subject-Token against keystone
> directly using either:
>
> HEAD /v3/auth/token?allow_expired
> GET /v3/auth/token?allow_expired
>
> No configuration is required in keystone.conf to enable the feature.
>
> More documentation is available in the release notes [1][2] and in the
> sample configuration file [3] (see [token] allow_expired_window).
>
> [1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
> [2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
> [3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html
>
> On Mon, Apr 3, 2017 at 7:58 AM lương hữu tuấn <[email protected]> wrote:
>
>> Hi Dolph,
>>
>> Thanks for the reply. It means that from the db point of view, the token is
>> expired but it is still passed to other service users in the request (token
>> stored in memory?) and keystone allows this expired token? And to make this
>> feature work, we should apply the header "X-Service-Token" and change
>> "allow_expired" in keystone.conf.
>>
>> Br,
>>
>> Tuan/Nokia
>>
>> On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <[email protected]> wrote:
>>
>>> > does it mean that the token now will live forever
>>>
>>> No; it behaves as described in the document you linked. If you have any
>>> specific security concerns, please raise them appropriately (such as a
>>> security bug, if necessary).
>>>
>>> On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <[email protected]> wrote:
>>>
>>>> Hi keystone folks,
>>>>
>>>> I have had a chance to take a look at the patch below for allowing
>>>> expired tokens; it was merged in Ocata:
>>>>
>>>> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html
>>>>
>>>> In our project, we also have a problem with token expiration when running
>>>> a mistral workflow. I have a concern that if this patch works as it does,
>>>> does it mean that the token now will live forever ("forever" seems so
>>>> sloppy, but it seems like the token is no longer expired)? In this case, it
>>>> seems not good for security purposes.
>>>>
>>>> Br,
>>>>
>>>> Tuan/Nokia
>>>
>>> --
>>> -Dolph
>
> --
> -Dolph
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
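To make the rule Dolph describes concrete, here is an added example (not keystone's or keystonemiddleware's own code) that models the three cases: an unexpired token, an expired token presented on its own, and an expired token presented either with a valid X-Service-Token or directly with the allow_expired query flag. Assumptions made here: tokens are dicts carrying an `expires_at` UNIX timestamp; the window is the `[token] allow_expired_window` length in seconds (the 2-day value is assumed, not taken from the thread); the direct validation path is spelled `/v3/auth/tokens` as in the Identity API (the mail writes it in shorthand); and a service token that is itself missing or expired makes the middleware reject the request outright. The point the model makes is the one in the thread: the token stays expired, and only a bounded window, gated on the service-token or the explicit flag, lets it through.

```python
# Added example modelling keystone's allow_expired behaviour.  Not keystone
# code; the endpoint, window default and middleware short-circuit are
# assumptions labelled in the lead-in.

ALLOW_EXPIRED_WINDOW = 2 * 24 * 3600   # assumed default, in seconds; set from keystone.conf in practice
TOKEN_ENDPOINT = "/v3/auth/tokens"     # Identity v3 token validation path (assumed spelling)


def build_validation_request(subject_token, auth_token, allow_expired=False, method="HEAD"):
    """Shape of a direct validation call against keystone.

    The caller authenticates with its own X-Auth-Token and asks about
    X-Subject-Token; allow_expired is expressed as a query flag, not a
    keystone.conf setting.  Returns (method, path, headers).
    """
    path = TOKEN_ENDPOINT + ("?allow_expired" if allow_expired else "")
    headers = {"X-Auth-Token": auth_token, "X-Subject-Token": subject_token}
    return method, path, headers


def keystone_decides(token, now, allow_expired=False, window=ALLOW_EXPIRED_WINDOW):
    """keystone side of the decision.  Returns (accepted, reason).

    An expired token is never 'un-expired'; it is only tolerated when the
    request asked for allow_expired and the token is still inside the window.
    """
    if token is None:
        return False, "unknown token"
    exp = token["expires_at"]
    if now < exp:
        return True, "not expired"
    if not allow_expired:
        return False, "expired; allow_expired not requested"
    if now < exp + window:
        return True, "expired but inside allow_expired_window"
    return False, "expired beyond allow_expired_window"


def service_request(headers, now, tokens, window=ALLOW_EXPIRED_WINDOW):
    """A request arriving at a service behind keystonemiddleware.auth_token.

    The middleware only asks keystone for allow_expired when a valid
    X-Service-Token accompanies the X-Auth-Token.  Rejecting the request when
    the service token is missing from the store or expired is an assumption.
    """
    user = tokens.get(headers.get("X-Auth-Token"))
    allow = False
    if "X-Service-Token" in headers:
        svc = tokens.get(headers["X-Service-Token"])
        if svc is None or now >= svc["expires_at"]:
            return False, "invalid service token"
        allow = True
    return keystone_decides(user, now, allow_expired=allow, window=window)


# Constructed sample data: a user token that expired at t=1000, a long-lived
# service token, and a service token that has itself expired.
TOKENS = {
    "user-tok": {"expires_at": 1000},
    "svc-tok": {"expires_at": 10_000_000},
    "svc-tok-old": {"expires_at": 500},
}

if __name__ == "__main__":
    for now in (900, 1000 + 3600, 1000 + ALLOW_EXPIRED_WINDOW):
        alone = {"X-Auth-Token": "user-tok"}
        with_svc = {"X-Auth-Token": "user-tok", "X-Service-Token": "svc-tok"}
        print(now, "alone   ->", service_request(alone, now, TOKENS))
        print(now, "service ->", service_request(with_svc, now, TOKENS))
    print(build_validation_request("user-tok", "admin-tok", allow_expired=True))
```

Run it and the three rows show the shape of the feature: before t=1000 both forms pass; an hour after expiry only the request carrying a valid service token passes; once the window has elapsed neither does. A workflow engine such as mistral therefore gains at most `allow_expired_window` of grace, and only when it presents its own service credential alongside the user's expired token.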
