On Tue, Mar 8, 2016 at 10:58 AM, Adam Young <ayo...@redhat.com> wrote:

> On 03/08/2016 11:06 AM, Matt Fischer wrote:
>
> This would be complicated to set up. How would the Openstack services
> validate the token? Which keystone node would they use? A better question
> is why would you want to do this?
>
> On Tue, Mar 8, 2016 at 8:45 AM, rezroo <openst...@roodsari.us> wrote:
>
>> Keystone supports both tokens and ec2 credentials simultaneously, but as
>> far as I can tell, will only do a single token format (uuid, pki/z, fernet)
>> at a time. Is it possible or advisable to configure keystone to issue
>> multiple token formats? For example, I could configure two keystone
>> servers, each using a different token format, so depending on endpoint
>> used, I could get a uuid or pki token. Each service can use either token
>> format, so is there a conceptual or implementation issue with this setup?
>>
>
We do have token-less authentication built into keystone, which was
released in Liberty and might help with the service authentication case you
described [0]. Having a keystone node validate multiple token formats is
tough because it requires the token providers to know enough information
about other token formats to confidently say "yes, this is a PKI token" or
"no, this isn't a fernet token". Is the sole idea behind letting the client
pick the token format to get around the service authentication situation?
Is there another case you have that makes sense for a client to pick its
token format?

[0]
https://github.com/openstack/keystone-specs/blob/master/specs/liberty/keystone-tokenless-authz-with-x509-ssl-client-cert.rst


>> Thanks,
>> Reza
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe:
>> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
> Theoretically:
>
> Two different Keystone servers could independently issue different token
> formats.  They would need to share a common backend, so that they could all
> be verified online.  PKIZ  could be issued from multiple servers, each
> using different signing certs, so long as all the services got all the
> certs.
>
> Practically:
>
> You'd be insane to do this in production
>
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
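The format-dispatch problem raised in the reply above, as an added example that is not code from this thread or from keystone: a validator that accepts several token formats has to guess the format from the token's shape before it can route the token to the right provider, and reject anything it cannot classify or that the deployment has not enabled. The shape heuristics and the sample provider are assumptions constructed for the example.

```python
import re
import uuid
from typing import Callable, Dict

# Shape heuristics (assumptions about the on-the-wire form, not keystone code):
# UUID tokens are 32 lowercase hex chars; PKIZ tokens carry a "PKIZ_" prefix;
# fernet tokens are base64url whose first byte is the 0x80 version, so they
# start with "gAAAAA"; PKI tokens are base64 CMS and start with "MII".
UUID_RE = re.compile(r"^[0-9a-f]{32}$")
FERNET_RE = re.compile(r"^gAAAAA[A-Za-z0-9_-]+={0,2}$")
PKI_RE = re.compile(r"^MII[A-Za-z0-9+/=-]+$")


def sniff_token_format(token: str) -> str:
    """Guess the token format from its shape; 'unknown' if nothing matches."""
    if UUID_RE.match(token):
        return "uuid"
    if token.startswith("PKIZ_"):
        return "pkiz"
    if FERNET_RE.match(token):
        return "fernet"
    if PKI_RE.match(token):
        return "pki"
    return "unknown"


def validate(token: str, providers: Dict[str, Callable[[str], bool]]) -> bool:
    """Route the token to the provider for its format.

    Fails closed: an unrecognised shape, or a recognised format with no
    enabled provider, is rejected without consulting any backend.
    """
    fmt = sniff_token_format(token)
    provider = providers.get(fmt)
    return provider is not None and provider(token)


# Constructed sample deployment: only the UUID provider is enabled, and it
# "knows" exactly one issued token. No fernet/PKI provider is configured, so
# tokens of those shapes are rejected even though they are recognised.
ISSUED_UUID = uuid.UUID("0f6c9a4b3e2d4c5b8a7f1e2d3c4b5a69").hex  # constructed
PROVIDERS: Dict[str, Callable[[str], bool]] = {"uuid": lambda t: t == ISSUED_UUID}

if __name__ == "__main__":
    print(validate(ISSUED_UUID, PROVIDERS))  # True
    print(validate("gAAAAABW3tAA" + "A" * 40, PROVIDERS))  # False: fernet not enabled
```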