On 06/04/2012 07:15 PM, Nguyen, Liem Manh wrote:
> Looks good, Adam... I have a couple comments/questions:
> 1) We probably want to maintain backward-compatibility with the old token auth.
> So, PKI can be turned on or off, maybe via a middleware filter that sits in
> front of the old token auth (instead of a cache for example which does not make
> sense for PKI anymore). While PKI comes with benefits, not everyone may want
> to deal with certificates, etc... 2-way SSL is configurable for this very same
> reason.
I don't think the SSL overhead is that great. If there is a large hue
and cry from the community, I'll provide it as an option, but I am
thinking that there is little benefit in backwards compatibility, and a
large amount of code that then needs to be maintained.
This is different from 2 Way SSL, which is implemented in the Python
layer, and is likely a performance bottleneck. You don't want to do
crypto in Python.
I'm not sure that the cache should go. I can see benefits to using it:
it obviates the need for spawning a process for additional signed tokens
checks.
> 2) I don't know if you have looked at pyopenssl yet? Maybe a better
> alternative than spawning processes...
I'm pretty sure that any call into a native library is going to be more
of an issue than spawning a process, unless that library has been
specifically implemented with non-blocking code in mind, and explicitly
avoids taking the GIL. However, since OpenSSL doesn't seem to support
CMS signing (the PKCS7 module is pretty much read only information) I
think the issue is moot.
> 3) Is PKI v3 or v2? I assume v3, but just want to double-check. /v2.0 should
> be /v3.0 if that's the case.
V2, as there is no change to the API, just the implementation.
> Thanks,
> Liem
> ________________________________________
> From: openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net
> [openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net] on behalf of Adam
> Young [ayo...@redhat.com]
> Sent: Friday, June 01, 2012 2:56 PM
> To: openstack
> Subject: [Openstack] Signed Tokens
> The signed tokens work has been updated. I think this is the final
> architecture.
> https://github.com/admiyo/keystone/commits/signed-tokens-5
> Not all of the unit tests run. Some of the Memcache tests are suspect,
> and I wonder if we even need memcache support for tokens in the
> middleware. I think we don't.
> Also, the Diablo tokens are not supported. I think we can safely
> deprecate them for Folsom.
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack
> Post to : openstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~openstack
> More help : https://help.launchpad.net/ListHelp
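The thread argues two points that are easier to judge in code: a CMS-signed token is checked by spawning `openssl cms -verify` rather than calling into a native library, and a cache in the middleware exists so that a token presented repeatedly is verified once rather than once per request. The block below is an added example for this discussion, not Keystone's code from the branch linked above. The `openssl` command-line options are standard ones; the `VerifiedTokenCache` class, its policy (key on a hash of the exact token text, bound entries by the token's own `expires` field and by an LRU limit, never cache a failure) and the use of a self-signed certificate as its own trust anchor in `demo()` are assumptions made for the example.

```python
"""Signed-token verification with a bounded cache of verified results.

Added example for this thread, not Keystone's own code.  The openssl
options used are standard flags; the cache class, its policy and every
other name here are assumptions made for illustration."""
import hashlib
import json
import shutil
import subprocess
import tempfile
import time
from collections import OrderedDict


class TokenVerifyError(Exception):
    """Signature, chain or payload check failed."""


def cms_verify(signed_pem, ca_file):
    """Spawn ``openssl cms -verify`` and return the signed content bytes.

    The signer cert travels inside the CMS blob; -CAfile is the trust
    anchor it must chain to; -binary keeps the payload byte-exact.  A
    non-zero exit covers bad signature, untrusted chain and bad purpose."""
    proc = subprocess.run(
        ["openssl", "cms", "-verify", "-inform", "PEM", "-binary",
         "-CAfile", ca_file],
        input=signed_pem.encode(), capture_output=True)
    if proc.returncode != 0:
        raise TokenVerifyError(proc.stderr.decode(errors="replace").strip())
    return proc.stdout


class VerifiedTokenCache:
    """LRU cache of *verified* token payloads, bounded in size and time.

    Key: SHA-256 of the exact token text, so an altered token never hits
    the entry of a valid one.  Value: parsed payload plus the token's own
    ``expires`` time; an entry is served only while the token is valid.
    Failures are never cached, so a bad token always pays a full check."""

    def __init__(self, verify, maxsize=1024, now=time.time):
        self._verify = verify          # callable(token_text) -> payload bytes
        self._maxsize = maxsize
        self._now = now                # injectable clock
        self._entries = OrderedDict()  # key -> (expires, payload)
        self.verify_calls = 0          # how often a full check was needed

    def lookup(self, token):
        key = hashlib.sha256(token.encode()).hexdigest()
        hit = self._entries.get(key)
        if hit is not None:
            expires, payload = hit
            if expires > self._now():
                self._entries.move_to_end(key)   # refresh LRU position
                return payload
            del self._entries[key]               # expired: drop and re-check
        self.verify_calls += 1
        raw = self._verify(token)                # raises on bad signature
        try:
            payload = json.loads(raw)
            expires = float(payload["expires"])
        except (ValueError, KeyError, TypeError) as exc:
            raise TokenVerifyError("malformed token payload") from exc
        if expires <= self._now():
            raise TokenVerifyError("token expired")
        self._entries[key] = (expires, payload)
        if len(self._entries) > self._maxsize:
            self._entries.popitem(last=False)    # evict least recently used
        return payload


def demo(workdir):
    """Create a throwaway self-signed signer, sign a constructed payload,
    check it twice and return the number of openssl spawns (expected 1)."""
    key, cert = f"{workdir}/key.pem", f"{workdir}/cert.pem"
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-subj", "/CN=example-signer", "-days", "1",
                    "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    payload = json.dumps({"user": "alice", "expires": time.time() + 3600})
    signed = subprocess.run(
        ["openssl", "cms", "-sign", "-signer", cert, "-inkey", key,
         "-outform", "PEM", "-nodetach", "-binary"],
        input=payload.encode(), check=True, capture_output=True).stdout
    cache = VerifiedTokenCache(lambda tok: cms_verify(tok, cert))
    cache.lookup(signed.decode())
    cache.lookup(signed.decode())
    return cache.verify_calls


if __name__ == "__main__":
    if shutil.which("openssl"):
        with tempfile.TemporaryDirectory() as d:
            print("openssl spawns for two checks:", demo(d))
```

Run it where an `openssl` binary is on the path and `demo()` reports one spawn for two checks of the same token. Two design points matter for the cache argument in the thread: the cache key is derived from the whole token, so a forged or edited token can only miss, and the entry's lifetime is the token's own expiry, so a cached result never outlives the thing it vouches for. Anything the middleware must re-check per request (a revocation list, for instance) still has to be applied to the cached payload; the cache only saves the signature check.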