Re: [openstack-dev] [Keystone][Token expiration]
Thanks Dolph, I now have a pretty clear picture about it.

Br,
Tuan/Nokia

On Mon, Apr 10, 2017 at 2:58 PM, Dolph Mathews wrote:

> The token itself is still expired, regardless of where it's persisted, if
> at all. Expired tokens are only considered valid when presented as an
> X-Auth-Token to keystonemiddleware.auth_token along with a valid
> X-Service-Token, or when validating an X-Subject-Token against keystone
> directly using either:
>
> HEAD /v3/auth/token?allow_expired
> GET /v3/auth/token?allow_expired
>
> No configuration is required in keystone.conf to enable the feature.
>
> More documentation is available in the release notes [1][2] and in the
> sample configuration file [3] (see [token] allow_expired_window).
>
> [1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
> [2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
> [3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html
>
> --
> -Dolph

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [Keystone][Token expiration]
The token itself is still expired, regardless of where it's persisted, if
at all. Expired tokens are only considered valid when presented as an
X-Auth-Token to keystonemiddleware.auth_token along with a valid
X-Service-Token, or when validating an X-Subject-Token against keystone
directly using either:

HEAD /v3/auth/token?allow_expired
GET /v3/auth/token?allow_expired

No configuration is required in keystone.conf to enable the feature.

More documentation is available in the release notes [1][2] and in the
sample configuration file [3] (see [token] allow_expired_window).

[1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
[2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
[3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

On Mon, Apr 3, 2017 at 7:58 AM lương hữu tuấn wrote:

> Hi Dolph,
>
> Thanks for the reply. It means that from the db point of view the token is
> expired, but it is still passed to other service users in the request (token
> stored in memory?) and keystone allows this expired token? And to make this
> feature work, we should apply the "X-Service-Token" header and change
> "allow_expired" in keystone.conf.
>
> Br,
>
> Tuan/Nokia

--
-Dolph
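The two acceptance paths Dolph describes, modelled as an added example (this is not keystone's or keystonemiddleware's own code): a strict check for a bare X-Auth-Token, a relaxed check only when a valid X-Service-Token accompanies it, and a direct validation with allow_expired that is bounded by [token] allow_expired_window. The two-day window value and the sample tokens are assumptions constructed for the example, and the endpoint is written as /v3/auth/tokens, the Identity v3 path.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed default for [token] allow_expired_window (two days); confirm the value
# in the sample keystone.conf linked in the thread for your release.
ALLOW_EXPIRED_WINDOW = timedelta(seconds=172800)


@dataclass
class Token:
    expires_at: datetime
    is_service_token: bool = False


def validate_subject_token(token: Token, now: datetime, allow_expired: bool = False,
                           window: timedelta = ALLOW_EXPIRED_WINDOW) -> Tuple[bool, str]:
    """Model of keystone answering GET/HEAD /v3/auth/tokens?allow_expired: an expired
    token passes only if allow_expired was requested and it expired within `window`."""
    if now < token.expires_at:
        return True, "valid"
    if not allow_expired:
        return False, "expired"
    if now - token.expires_at <= window:
        return True, "expired but within allow_expired_window"
    return False, "expired outside allow_expired_window"


def auth_token_middleware_accepts(user_token: Token, service_token: Optional[Token],
                                  now: datetime) -> Tuple[bool, str]:
    """Model of keystonemiddleware.auth_token: X-Auth-Token alone is checked strictly;
    only with a valid X-Service-Token is the user token validated with allow_expired."""
    ok, reason = validate_subject_token(user_token, now)
    if ok:
        return True, reason
    if service_token is None or not service_token.is_service_token:
        return False, "expired X-Auth-Token without X-Service-Token"
    if not validate_subject_token(service_token, now)[0]:
        return False, "X-Service-Token itself is expired"
    return validate_subject_token(user_token, now, allow_expired=True)


# Constructed sample inputs: a user token that expired an hour ago, a live service
# token, and a user token that expired three days ago (outside the window).
NOW = datetime(2017, 4, 10, 12, 0, tzinfo=timezone.utc)
USER_TOKEN = Token(expires_at=NOW - timedelta(hours=1))
SERVICE_TOKEN = Token(expires_at=NOW + timedelta(hours=1), is_service_token=True)
STALE_TOKEN = Token(expires_at=NOW - timedelta(days=3))
```

The model shows why the token does not "live forever": without a service token it is rejected outright, and even with one it stops validating once allow_expired_window has elapsed.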
Re: [openstack-dev] [Keystone][Token expiration]
Hi Dolph,

Thanks for the reply. It means that from the db point of view the token is
expired, but it is still passed to other service users in the request (token
stored in memory?) and keystone allows this expired token? And to make this
feature work, we should apply the "X-Service-Token" header and change
"allow_expired" in keystone.conf.

Br,

Tuan/Nokia

On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews wrote:

> > does it mean that the token now will live forever
>
> No; it behaves as described in the document you linked. If you have any
> specific security concerns, please raise them appropriately (such as a
> security bug, if necessary).
>
> --
> -Dolph
Re: [openstack-dev] [Keystone][Token expiration]
> does it mean that the token now will live forever

No; it behaves as described in the document you linked. If you have any
specific security concerns, please raise them appropriately (such as a
security bug, if necessary).

On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn wrote:

> Hi keystone folks,
>
> I have had a chance to take a look at the patch below for allowing
> expired tokens; it was merged in Ocata:
>
> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html
>
> In our project, we also have a problem with token expiration when running
> a mistral workflow. I have a concern that if this patch works as it does,
> does it mean that the token now will live forever ("forever" seems so
> sloppy, but it seems like the token is no longer expired)? In this case, it
> seems not good for security purposes.
>
> Br,
>
> Tuan/Nokia

--
-Dolph
[openstack-dev] [Keystone][Token expiration]
Hi keystone folks,

I have had a chance to take a look at the patch below for allowing
expired tokens; it was merged in Ocata:

https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html

In our project, we also have a problem with token expiration when running
a mistral workflow. I have a concern that if this patch works as it does,
does it mean that the token now will live forever ("forever" seems so
sloppy, but it seems like the token is no longer expired)? In this case, it
seems not good for security purposes.

Br,

Tuan/Nokia