Re: [openstack-dev] [Keystone][Token expiration]

2017-04-10 Thread lương hữu tuấn
Thanks Dolph,

I now have a pretty clear picture about it.

Br,

Tuan/Nokia

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Keystone][Token expiration]

2017-04-10 Thread Dolph Mathews
The token itself is still expired, regardless of where it's persisted, if
at all. Expired tokens are only considered valid when presented as an
X-Auth-Token to keystonemiddleware.auth_token along with a valid
X-Service-Token, or when validating an X-Subject-Token against keystone
directly using either:

  HEAD /v3/auth/token?allow_expired
  GET /v3/auth/token?allow_expired

No configuration is required in keystone.conf to enable the feature.

More documentation is available in the release notes [1][2] and in the
sample configuration file [3] (see [token] allow_expired_window).

[1] https://docs.openstack.org/releasenotes/keystone/ocata.html#new-features
[2] https://docs.openstack.org/releasenotes/keystone/ocata.html#upgrade-notes
[3] https://docs.openstack.org/ocata/config-reference/identity/samples/keystone.conf.html

-- 
-Dolph
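The rule Dolph states above, as an added illustration in Python: an expired token passes only when re-validated with allow_expired, which keystonemiddleware does only alongside a valid X-Service-Token, and even then only inside allow_expired_window. This is editor-written model code, not keystone's or keystonemiddleware's; the window value, the dict-shaped tokens and the function names are assumptions.

```python
# Assumed window (keystone.conf [token] allow_expired_window); the thread names
# the option but not its value, so this number is a constructed example.
ALLOW_EXPIRED_WINDOW = 2 * 24 * 3600  # seconds

# A token is modelled as {"id": ..., "expires_at": <unix timestamp>}, i.e. the
# state keystone already knows after looking the token up (constructed model).

def validate_subject_token(token, now, allow_expired=False,
                           window=ALLOW_EXPIRED_WINDOW):
    """Model of validating an X-Subject-Token against keystone, mirroring
    HEAD/GET /v3/auth/token?allow_expired: expiry is only relaxed when the
    caller asks for it, and only inside the window. Returns (accepted, reason).
    """
    if token["expires_at"] > now:
        return True, "valid"
    if not allow_expired:
        return False, "expired"
    if now - token["expires_at"] > window:
        return False, "expired beyond allow_expired_window"
    return True, "expired but within allow_expired_window"


def service_token_is_valid(service_token, now):
    """The X-Service-Token itself gets no leeway: it must be unexpired."""
    return service_token is not None and service_token["expires_at"] > now


def auth_token_middleware(headers, now):
    """Model of keystonemiddleware.auth_token's decision for one request: an
    expired X-Auth-Token is re-validated with allow_expired only when a valid
    X-Service-Token accompanies it; alone it is rejected as before the feature.
    """
    user_token = headers.get("X-Auth-Token")
    if user_token is None:
        return False, "missing X-Auth-Token"
    accepted, reason = validate_subject_token(user_token, now)
    if accepted:
        return True, reason
    if not service_token_is_valid(headers.get("X-Service-Token"), now):
        return False, "expired X-Auth-Token without valid X-Service-Token"
    return validate_subject_token(user_token, now, allow_expired=True)


if __name__ == "__main__":
    NOW = 1491825600  # constructed "current time"
    user = {"id": "user-token", "expires_at": NOW - 3600}    # expired 1h ago
    svc = {"id": "service-token", "expires_at": NOW + 3600}  # still valid
    print(auth_token_middleware({"X-Auth-Token": user}, NOW))
    print(auth_token_middleware({"X-Auth-Token": user, "X-Service-Token": svc}, NOW))
```

The same expired user token is rejected on its own and accepted only once a valid service token is present, and a token expired for longer than the window is rejected either way.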


Re: [openstack-dev] [Keystone][Token expiration]

2017-04-03 Thread lương hữu tuấn
Hi Dolph,

Thanks for the reply. It means that, from the DB point of view, the token is
expired, but it is still passed to other service users in the request (token
stored in memory?), and keystone allows this expired token? And to make this
feature work, we should apply the "X-Service-Token" header and change
"allow_expired" in keystone.conf.

Br,

Tuan/Nokia



Re: [openstack-dev] [Keystone][Token expiration]

2017-04-03 Thread Dolph Mathews
> does it mean that the token now will live forever

No; it behaves as described in the document you linked. If you have any
specific security concerns, please raise them appropriately (such as a
security bug, if necessary).

-- 
-Dolph


[openstack-dev] [Keystone][Token expiration]

2017-04-03 Thread lương hữu tuấn
Hi keystone folks,

I have had a chance to take a look at the patch below for allowing expired
tokens, which was merged in Ocata:

https://specs.openstack.org/openstack/keystone-specs/specs/keystone/ocata/allow-expired.html

In our project, we also have a problem with token expiration when running a
Mistral workflow. I have a concern: if this patch works as it does, does it
mean that the token will now live forever? ("Forever" seems sloppy, but it
seems like the token no longer expires.) In this case, it seems not good for
security purposes.

Br,

Tuan/Nokia