Excerpts from Lance Bragstad's message of 2017-02-25 13:07:58 -0600:
> Since both token formats rebuild the authorization context at validation
> time, we can remove some revocation events that are no longer needed. This
> means we won't be storing as many revocation events on role removal from
> domains and projects. Instead we will only rely on the revocation API to
> invalidate tokens for cases like specific token revocation or password
> changes (the new design of validation does role assignment enforcement for
> us automatically). This should reduce the amount of data being replicated
> due to massive amounts of revocation events.
> 

I didn't know that the work to make role removal non-event based was
even started, much less done. Cool.

> We do still have some more work to do on this front, but I can dig into it
> and see what's left.
> 

Indeed, the fewer revocation events, the better the Fernet story is
for scalability.

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
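
An added illustration, not part of the original messages and not Keystone's code: a simplified Python model of the design described in the quoted message, where the token carries no role list and validation rebuilds the roles from current assignments, so role removal stores no revocation event while a password change or a specific token revocation still does. All class, field and method names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass, field

class TokenInvalid(Exception):
    pass

@dataclass(frozen=True)
class Token:
    # Constructed, simplified payload: identifiers only, no role list.
    audit_id: str
    user_id: str
    project_id: str
    issued_at: int

@dataclass
class IdentityService:
    assignments: set = field(default_factory=set)        # (user, project, role)
    revocation_events: list = field(default_factory=list)
    clock: int = 0                                       # logical time, constructed

    def issue(self, user_id, project_id):
        self.clock += 1
        return Token(f"audit-{self.clock}", user_id, project_id, self.clock)

    def remove_role(self, user_id, project_id, role):
        # No revocation event is stored: validation sees the change directly.
        self.assignments.discard((user_id, project_id, role))

    def change_password(self, user_id):
        # Assignments are unchanged, so only an event can invalidate old tokens.
        self.clock += 1
        self.revocation_events.append({"user_id": user_id, "issued_before": self.clock})

    def revoke_token(self, token):
        self.revocation_events.append({"audit_id": token.audit_id})

    def validate(self, token):
        for ev in self.revocation_events:
            if ev.get("audit_id") == token.audit_id:
                raise TokenInvalid("token revoked")
            if ev.get("user_id") == token.user_id and token.issued_at < ev["issued_before"]:
                raise TokenInvalid("revoked by password change")
        # Authorization context is rebuilt at validation time.
        roles = sorted(r for (u, p, r) in self.assignments
                       if (u, p) == (token.user_id, token.project_id))
        if not roles:
            raise TokenInvalid("no role assignment on project")
        return roles
```

In this model the revocation list grows only with password changes and explicit token revocations, never with role removals.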
