Hi Dolph, Thanks for reply, it means that from the db point of view, token is expired but it is still passed to other service users in request (token stored in memory?) and keystone allows this expired token? And to make this feature working, we should apply the header of "X-Service-Token" and change of "allow_expired" in keystone.conf.
Br, Tuan/Nokia On Mon, Apr 3, 2017 at 2:36 PM, Dolph Mathews <[email protected]> wrote: > > does it mean that the token now will live forever > > No; it behaves as described in the document you linked. If you have any > specific security concerns, please raise them appropriately (such as a > security bug, if necessary). > > On Mon, Apr 3, 2017 at 5:27 AM lương hữu tuấn <[email protected]> > wrote: > >> Hi keystone folks, >> >> I have had a chance to take a look to this below patch for allowing the >> expired token and it was merged in Octaka: >> >> https://specs.openstack.org/openstack/keystone-specs/ >> specs/keystone/ocata/allow-expired.html >> >> In our project, we also have problem with token expiration when running >> mistral workflow. I have a concern that if this patch works as it does, >> does it mean that the token now will live forever ("forever" seems so >> sloppy, but it seems like the token is no longer expired). In this case, it >> seems not good for security purpose. >> >> Br, >> >> Tuan/Nokia >> ____________________________________________________________ >> ______________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: [email protected]?subject: >> unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > -- > -Dolph > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: [email protected]?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
