​Dear all,
have you some good news about the problem related to
​the "
Keystone PKI token too much long​" for Barbican?

Thank you,
Giuseppe



2014-01-31 14:27 GMT+01:00 Ferreira, Rafael <r...@io.com>:

>  By the way, you can achieve the same benefits of uuid tokens (shorter
> tokens) with PKI by simply using a md5 hash of the PKI token for your
> X-Auth headers. This is poorly documented but it seems to work just fine.
>
>   From: Adam Young <ayo...@redhat.com>
> Date: Tuesday, January 28, 2014 at 1:41 PM
> To: "openst...@lists.openstack.org" <openst...@lists.openstack.org>
> Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long
>
>   On 01/22/2014 12:21 PM, John Wood wrote:
>
>  (Adding another member of our team Douglas)
>
>  Hello Giuseppe,
>
>  For questions about news or patches for Keystone's PKI vs UUID modes,
> you might reach out to the openstack-dev@lists.openstack.org mailing
> list, with the subject line prefixed with [openstack-dev] [keystone]
>
>  Our observation has been that the PKI mode can generate large text
> blocks for tokens (esp. for large service catalogs) that cause http header
> errors.
>
>  Regarding the specific barbican scripts you are running, we haven't run
> those in a while, so I'll investigate as we might need to update them.
> Please email back your /etc/barbican/barbican-api-paste.ini paste config
> file when you have a chance as well.
>
>  Thanks,
> John
>
>
>  ------------------------------
> *From:* Giuseppe Galeota [giuseppegale...@gmail.com]
> *Sent:* Wednesday, January 22, 2014 7:36 AM
> *To:* openst...@lists.openstack.org
> *Cc:* John Wood
> *Subject:* [Openstack] [Barbican]
> ​​
> Keystone PKI token too much long
>
>  Dear all,
> I have configured Keystone for Barbican using this guide
> <https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
>
>  Is there any news or patch about the need to use a shorter token? I
> would not use a modified token.
>
> Its a known problem.  You can request a token without the service catalog
> using an extension.
>
> One possible future enhancement is to compress the key.
>
>
>
>  Following you can find an extract of the linked guide:
>
>    - (Optional) Typical keystone setup creates PKI tokens that are long,
>    do not fit easily into curl requests without splitting into components. For
>    testing purposes suggest updating the keystone database with a shorter
>    token-id. (An alternative is to set up keystone to generate uuid tokens.)
>    From the above output grad the token expiry value, referred to as "x-y-z"
>
>  mysql -u rootuse keystone;update token set id="foo" where expires="x-y-z" ;
>
>
>  Thank you,
> Giuseppe
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openst...@lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
>  The communication contained in this e-mail is confidential and is
> intended only for the named recipient(s) and may contain information that
> is privileged, proprietary, attorney work product or exempt from disclosure
> under applicable law. If you have received this message in error, or are
> not the named recipient(s), please note that any form of distribution,
> copying or use of this communication or the information in it is strictly
> prohibited and may be unlawful. Please immediately notify the sender of the
> error, and delete this communication including any attached files from your
> system. Thank you for your cooperation.
>
> _______________________________________________
> Mailing list:
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openst...@lists.openstack.org
> Unsubscribe :
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>
>
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to