On 09/30/2014 10:44 AM, Adam Young wrote:
What is keeping us from dropping the (scoped) token duration to 5 minutes?
If we could keep their lifetime as short as network skew lets us, we
would be able to:
Get rid of revocation checking.
Get rid of persisted tokens.
OK, so that assumes we can move back to PKI tokens, but we're working
on that.
What are the uses that require long lived tokens? Can they be replaced
with a better mechanism for long term delegation (OAuth or Keystone
trusts) as Heat has done?
I think you will find that most folks just don't know the intracacies of
non-UUID tokens in Keystone. I think we'd be open to any options that
are reliable, well-documented and don't produce 4K in each HTTP request.
Best,
-jay
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
