Short term answers:

The amount of infrastructure we would have to build to replicate CRON is not worth it.

Figuring out a CRON strategy for nontrivial deployment is part of a larger data management scheme.

Long term answers:

Tokens should not be persisted. We have been working toward ephemeral tokens for a long time, but the vision of how to get there is not uniformly shared among the team. We spent a lot of time arguing about AE tokens, which looked promising, but do not support federation.

Where we are headed is a split of the data in the token into an ephemeral portion and a persisted portion. The persisted portion would be reused, and would represent the delegation of authority. The ephemeral portion will represent the time aspects of the token: when issued, when expired, etc. The ephemeral portion would refer to the persisted portion.

The revocation events code is necessary for PKI tokens, and might be required depending on how we do the ephemeral/persisted split. With AE tokens it would have been necessary, but with a unified delegation mechanism, it would be less so.

If anyone feels the need for ephemeral tokens strongly enough to contribute, please let me know. We've put a lot of design into where we are today, and I would encourage you to learn the issues before jumping in to the solutions. I'm more than willing to guide any new development along these lines.

OpenStack Development Mailing List (not for usage questions)
