On 01/22/2014 12:21 PM, John Wood wrote:
(Adding another member of our team Douglas)
Hello Giuseppe,
For questions about news or patches for Keystone's PKI vs UUID modes,
you might reach out to the [email protected] mailing
list, with the subject line prefixed with [openstack-dev] [keystone]
Our observation has been that the PKI mode can generate large text
blocks for tokens (esp. for large service catalogs) that cause http
header errors.
Regarding the specific barbican scripts you are running, we haven't
run those in a while, so I'll investigate as we might need to update
them. Please email back your /etc/barbican/barbican-api-paste.ini
paste config file when you have a chance as well.
Thanks,
John
------------------------------------------------------------------------
*From:* Giuseppe Galeota [[email protected]]
*Sent:* Wednesday, January 22, 2014 7:36 AM
*To:* [email protected]
*Cc:* John Wood
*Subject:* [Openstack] [Barbican] Keystone PKI token too much long
Dear all,
I have configured Keystone for Barbican using this guide
<https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
Is there any news or patch about the need to use a shorter token? I
would not use a modified token.
It's a known problem. You can request a token without the service
catalog using an extension.
One possible future enhancement is to compress the key.
Following you can find an extract of the linked guide:
* (Optional) Typical keystone setup creates PKI tokens that are
long, do not fit easily into curl requests without splitting into
components. For testing purposes suggest updating the keystone
database with a shorter token-id. (An alternative is to set up
keystone to generate uuid tokens.) From the above output grab the
token expiry value, referred to as "x-y-z"
mysql -u root
use keystone;
update token set id="foo" where expires="x-y-z" ;
Thank you,
Giuseppe
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : [email protected]
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack