On 01/31/2014 08:40 AM, Remo Mattei wrote:
Hi Rafael
Do you have the info on how that has been implemented?
It falls back to a Keystone server lookup to validate the tokens. I
would not recommend doing that.
Thanks
Remo
Sent from iPhone
On Jan 31, 2014, at 8:27, "Ferreira, Rafael" <[email protected]> wrote:
By the way, you can achieve the same benefits of uuid tokens (shorter
tokens) with PKI by simply using a md5 hash of the PKI token for your
X-Auth headers. This is poorly documented but it seems to work just
fine.
From: Adam Young <[email protected]>
Date: Tuesday, January 28, 2014 at 1:41 PM
To: "[email protected]" <[email protected]>
Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long
On 01/22/2014 12:21 PM, John Wood wrote:
(Adding another member of our team Douglas)
Hello Giuseppe,
For questions about news or patches for Keystone's PKI vs UUID
modes, you might reach out to the [email protected]
mailing list, with the subject line prefixed with [openstack-dev]
[keystone]
Our observation has been that the PKI mode can generate large text
blocks for tokens (esp. for large service catalogs) that cause http
header errors.
Regarding the specific barbican scripts you are running, we haven't
run those in a while, so I'll investigate as we might need to update
them. Please email back your /etc/barbican/barbican-api-paste.ini
paste config file when you have a chance as well.
Thanks,
John
------------------------------------------------------------------------
*From:* Giuseppe Galeota [[email protected]]
*Sent:* Wednesday, January 22, 2014 7:36 AM
*To:* [email protected]
*Cc:* John Wood
*Subject:* [Openstack] [Barbican] Keystone PKI token too much long
Dear all,
I have configured Keystone for Barbican using this guide
<https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.
Is there any news or patch about the need to use a shorter token? I
would not use a modified token.
It's a known problem. You can request a token without the service
catalog using an extension.
One possible future enhancement is to compress the key.
Following you can find an extract of the linked guide:
* (Optional) Typical keystone setup creates PKI tokens that are
long, do not fit easily into curl requests without splitting
into components. For testing purposes suggest updating the
keystone database with a shorter token-id. (An alternative is to
set up keystone to generate uuid tokens.) From the above output
grab the token expiry value, referred to as "x-y-z"

    mysql -u root
    use keystone;
    update token set id="foo" where expires="x-y-z" ;
Thank you,
Giuseppe
_______________________________________________
Mailing list:http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to :[email protected]
Unsubscribe :http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
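
The trade-off discussed in the thread (long PKI token versus its MD5 hash in the X-Auth header), as an added example that is not part of the original messages or of Keystone's code. The token is a constructed stand-in with no real CMS signature; the 8192-byte header limit and the "MII" prefix check are assumptions made for illustration.

```python
import base64
import hashlib
import json

PKI_ASN1_PREFIX = "MII"  # base64 of a DER SEQUENCE header starts this way
HEADER_LIMIT = 8192      # assumed per-header limit; servers and proxies vary


def build_fake_pki_token(n_endpoints):
    """Constructed stand-in for a PKI token: DER-like framing around a JSON
    body whose size is driven by the service catalog. Not a signed token."""
    catalog = [
        {"type": f"svc{i}",
         "endpoints": [{"publicURL": f"http://example.invalid:{9000 + i}/v1"}]}
        for i in range(n_endpoints)
    ]
    body = json.dumps({"access": {"serviceCatalog": catalog}}).encode()
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return base64.b64encode(der).decode()


def short_token_id(pki_token):
    """MD5 hex digest of the token text: the short form from the thread."""
    return hashlib.md5(pki_token.encode()).hexdigest()


def validation_path(x_auth_token):
    """Which check a validating service can make for this header value."""
    if x_auth_token.startswith(PKI_ASN1_PREFIX):
        return "offline"  # signed blob present: can be verified locally
    return "online"       # opaque id: only the Keystone server can resolve it


def compare(n_endpoints):
    token = build_fake_pki_token(n_endpoints)
    short = short_token_id(token)
    return {
        "pki_len": len(token),
        "pki_fits": len(token) <= HEADER_LIMIT,
        "pki_path": validation_path(token),
        "md5_len": len(short),
        "md5_path": validation_path(short),
    }


if __name__ == "__main__":
    for n in (5, 100):  # small and large service catalogs
        print(n, compare(n))
```

The hashed form always fits in a header, but it carries no signature, so every request using it costs a round trip to Keystone.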