Adam - can you comment if the status of ephemeral tokens. All commits for https://blueprints.launchpad.net/keystone/+spec/ephemeral-pki-tokens have been abandoned.
Thanks Subbu On Wed, Feb 19, 2014 at 8:50 PM, Adam Young <[email protected]> wrote: > On 02/19/2014 07:00 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis) > wrote: > >> Hello, >> >> I read the following and want to register a disagreement: >> >> "With token revocation events in place, we no longer have a need to store >> a token revocation list. The token revocation list is the primary reason >> why keystone bothers to persist PKI tokens, so without it, PKI tokens can >> become completely ephemeral." >> >> One idea behind PKI tokens is to enable services to parse the token to >> retrieve role/project/domain data for a particular user without having to >> validate the token with Keystone each and every time. In order to make sure >> that the token has not been revoked, services need to check the expiration >> date and "check the token revocation list" to make sure that the token is >> still valid. That said, how will non-OpenStack services obtain token >> revocation information if the revocation list is removed? >> > > Going to be replcaed with an API for listing revocation events. > > https://github.com/openstack/identity-api/blob/master/ > openstack-identity-api/v3/src/markdown/identity-api-v3-os-revoke-ext.md > > > I thought maybe the new "Callbacks on internal events" might be something >> external services could use like listening in onto a Keystone message >> queue, but it apparently only applies to extensions. >> > > Actually, it is just the opposite: internal events are callbacks that are > not shipped outside of Keystone, but rather from one infrastructure piece > to another. In this case, things that can trigger revoaction events, like > disable a domain. This event is published externally as an update event, > but the focused disable is internal only. > > > >> This is one time I will be glad to be wrong. >> >> Regards, >> >> Mark >> >> _______________________________________________ >> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/ >> openstack >> Post to : [email protected] >> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/ >> openstack >> > > > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/ > openstack > Post to : [email protected] > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/ > openstack >
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : [email protected] Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
