Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-09 Thread Matt Fischer
> Date: Tuesday 8 March 2016 at 20:35
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-09 Thread Adam Young
On 03/09/2016 01:44 AM, Matt Fischer wrote:
> I don't think your example is right: "PKI will validate that token without going to any keystone server". How would it track revoked tokens? I'm pretty sure that they still get validated, they are stored in the DB

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-09 Thread Adam Young
Date: Tuesday 8 March 2016 at 20:35
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [keystone] Using multiple token formats in a one opensta

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Matt Fischer
> I don't think your example is right: "PKI will validate that token without going to any keystone server". How would it track revoked tokens? I'm pretty sure that they still get validated, they are stored in the DB even.
>
> I also disagree that there are different use cases. Just

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Tim Bell
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

I don't think your example is ri

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Matt Fischer
I don't think your example is right: "PKI will validate that token without going to any keystone server". How would it track revoked tokens? I'm pretty sure that they still get validated, they are stored in the DB even. I also disagree that there are different use cases. Just switch to fernet and

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Lance Bragstad
On Tue, Mar 8, 2016 at 10:58 AM, Adam Young wrote:
> On 03/08/2016 11:06 AM, Matt Fischer wrote:
> > This would be complicated to set up. How would the OpenStack services validate the token? Which keystone node would they use? A better question is why would you want to do

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Morgan Fainberg
This type of configuration is not supported as Matt highlighted. What problem are you trying to solve with having the multiple token formats? Before we discuss if it would be a good idea, we need to know what problem you are solving.

On Tue, Mar 8, 2016 at 8:06 AM, Matt Fischer

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Adam Young
On 03/08/2016 11:06 AM, Matt Fischer wrote:
> This would be complicated to set up. How would the OpenStack services validate the token? Which keystone node would they use? A better question is why would you want to do this?
>
> On Tue, Mar 8, 2016 at 8:45 AM, rezroo

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread rezroo
The basic idea is to let the openstack clients decide what sort of token optimization to use - for example, while a normal client uses uuid tokens, some services like heat or magnum may opt for pki tokens for their operations. A service like nova, configured for PKI will validate that token

Re: [openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread Matt Fischer
This would be complicated to set up. How would the OpenStack services validate the token? Which keystone node would they use? A better question is why would you want to do this?

On Tue, Mar 8, 2016 at 8:45 AM, rezroo wrote:
> Keystone supports both tokens and ec2

[openstack-dev] [keystone] Using multiple token formats in a one openstack cloud

2016-03-08 Thread rezroo
Keystone supports both tokens and ec2 credentials simultaneously, but as far as I can tell, will only do a single token format (uuid, pki/z, fernet) at a time. Is it possible or advisable to configure keystone to issue multiple token formats? For example, I could configure two keystone