Re: [openstack-dev] 2 Minute tokens

2014-10-14 Thread Adam Young
On 10/13/2014 06:21 PM, Preston L. Bannister wrote: Too-short token expiration times are one of my concerns, in my current exercise. Working on a replacement for Nova backup. Basically creating backup jobs, writing the jobs into a queue, with a background worker that reads jobs from the

Re: [openstack-dev] 2 Minute tokens

2014-10-13 Thread Preston L. Bannister
Too-short token expiration times are one of my concerns, in my current exercise. Working on a replacement for Nova backup. Basically creating backup jobs, writing the jobs into a queue, with a background worker that reads jobs from the queue. Tokens could expire while the jobs are in the queue

Re: [openstack-dev] 2 Minute tokens

2014-10-01 Thread Chmouel Boudjnah
On Wed, Oct 1, 2014 at 3:47 AM, Adam Young ayo...@redhat.com wrote: 1. Identify the roles for the APIs that Cinder is going to be calling on swift based on Swift's policy.json FYI: there is no Swift's policy.json in mainline code, there is one external middleware available that provides it

Re: [openstack-dev] 2 Minute tokens

2014-10-01 Thread Steven Hardy
On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What is keeping us from dropping the (scoped) token duration to 5 minutes? If we could keep their lifetime as short as network skew lets us, we would be able to: Get rid of revocation checking. Get rid of persisted tokens.

Re: [openstack-dev] 2 Minute tokens

2014-10-01 Thread Adam Young
On 10/01/2014 04:14 AM, Steven Hardy wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What is keeping us from dropping the (scoped) token duration to 5 minutes? If we could keep their lifetime as short as network skew lets us, we would be able to: Get rid of revocation

[openstack-dev] 2 Minute tokens

2014-09-30 Thread Adam Young
What is keeping us from dropping the (scoped) token duration to 5 minutes? If we could keep their lifetime as short as network skew lets us, we would be able to: Get rid of revocation checking. Get rid of persisted tokens. OK, so that assumes we can move back to PKI tokens, but we're

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Louis Taylor
On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What are the uses that require long lived tokens? Glance has operations which can take a long time, such as uploading and downloading large images.

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Jay Pipes
On 09/30/2014 10:44 AM, Adam Young wrote: What is keeping us from dropping the (scoped) token duration to 5 minutes? If we could keep their lifetime as short as network skew lets us, we would be able to: Get rid of revocation checking. Get rid of persisted tokens. OK, so that assumes we can

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Jay Pipes
On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What are the uses that require long lived tokens? Glance has operations which can take a long time, such as uploading and downloading large images.

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Sean Dague
On 09/30/2014 11:58 AM, Jay Pipes wrote: On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What are the uses that require long lived tokens? Glance has operations which can take a long time, such

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Adam Young
On 09/30/2014 12:21 PM, Sean Dague wrote: On 09/30/2014 11:58 AM, Jay Pipes wrote: On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What are the uses that require long lived tokens? Glance has

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Matthew Treinish
On Tue, Sep 30, 2014 at 04:23:37PM -0400, Adam Young wrote: On 09/30/2014 12:21 PM, Sean Dague wrote: On 09/30/2014 11:58 AM, Jay Pipes wrote: On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote:

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Adam Young
On 09/30/2014 12:21 PM, Sean Dague wrote: On 09/30/2014 11:58 AM, Jay Pipes wrote: On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What are the uses that require long lived tokens? Glance has

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Andrew Laski
On 09/30/2014 05:33 PM, Adam Young wrote: On 09/30/2014 12:21 PM, Sean Dague wrote: On 09/30/2014 11:58 AM, Jay Pipes wrote: On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young wrote: What are the uses

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Duncan Thomas
On Oct 1, 2014 12:37 AM, Adam Young ayo...@redhat.com wrote: On 09/30/2014 12:21 PM, Sean Dague wrote: On 09/30/2014 11:58 AM, Jay Pipes wrote: On 09/30/2014 11:37 AM, Adam Young wrote: On 09/30/2014 11:06 AM, Louis Taylor wrote: On Tue, Sep 30, 2014 at 10:44:51AM -0400, Adam Young

Re: [openstack-dev] 2 Minute tokens

2014-09-30 Thread Adam Young
This is comparable to the HEAT use case that Keystone Trusts were originally designed to solve. If the glance client knows the roles required to perform those operations, it could create the trust up front, with the Glance Service user as the trustee; the trustee executes the trust when it