Re: [openstack-dev] [keystone] Two BPs for managing the tokens

2013-08-23 Thread Miller, Mark M (EB SW Cloud - RD - Corvallis)
Hello,

I would think you would want to reuse the same token but update the expiration 
time as if it were the first time the token had been generated.

Mark

From: Yongsheng Gong [mailto:gong...@unitedstack.com]
Sent: Friday, August 23, 2013 12:40 AM
To: OpenStack Development Mailing List
Subject: [openstack-dev] [keystone] Two BPs for managing the tokens

Hi,
Talked with Henry Nash and Jamie Lennox on IRC, I have created two BPs to 
manage the keystone tokens:
1.  https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token
    which is used to delete expired token
2.  https://blueprints.launchpad.net/keystone/+spec/reuse-token
    which will re-use valid token

These two BPs will help us to reduce the token records in token table 
enormously.

I have put some ideas on the BP description.

Any comments are welcome.


Regards,
Yong Sheng Gong
___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [keystone] Two BPs for managing the tokens

2013-08-23 Thread Dolph Mathews
On Fri, Aug 23, 2013 at 10:51 AM, Miller, Mark M (EB SW Cloud - RD -
Corvallis) mark.m.mil...@hp.com wrote:

> Hello,
>
> I would think you would want to reuse the same token but update the
> expiration time as if it were the first time the token had been generated.


That wouldn't work for PKI tokens, as the resulting signature would have to
change.


 


-- 

-Dolph


Re: [openstack-dev] [keystone] Two BPs for managing the tokens

2013-08-23 Thread Joe Gordon

What about Adam Young's vision for keystone, which I like,
http://adam.younglogic.com/2013/07/a-vision-for-keystone/
These two blueprints don't appear to be in line with it.

Also, instead of making keystone reuse tokens why not make the token reuse
in the clients better (keyring based).  Last I checked it was disabled and
broken in nova (there was a patch to fix it, but keep it disabled)







Re: [openstack-dev] [keystone] Two BPs for managing the tokens

2013-08-23 Thread Adam Young

On 08/23/2013 12:43 PM, Joe Gordon wrote:



> Talked with Henry Nash and Jamie Lennox on IRC, I have created two
> BPs to manage the keystone tokens:
>
> 1. https://blueprints.launchpad.net/keystone/+spec/periodically-flush-expired-token




Not sure that this is worth writing or maintaining.  The system services 
for Cron are much more robust, and we don't have to maintain them.


I do have this review for your consideration, though:

https://review.openstack.org/#/c/43510/

In conjunction with the caching layer, it might be the right approach:  
flush the old tokens upon revocation list regeneration.







Re: [openstack-dev] [keystone] Two BPs for managing the tokens

2013-08-23 Thread Yongsheng Gong
Hi Adam,
Can you explain more about 'In conjunction with the caching layer, it might
be the right approach:  flush the old tokens upon revocation list
regeneration.'?

When is the list_revoked_tokens called?

Thanks




Re: [openstack-dev] [keystone] Two BPs for managing the tokens

2013-08-23 Thread Dolph Mathews
On Fri, Aug 23, 2013 at 7:48 PM, Yongsheng Gong gong...@unitedstack.com wrote:

> Hi adam,
> Can u explain more about 'In conjunction with the caching layer, it might
> be the right approach:  flush the old tokens upon revocation list
> regeneration.'?
>
> when is the list_revoked_tokens called?


In a PKI-token based deployment, auth_token periodically fetches a list of
revoked tokens so that it knows which tokens to deny, even though they are
otherwise valid.



-- 

-Dolph
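
Added example, not part of the thread or of Keystone's code: a toy self-contained signed token illustrating the two points made in the replies above, that changing the expiration of a signed token invalidates its signature, and that a validator working offline needs a periodically fetched revocation list to reject tokens that are otherwise valid. HMAC-SHA256 stands in for the CMS signature of real PKI tokens (where the validator would hold only the public certificate), and the key, token layout and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json

# Constructed key; stands in for the signing key behind Keystone's certificate.
SIGNING_KEY = b"constructed-demo-key"


def issue_token(user, expires_at):
    """Return a self-contained token: JSON body plus a signature over it."""
    body = json.dumps({"user": user, "expires_at": expires_at}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def token_id(token):
    """Short identifier listed in the revocation list (a hash of the token)."""
    return hashlib.sha256(token.encode()).hexdigest()


def validate(token, now, revoked_ids):
    """Offline validation, as a service-side middleware would perform it."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "bad-signature"
    if json.loads(body)["expires_at"] <= now:
        return "expired"
    # The signature and expiry are fine, so only the fetched list can deny it.
    if token_id(token) in revoked_ids:
        return "revoked"
    return "ok"


def extend_expiry_in_place(token, new_expires_at):
    """'Reuse the token but bump the expiration': edit body, keep signature."""
    body, _, sig = token.rpartition(".")
    claims = json.loads(body)
    claims["expires_at"] = new_expires_at
    return json.dumps(claims, sort_keys=True) + "." + sig
```

Extending the lifetime therefore means issuing a new token with a new signature, and the old one stays valid until it expires or its identifier appears in the revocation list.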