Reviewed: https://review.openstack.org/631110 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f471879b82d08316846e7e4a0ff75c4b3b90dabf Submitter: Zuul Branch: master
commit f471879b82d08316846e7e4a0ff75c4b3b90dabf Author: Kristi Nikolla <[email protected]> Date: Tue Jan 15 20:47:38 2019 -0500 Add documentation for service tokens Updated documentation to include explanation and configuration settings for service tokens. Change-Id: I8a518614302e17be6dfc8d88dee5efe27a89edb0 Closes-Bug: #1779889 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1779889 Title: Lack of documentation for validating expired tokens with service users Status in OpenStack Identity (keystone): Fix Released Bug description: Keystone supports the ability for service users to validate expired user tokens. This solved an issue where a user would initiate a long- running operation (e.g. live migration, instance back-ups, uploading large images to glance), and by the time the operation finished the user's token would be invalid, causing the operation to fail. The solution to this problem is to use service users and configure them in such a way that they have the ability to validate expired user tokens. This keeps enforcement of the user's authorization valid when they start the operation but allows the operation to finish in the event it takes longer than the configured token expiration time. We don't supply any documentation for this process or setting it up outside of the original specification [0]. If deployers want to use it, they have to dig through code to figure out how it work. The lack of documentation was brought to our attention in IRC [1]. [0] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html [1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-07-03.log.html#t2018-07-03T14:43:49 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1779889/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
