Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Please note: This schedule is for OpenStack Active Technical Contributors participating in the Icehouse Design Summit sessions in Hong Kong. These are working sessions to determine the roadmap of the Icehouse release and make decisions across the project. To see the full OpenStack Summit schedule, including presentations, panels and workshops, go to http://openstacksummitnovember2013.sched.org.
View analytic
Friday, November 8 • 1:30pm - 2:10pm
Token revocation

Sign up or log in to save this to your schedule and see who's attending!

https://etherpad.openstack.org/p/icehouse-token-revocation

A token may not be expired yet, but the authorization it presents may no longer be valid.

As a result, keystoneclient.middleware.auth_token constantly needs to ask "Is this token valid?" We've taken a couple different approaches to answering this question in the past, including:

- UUID tokens + online token validation
- PKI tokens + periodically fetching a list of revoked tokens

Both existing solutions require keystone to track issued tokens so that it can later know which to consider as "revoked," and both solutions result in an undesirable amount of network traffic and activity against the token backend.

I'd like to select and pursue a better approach (if any) to avoid the pitfalls described above. Proposed solutions include:

https://blueprints.launchpad.net/keystone/+spec/clock-for-revoke-tokens
https://blueprints.launchpad.net/keystone/+spec/revocation-events

(Session proposed by Dolph Mathews)


Friday November 8, 2013 1:30pm - 2:10pm
AWE Level 2, Room 201B

Attendees (34)