Re: [openstack-dev] FW: [Keystone][Folsom] Token re-use

Tue, 18 Jun 2013 18:44:15 -0700 

On 06/18/2013 09:13 PM, Kant, Arun wrote:



The issue with having un-managed number of tokens for same credential 
is that it can be easily exploited. Getting a token is one of initial 
step (gateway) to get access to services. A rogue client can keep 
creating unlimited number of tokens and possibly create denial of 
service attack on services. If there are somewhat limited number of 
tokens, then cloud provider can possibly use tokenId based 
rate-limiting approach.



Better here to rate limit, then.



Extending the expiry to some fixed interval might be okay as that can 
be considered as continuing user session similar to what is seen when 
a user keeps browsing an application while logged in.



Tokens are resources created by Keystone.  No reason to ask to create 
something new if it is not needed.



The caching needs to be done client side.  We have ongoing work using 
python-keyring to support that.



-Arun

*From: *Adam Young <[email protected] <mailto:[email protected]>>

*Reply-To: *OpenStack Development Mailing List 
<[email protected] 
<mailto:[email protected]>>

*Date: *Friday, June 14, 2013 3:33 PM

*To: *"[email protected] 
<mailto:[email protected]>" 
<[email protected] 
<mailto:[email protected]>>

*Subject: *Re: [openstack-dev] [Keystone][Folsom] Token re-use

On 06/13/2013 07:58 PM, Ravi Chunduru wrote:

    Hi,

    We are having Folsom setup and we find that our token table
    increases a lot. I understand client can re-use the token but why
    doesnt keystone reuse the token if client asks it with same
    credentials..

    I would like to know if there is any reason for not doing so.

    Thanks in advance,


    -- 
    Ravi





    _______________________________________________

    OpenStack-dev mailing list

    [email protected]  
<mailto:[email protected]>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


You can cache the token on the client side and reuse. Tokens have a an 
expiry, so if you request a new token, you extend the expiry.




_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev






















					Reply via email to