Looks good, Adam... I have a couple comments/questions:

1) We probably want to maintain backward-compatibility with the old token auth. So, PKI can be turned on or off, maybe via a middleware filter that sits in front of the old token auth (instead of a cache for example which does not make sense for PKI anymore). While PKI comes with benefits, not everyone may want to deal with certificates, etc... 2-way SSL is configurable for this very same reason.

2) I don't know if you have looked at pyopenssl yet? Maybe a better alternative than spawning processes...

3) Is PKI v3 or v2? I assume v3, but just want to double-check. /v2.0 should be /v3.0 if that's the case.

Thanks,
Liem

________________________________________
From: openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net [openstack-bounces+liem_m_nguyen=hp....@lists.launchpad.net] on behalf of Adam Young [ayo...@redhat.com]
Sent: Friday, June 01, 2012 2:56 PM
To: openstack
Subject: [Openstack] Signed Tokens

The signed tokens work has been updated. I think this is the final architecture.

https://github.com/admiyo/keystone/commits/signed-tokens-5

Not all of the unit tests run. Some of the Memcache tests are suspect, and I wonder if we even need memcache support for tokens in the middleware. I think we don't.

Also, the Diablo tokens are not supported. I think we can safely deprecate them for Folsom.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp