Hi Rafael Do you have the info on how that has been implemented. Thanks Remo
Inviato da iPhone () > Il giorno Jan 31, 2014, alle ore 8:27, "Ferreira, Rafael" <r...@io.com> ha > scritto: > > By the way, you can achieve the same benefits of uuid tokens (shorter tokens) > with PKI by simply using a md5 hash of the PKI token for your X-Auth headers. > This is poorly documented but it seems to work just fine. > > From: Adam Young <ayo...@redhat.com> > Date: Tuesday, January 28, 2014 at 1:41 PM > To: "openstack@lists.openstack.org" <openstack@lists.openstack.org> > Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long > >> On 01/22/2014 12:21 PM, John Wood wrote: >> (Adding another member of our team Douglas) >> >> Hello Giuseppe, >> >> For questions about news or patches for Keystone's PKI vs UUID modes, you >> might reach out to the openstack-...@lists.openstack.org mailing list, with >> the subject line prefixed with [openstack-dev] [keystone] >> >> Our observation has been that the PKI mode can generate large text blocks >> for tokens (esp. for large service catalogs) that cause http header errors. >> >> Regarding the specific barbican scripts you are running, we haven't run >> those in a while, so I'll investigate as we might need to update them. >> Please email back your /etc/barbican/barbican-api-paste.ini paste config >> file when you have a chance as well. >> >> Thanks, >> John >> >> >> From: Giuseppe Galeota [giuseppegale...@gmail.com] >> Sent: Wednesday, January 22, 2014 7:36 AM >> To: openstack@lists.openstack.org >> Cc: John Wood >> Subject: [Openstack] [Barbican] Keystone PKI token too much long >> >> Dear all, >> I have configured Keystone for Barbican using this guide. >> >> Is there any news or patch about the need to use a shorter token? I would >> not use a modified token. > Its a known problem. You can request a token without the service catalog > using an extension. > > One possible future enhancement is to compress the key. > > >> >> Following you can find an extract of the linked guide: >> (Optional) Typical keystone setup creates PKI tokens that are long, do not >> fit easily into curl requests without splitting into components. For >> testing purposes suggest updating the keystone database with a shorter >> token-id. (An alternative is to set up keystone to generate uuid tokens.) >> From the above output grad the token expiry value, referred to as "x-y-z" >> mysql -u rootuse keystone;update token set id="foo" where expires="x-y-z" ; >> >> Thank you, >> Giuseppe >> >> >> _______________________________________________ >> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack >> Post to : openstack@lists.openstack.org >> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > The communication contained in this e-mail is confidential and is intended > only for the named recipient(s) and may contain information that is > privileged, proprietary, attorney work product or exempt from disclosure > under applicable law. If you have received this message in error, or are not > the named recipient(s), please note that any form of distribution, copying or > use of this communication or the information in it is strictly prohibited and > may be unlawful. Please immediately notify the sender of the error, and > delete this communication including any attached files from your system. > Thank you for your cooperation. !DSPAM:1,52eba57b226891577754402! > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > > !DSPAM:1,52eba57b226891577754402!
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
