Thanks Mark, I am aware of the bug, the info that Rafael was saying is that he has it working and I wonder how. Hopefully he can spark his infrastructure configuration and all of us can take a peak to that.
Ciao On Jan 31, 2014, at 11:24, Miller, Mark M (EB SW Cloud - R&D - Corvallis) <mark.m.mil...@hp.com> wrote: > Hello, > > We ran into a problem when using Apache2 and WSGi as the web front end for > Keystone. Keystone v2.0 returns the token in the response body but v3 returns > the token in the response header. Apache has an internal limit of 8190 bytes > for the response header which means that you will get an error when you > request a token with includes an endpoint catalog that has more than about 12 > endpoints in it. We had to turn the catalog off. > > Mark > > From: Remo Mattei [mailto:r...@italy1.com] > Sent: Friday, January 31, 2014 5:41 AM > To: Ferreira, Rafael > Cc: openstack@lists.openstack.org > Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long > > Hi Rafael > Do you have the info on how that has been implemented. > > Thanks > Remo > > Inviato da iPhone () > > Il giorno Jan 31, 2014, alle ore 8:27, "Ferreira, Rafael" <r...@io.com> ha > scritto: > > By the way, you can achieve the same benefits of uuid tokens (shorter tokens) > with PKI by simply using a md5 hash of the PKI token for your X-Auth headers. > This is poorly documented but it seems to work just fine. > > From: Adam Young <ayo...@redhat.com> > Date: Tuesday, January 28, 2014 at 1:41 PM > To: "openstack@lists.openstack.org" <openstack@lists.openstack.org> > Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long > > On 01/22/2014 12:21 PM, John Wood wrote: > (Adding another member of our team Douglas) > > Hello Giuseppe, > > For questions about news or patches for Keystone's PKI vs UUID modes, you > might reach out to theopenstack-...@lists.openstack.org mailing list, with > the subject line prefixed with [openstack-dev] [keystone] > > Our observation has been that the PKI mode can generate large text blocks for > tokens (esp. for large service catalogs) that cause http header errors. > > Regarding the specific barbican scripts you are running, we haven't run those > in a while, so I'll investigate as we might need to update them. Please email > back your /etc/barbican/barbican-api-paste.ini paste config file when you > have a chance as well. > > Thanks, > John > > > From: Giuseppe Galeota [giuseppegale...@gmail.com] > Sent: Wednesday, January 22, 2014 7:36 AM > To: openstack@lists.openstack.org > Cc: John Wood > Subject: [Openstack] [Barbican] Keystone PKI token too much long > > Dear all, > I have configured Keystone for Barbican using this guide. > > Is there any news or patch about the need to use a shorter token? I would not > use a modified token. > Its a known problem. You can request a token without the service catalog > using an extension. > > One possible future enhancement is to compress the key. > > > > > Following you can find an extract of the linked guide: > (Optional) Typical keystone setup creates PKI tokens that are long, do not > fit easily into curl requests without splitting into components. For testing > purposes suggest updating the keystone database with a shorter token-id. (An > alternative is to set up keystone to generate uuid tokens.) From the above > output grad the token expiry value, referred to as "x-y-z" > mysql -u rootuse keystone;update token set id="foo" where expires="x-y-z" ; > > Thank you, > Giuseppe > > > > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > The communication contained in this e-mail is confidential and is intended > only for the named recipient(s) and may contain information that is > privileged, proprietary, attorney work product or exempt from disclosure > under applicable law. If you have received this message in error, or are not > the named recipient(s), please note that any form of distribution, copying or > use of this communication or the information in it is strictly prohibited and > may be unlawful. Please immediately notify the sender of the error, and > delete this communication including any attached files from your system. > Thank you for your cooperation. > _______________________________________________ > Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > Post to : openstack@lists.openstack.org > Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack > > > !DSPAM:1,52eba57b226891577754402! > !DSPAM:1,52ebcfed22133708519044!
_______________________________________________ Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack Post to : openstack@lists.openstack.org Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
