Re: [Openstack] [Barbican] Keystone PKI token too much long

Mon, 03 Feb 2014 10:41:39 -0800 

On 01/31/2014 08:40 AM, Remo Mattei wrote:

Hi Rafael
Do you have the info on how that has been implemented.
It falls back to a Keystone server lookup to validate the tokens. I would not recommend doing that. 



Thanks
Remo

Inviato da iPhone ()


Il giorno Jan 31, 2014, alle ore 8:27, "Ferreira, Rafael" <r...@io.com 
<mailto:r...@io.com>> ha scritto:



By the way, you can achieve the same benefits of uuid tokens (shorter 
tokens) with PKI by simply using a md5 hash of the PKI token for your 
X-Auth headers. This is poorly documented but it seems to work just 
fine.


From: Adam Young <ayo...@redhat.com <mailto:ayo...@redhat.com>>
Date: Tuesday, January 28, 2014 at 1:41 PM

To: "openstack@lists.openstack.org 
<mailto:openstack@lists.openstack.org>" 
<openstack@lists.openstack.org <mailto:openstack@lists.openstack.org>>

Subject: Re: [Openstack] [Barbican] Keystone PKI token too much long

On 01/22/2014 12:21 PM, John Wood wrote:

(Adding another member of our team Douglas)

Hello Giuseppe,


For questions about news or patches for Keystone's PKI vs UUID 
modes, you might reach out to the openstack-...@lists.openstack.org 
mailing list, with the subject line prefixed with [openstack-dev] 
[keystone]



Our observation has been that the PKI mode can generate large text 
blocks for tokens (esp. for large service catalogs) that cause http 
header errors.



Regarding the specific barbican scripts you are running, we haven't 
run those in a while, so I'll investigate as we might need to update 
them. Please email back your /etc/barbican/barbican-api-paste.ini 
paste config file when you have a chance as well.


Thanks,
John


------------------------------------------------------------------------
*From:* Giuseppe Galeota [giuseppegale...@gmail.com]
*Sent:* Wednesday, January 22, 2014 7:36 AM
*To:* openstack@lists.openstack.org
*Cc:* John Wood
*Subject:* [Openstack] [Barbican] Keystone PKI token too much long

Dear all,

I have configured Keystone for Barbican using this guide 
<https://github.com/cloudkeep/barbican/wiki/Developer-Guide-for-Keystone>.



Is there any news or patch about the need to use a shorter token? I 
would not use a modified token.

Its a known problem.  You can request a token without the service 
catalog using an extension.


One possible future enhancement is to compress the key.




Following you can find an extract of the linked guide:

  * (Optional) Typical keystone setup creates PKI tokens that are
    long, do not fit easily into curl requests without splitting
    into components. For testing purposes suggest updating the
    keystone database with a shorter token-id. (An alternative is to
    set up keystone to generate uuid tokens.) From the above output
    grad the token expiry value, referred to as "x-y-z"

mysql  -u  rootuse  keystone;update  token  set  id="foo"  where  
expires="x-y-z"  ;

Thank you,
Giuseppe


_______________________________________________
Mailing list:http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     :openstack@lists.openstack.org
Unsubscribe :http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack



The communication contained in this e-mail is confidential and is 
intended only for the named recipient(s) and may contain information 
that is privileged, proprietary, attorney work product or exempt from 
disclosure under applicable law. If you have received this message in 
error, or are not the named recipient(s), please note that any form 
of distribution, copying or use of this communication or the 
information in it is strictly prohibited and may be unlawful. Please 
immediately notify the sender of the error, and delete this 
communication including any attached files from your system. Thank 
you for your cooperation. !DSPAM:1,52eba57b226891577754402!

_______________________________________________

Mailing list: 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org 
<mailto:openstack@lists.openstack.org>
Unsubscribe : 
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack



!DSPAM:1,52eba57b226891577754402!



_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

























					Reply via email to