On 05/21/2014 10:48 AM, Michael Hearn wrote:
Keystone gurus,
Can you help put me straight on expected Authentication behaviour when
using an LDAP identity backend.
In the scenario where a user is granted a token (keystone token-get)
should they not be able to make repeated API calls, e.g. glance
--os-auth-token xxxxxxx image-list, until the token expires?
I ask as using tcpdump I am seeing AuthN traffic between keystone
and LDAP each time I execute an API call - a call that includes an
unexpired token.
I was assuming that by using an unexpired token a user avoids having
to make an AuthN call. Is that not the case?
The glance CLI does not cache the token. There was code in the Keystone
client to cache the token in python-keyring. If glance is not honoring
the --os-auth-token value then it might be going back to keystone.
However, if the token is a UUID token, then here is what happens: user
goes to Keystone, gets a token (uuid), and passes that to glance.
Glance passes that back to Keystone and says "is this valid" and
keystone responds "yep, and here is the service catalog." Glance now
has the option of caching this response in memcached. If it does not,
it needs to go back to Keystone every time.
But...now I see below that you are using pki and memcached. Which means
something is not behaving. If glance honors the --debug flag, you can
see if the CLI is going to Keystone, or if it is the server.
Curious.
Cheers
Mike.
Am using icehouse with token format set to PKI, caching enabled
(memcached)
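To make the caching behaviour described in the reply concrete, here is an added simulation (not code from the thread, Keystone or Glance) of the UUID-token path: a service-side filter that consults a memcached-like cache before asking Keystone, so that an unexpired token costs one round trip instead of one per API call. KeystoneStub, AuthTokenFilter, keystone_calls_for and the sample tokens are hypothetical, constructed for this example.

```python
import time

# Constructed sample data: tokens Keystone has issued, mapped to expiry time.
ISSUED_TOKENS = {"abc123": time.time() + 3600,  # valid for one hour
                 "stale42": time.time() - 1}    # already expired


class KeystoneStub:
    """Stands in for Keystone; every validate() is one round trip (and, behind it, an LDAP lookup)."""
    def __init__(self):
        self.validation_calls = 0

    def validate(self, token):
        self.validation_calls += 1
        expiry = ISSUED_TOKENS.get(token)
        if expiry is None or expiry <= time.time():
            return None  # unknown or expired token: "not valid"
        return {"token": token, "expires": expiry, "catalog": ["glance", "nova"]}


class AuthTokenFilter:
    """Service-side check: consult the cache, fall back to Keystone, cache the answer."""
    def __init__(self, keystone, cache_enabled=True, cache_ttl=300):
        self.keystone = keystone
        self.cache_enabled = cache_enabled
        self.cache_ttl = cache_ttl
        self.cache = {}  # token -> (validation result, cache entry expiry); stands in for memcached

    def check(self, token):
        now = time.time()
        hit = self.cache.get(token)
        if hit and hit[1] > now:
            return hit[0]  # served from cache, no traffic to Keystone or LDAP
        result = self.keystone.validate(token)
        if result and self.cache_enabled:
            # Never let a cache entry outlive the token it vouches for.
            self.cache[token] = (result, min(result["expires"], now + self.cache_ttl))
        return result


def keystone_calls_for(token, requests, cache_enabled=True):
    """Return how many Keystone round trips `requests` API calls with `token` cause."""
    keystone = KeystoneStub()
    filt = AuthTokenFilter(keystone, cache_enabled=cache_enabled)
    for _ in range(requests):
        filt.check(token)
    return keystone.validation_calls
```

With caching off, the count equals the number of API calls, which is the per-call AuthN traffic the original poster observed; invalid tokens are deliberately not cached here, so they always reach Keystone.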
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to: openstack@lists.openstack.org
Unsubscribe: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack