
openstack team mailing list archive

Re: Signed Tokens


On 06/01/2012 05:56 PM, Adam Young wrote:
The signed tokens work has been updated. I think this is the final architecture.

https://github.com/admiyo/keystone/commits/signed-tokens-5

Not all of the unit tests run. Some of the Memcache tests are suspect, and I wonder if we even need memcache support for tokens in the middleware. I think we don't.

Also, the Diablo tokens are not supported. I think we can safely deprecate them for Folsom.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Responses to Guang Yee's comments on GitHub:

keystone/config.py
line 156
gyee: Maybe "token_signing" instead of "signing"? Signing still sounds too generic.
ayoung: This is a generic signing cert. Although it is only used for tokens, it could be used for something else as well. I think signing is appropriate.

keystone/middleware/auth_token.p
line 146:
gyee: May want to do os.umask() to protect the signing dir.
ayoung: agreed.

line 597:
gyee: You are assuming openssl is available. May want to do a sanity check first.
ayoung: The packages will 'Require' openssl, and we will put it into the package list for Devstack as well.

gyee: May want to introduce some timeout logic to force process termination in case it hangs or did not finish on time.
ayoung: We are not consuming entropy with the signing or verification process, so hanging is likely not an issue. I don't think Eventlet makes that kind of code easy to write, either. If we see signs of hanging, then we will deal with it.


keystone/service.py
line 505:
gyee: certfile.close
ayoung: yes
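The three review points above (protecting the signing directory with a narrowed umask, checking that openssl is actually present before relying on it, and bounding the lifetime of the helper process) as one added Python example. This is not code from the signed-tokens branch or from Keystone: the helper names, the use of a detached `openssl dgst` RSA/SHA-256 signature as a stand-in for whatever the branch really does, the self-signed throwaway cert and the sample token body are all this example's own assumptions.

```python
# Added example, not Keystone code. Helper names, the "openssl dgst" detached
# signature scheme and the sample token are this example's own assumptions.
import os
import shutil
import stat
import subprocess
import sys
import tempfile

OPENSSL = "openssl"  # assumption: the binary is reachable on PATH under this name


def openssl_available():
    """Sanity check before the middleware relies on the external signer."""
    return shutil.which(OPENSSL) is not None


def ensure_signing_dir(path):
    """Create the dir that holds the signing cert/CA copies, never briefly
    group/world accessible: makedirs' mode is itself filtered through the
    umask, so narrow the umask around it, then re-check. Returns the mode."""
    old_umask = os.umask(0o077)
    try:
        os.makedirs(path, mode=0o700, exist_ok=True)
    finally:
        os.umask(old_umask)
    os.chmod(path, 0o700)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise RuntimeError("signing dir %s is accessible to others: %o" % (path, mode))
    return mode


def run_with_timeout(argv, data=b"", timeout=10.0):
    """Run a helper with ``data`` on stdin; subprocess.run kills it on overrun,
    surfaced here as TimeoutError. Returns (returncode, stdout, stderr)."""
    try:
        proc = subprocess.run(argv, input=data, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        raise TimeoutError("%s did not finish within %.1fs" % (argv[0], timeout))
    return proc.returncode, proc.stdout, proc.stderr


def _openssl(args, data=b"", timeout=10.0):
    rc, out, err = run_with_timeout([OPENSSL] + args, data, timeout)
    if rc != 0:
        raise RuntimeError("openssl %s failed: %s" % (args[0], err.decode(errors="replace")))
    return out


def generate_test_signer(signing_dir):
    """Constructed test material: a throwaway self-signed cert and key."""
    key = os.path.join(signing_dir, "signing_key.pem")
    cert = os.path.join(signing_dir, "signing_cert.pem")
    _openssl(["req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
              "-out", cert, "-subj", "/CN=example-signer", "-days", "1"])
    os.chmod(key, 0o600)
    return key, cert


def sign_token(token_bytes, key_path):
    """Detached RSA/SHA-256 signature over the token body."""
    return _openssl(["dgst", "-sha256", "-sign", key_path], token_bytes)


def verify_token(token_bytes, signature, cert_path):
    """Check the signature with the public key taken from the signing cert."""
    pubkey = _openssl(["x509", "-in", cert_path, "-pubkey", "-noout"])
    with tempfile.TemporaryDirectory() as scratch:
        pub_path = os.path.join(scratch, "pub.pem")
        sig_path = os.path.join(scratch, "token.sig")
        with open(pub_path, "wb") as f:
            f.write(pubkey)
        with open(sig_path, "wb") as f:
            f.write(signature)
        rc, out, _ = run_with_timeout(
            [OPENSSL, "dgst", "-sha256", "-verify", pub_path, "-signature", sig_path],
            token_bytes)
    return rc == 0 and out.strip() == b"Verified OK"


def self_check():
    """Exercise the three points; returns a dict of outcomes."""
    base = tempfile.mkdtemp()
    signing_dir = os.path.join(base, "signing")
    result = {"dir_mode": ensure_signing_dir(signing_dir)}
    try:  # a helper that hangs must be killed, not waited on forever
        run_with_timeout([sys.executable, "-c", "import time; time.sleep(30)"], timeout=0.5)
        result["timeout_enforced"] = False
    except TimeoutError:
        result["timeout_enforced"] = True
    result["openssl"] = openssl_available()
    if result["openssl"]:
        key, cert = generate_test_signer(signing_dir)
        token = b'{"access": {"token": {"id": "example"}}}'  # constructed sample body
        sig = sign_token(token, key)
        result["verified"] = verify_token(token, sig, cert)
        result["tampered_rejected"] = not verify_token(token + b" ", sig, cert)
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(self_check())
```

`run_with_timeout` is blocking, which is the simple case; under Eventlet the same `timeout=` argument on `subprocess.run` still bounds the child, but the call would block the green thread for that long, which is the difficulty the reply alludes to.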
