← Back to team overview

openstack team mailing list archive

Re: Signed Tokens

 

Looks good, Adam...  I have a couple comments/questions:

1) We probably want to maintain backward-compatibility with the old token auth.  So, PKI can be turned on or off, maybe via a middleware filter that sits in front of the old token auth (instead of a cache for example which does not make sense for PKI anymore).  While PKI comes with benefits, not everyone may want to deal with certificates, etc...  2-way SSL is configurable for this very same reason.

2) I don't know if you have looked at pyopenssl yet?  Maybe a better alternative than spawning processes...

3) Is PKI v3 or v2?  I assume v3, but just want to double-check.  /v2.0 should be /v3.0 if that's the case.  


Thanks,
Liem   
________________________________________
From: openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx [openstack-bounces+liem_m_nguyen=hp.com@xxxxxxxxxxxxxxxxxxx] on behalf of Adam Young [ayoung@xxxxxxxxxx]
Sent: Friday, June 01, 2012 2:56 PM
To: openstack
Subject: [Openstack] Signed Tokens

The signed tokens work has been updated.  I think this is the final
architecture.

https://github.com/admiyo/keystone/commits/signed-tokens-5

Not all of the unit tests run. Some of the Memcache tests are suspect,
and I wonder if we even need memcache support for tokens in the middle
ware.  I think we don't.

Also,  the Diablo tokens are not supported.  I think we can safely
deprecate them for Folsom.

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp


Follow ups

References