openstack team mailing list archive

Thread
Date

PKI Token Generation

To: openstack <openstack@xxxxxxxxxxxxxxxxxxx>
From: Adam Young <ayoung@xxxxxxxxxx>
Date: Tue, 03 Jul 2012 17:55:10 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20120605 Thunderbird/13.0

The discussion during the Keystone meeting today had a couple of keypoints I'd like to address.



The Current token length is 32 characters long.  An example:
 e50d580692d644cfb8bec0246aede2c2

With PKI Signed tokens,  they will be much longer

MIICgAYJKoZIhvcNAQcCoIICcTCCAm0CAQExCTAHBgUrDgMCGjCCAWEGCSqGSIb3\
DQEHAaCCAVIEggFOeyJhY2Nlc3MiOiB7InRva2VuIjogeyJleHBpcmVzIjogIjIw\
MTItMDYtMDJUMTQ6NDc6MzRaIiwgImlkIjogInBsYWNlaG9sZGVyIiwgInRlbmFu\
dCI6IHsiZW5hYmxlZCI6IHRydWUsICJkZXNjcmlwdGlvbiI6IG51bGwsICJuYW1l\
IjogInRlbmFudF9uYW1lMSIsICJpZCI6ICJ0ZW5hbnRfaWQxIn19LCAidXNlciI6\
IHsidXNlcm5hbWUiOiAidXNlcl9uYW1lMSIsICJyb2xlc19saW5rcyI6IFsicm9s\
ZTEiLCJyb2xlMiJdLCAiaWQiOiAidXNlcl9pZDEiLCAicm9sZXMiOiBbeyJuYW1l\
IjogInJvbGUxIn0sIHsibmFtZSI6ICJyb2xlMiJ9XSwgIm5hbWUiOiAidXNlcl9u\
YW1lMSJ9fX0NCjGB9zCB9AIBATBUME8xFTATBgNVBAoTDFJlZCBIYXQsIEluYzER\
MA8GA1UEBxMIV2VzdGZvcmQxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxCzAJBgNV\
BAYTAlVTAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAUcweczLJw0SMQhli\
qVSFTWnPKzCnh9qaAxY+29YKFIGYmsX4x+Eh+3D4-xND0gqpdh-CD-Fe7dwsAP4K\
YHCj4W13Z0EyucgXiIbdY+XBaUInYowNmBqMRzOXMO8UGOjYMEgFvRJApb6sS4PN\
wlctpz0dJe2rTELD28EmckkApeU="

However, nothing in the API comments on the token length. You cannotassume that even under the current scheme they will be 32 characters long.

the code for just the token generation has been split from theauth_token changes. You can see it here:


https://github.com/admiyo/keystone/tree/pki-token-generation

It is not up for code review yet as there are still a few changes required.

Follow ups

Re: PKI Token Generation
From: Dolph Mathews, 2012-07-04