yahoo-eng-team team mailing list archive

[Bug 1454041] Re: misunderstanding caused by uuid token and pki token in install guide

 

Keystone switched to UUID by default in Juno due to longstanding issues
with PKI that will likely never be resolved. At least in the stable/juno
or stable/kilo install guides, there is no token setup to do beyond
scheduling a cron job to run keystone-manage token_flush.

Setting the keystone token provider is unnecessary, as it's already UUID
in Juno and Kilo.

keystone-manage pki_setup is not useful if the token provider is not
PKI.

The install guide should not suggest all users switch to PKI tokens. If
they're mentioned at all, they should at least come with the caveat that
they do not improve security and that they will potentially exceed
header size limits in many pieces of software.

As of stable/kilo, the install guide could discuss switching to Fernet
tokens, but I think that's out of scope for this issue.

** Changed in: keystone
   Importance: Undecided => Medium

** Changed in: keystone
       Status: New => Confirmed

** Project changed: keystone => openstack-manuals

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1454041

Title:
  misunderstanding caused by uuid token and pki token in install guide

Status in OpenStack Manuals:
  Confirmed

Bug description:
  In the released install guide, we can see the step to set the token provider to uuid, as follows:
  [token]
  provider = keystone.token.providers.uuid.Provider

  but there are further steps to set up the pki token, as follows:
  # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
  # chown -R keystone:keystone /var/log/keystone
  # chown -R keystone:keystone /etc/keystone/ssl
  # chmod -R o-rwx /etc/keystone/ssl

  I think the pki token has been brought in from Grizzly, and the installation guide should use the pki token provider, like below:
  [token]
  provider = keystone.token.providers.pki.Provider

To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-manuals/+bug/1454041/+subscriptions

