yahoo-eng-team team mailing list archive

[Bug 1779889] [NEW] Lack of documentation for validating expired tokens with service users

Public bug reported:

Keystone supports the ability for service users to validate expired user
tokens. This solved an issue where a user would initiate a long-running
operation (e.g. live migration, instance back-ups, uploading large
images to glance), and by the time the operation finished the user's
token would be invalid, causing the operation to fail.

The solution to this problem is to use service users and configure them
in such a way that they have the ability to validate expired user
tokens. This keeps enforcement of the user's authorization valid when
they start the operation but allows the operation to finish in the event
it takes longer than the configured token expiration time.

We don't supply any documentation for this process or setting it up
outside of the original specification [0]. If deployers want to use it,
they have to dig through code to figure out how it works.

The lack of documentation was brought to our attention in IRC [1].

[0] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html
[1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-07-03.log.html#t2018-07-03T14:43:49

** Affects: keystone
     Importance: Medium
         Status: Triaged


** Tags: documentation low-hanging-fruit office-hours

** Description changed:

  Keystone supports the ability for service users to validate expired user
  tokens. This solved an issue where a user would initiate a long-running
  operation (e.g. live migration, instance back-ups, uploading large
  images to glance), and by the time the operation finished the user's
  token would be invalid, causing the operation to fail.
  
  The solution to this problem is to use service users and configure them
  in such a way that they have the ability to validate expired user
  tokens. This keeps enforcement of the user's authorization valid when
  they start the operation but allows the operation to finish in the event
  it takes longer than the configured token expiration time.
  
- We don't supply any documentation for this process or setting it up. If
- deployers want to use it, they have to dig through code to figure out
- how it work.
+ We don't supply any documentation for this process or setting it up
+ outside of the original specification [0]. If deployers want to use it,
+ they have to dig through code to figure out how it work.
  
- https://specs.openstack.org/openstack/keystone-
- specs/specs/keystonemiddleware/implemented/service-tokens.html
+ The lack of documentation was brought to our attention in IRC [1].
+ 
+ [0] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html
+ [1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-07-03.log.html#t2018-07-03T14:43:49

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Tags added: documentation low-hanging-fruit office-hours

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1779889

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1779889/+subscriptions
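The check the report describes, as an added illustration that is not keystone's or keystonemiddleware's own code: a simplified model of how a validator accepts an expired user token only when a valid service token with a required role accompanies it, while still enforcing the user's (not the service user's) roles. The grace window and role set are assumptions modelled on keystone's `[token] allow_expired_window` and keystonemiddleware's `service_token_roles` options; the 48-hour window and the "service" role are assumed values.

```python
import datetime as dt
from dataclasses import dataclass

# Grace period after expiry during which a user token may still be validated
# (assumed value, modelled on keystone.conf [token] allow_expired_window).
ALLOW_EXPIRED_WINDOW = dt.timedelta(hours=48)
# Roles a service user's token must carry to unlock expired-token validation
# (assumed value, modelled on keystonemiddleware's service_token_roles).
SERVICE_TOKEN_ROLES = frozenset({"service"})


@dataclass(frozen=True)
class Token:
    user: str
    roles: frozenset
    expires: dt.datetime


def validate_request(user_token, service_token, now):
    """Return (accepted, reason, effective_roles) for a request carrying an
    X-Auth-Token (user_token) and optionally an X-Service-Token (service_token).

    The roles that get enforced are always the user's; the service token only
    widens the expiry check, it never lends the service user's privileges."""
    allow_expired = False
    if service_token is not None:
        if service_token.expires <= now:
            return False, "service token expired", frozenset()
        if not service_token.roles & SERVICE_TOKEN_ROLES:
            return False, "service token lacks a required role", frozenset()
        allow_expired = True
    if user_token.expires > now:
        return True, "user token valid", user_token.roles
    if not allow_expired:
        return False, "user token expired", frozenset()
    if now - user_token.expires > ALLOW_EXPIRED_WINDOW:
        return False, "user token expired beyond allow_expired_window", frozenset()
    return True, "expired user token accepted via service token", user_token.roles


if __name__ == "__main__":
    # Constructed sample: a one-hour user token for a live migration that took
    # three hours, presented alongside the compute service user's token.
    t0 = dt.datetime(2018, 7, 3, 14, 0, tzinfo=dt.timezone.utc)
    user = Token("alice", frozenset({"member"}), t0 + dt.timedelta(hours=1))
    nova = Token("nova", frozenset({"service"}), t0 + dt.timedelta(hours=24))
    later = t0 + dt.timedelta(hours=3)
    print(validate_request(user, None, later))   # rejected: user token expired
    print(validate_request(user, nova, later))   # accepted with roles {'member'}
```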