Use Keyring to store Tokens

Bug #1040361 reported by Adam Young
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Guang Yee

Bug Description

Tokens can be used more than just once, but right now, each CLI call fetches a new one. We can use Keyring to securely hold the token for a span of time and reduce the number of network round trips.

Tags: blueprint
Joseph Heck (heckj) wrote :

tagged as blueprint, as this is more of a feature request and probably ought to be tracked by a blueprint

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
tags: added: blueprint
Bhuvan Arumugam (bhuvan) wrote :

Joe, Adam: Can you please let me know,
  a) a sample call to create token?
  b) a sample call to use/query for a token? I could retrieve token for a given user/tenant/service through curl. I'm looking for ways to retrieve the token, using a call. Looks like "token-get" call is broken due to bug 1002917.

I installed devstack and enabled keystone and nova services. I presume I didn't execute any calls that would create a token. I could create user, tenant, service, etc.

bhuvan@ip-10-242-117-54:~/devstack$ keystone service-list
+----------------------------------+------+---------+-----------------------+
| id                               | name | type    | description           |
+----------------------------------+------+---------+-----------------------+
| b146be8e5e444baba5b6d7104202dc6a | nova | compute | nova compute --bhuvan |
+----------------------------------+------+---------+-----------------------+
bhuvan@ip-10-242-117-54:~/devstack$ keystone tenant-list
+----------------------------------+--------------------+---------+
| id                               | name               | enabled |
+----------------------------------+--------------------+---------+
| 02567ee94440476c8a174d91dfab8ae4 | admin              | True    |
| 1aeadd69de0b4207abc6ea2a3b3c4add | demo               | True    |
| 2c87f15de45c43a59fa2fac677fe8927 | bhuvan             | True    |
| 7afb8ec155d64c79912ece6ca1933fea | service            | True    |
| e1ab0261462d4d0183d1c431d9222dde | invisible_to_admin | True    |
+----------------------------------+--------------------+---------+

The "token" table doesn't have any records yet:

mysql> \r keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Connection id: 83
Current database: keystone

mysql> desc token;
+---------+-------------+------+-----+---------+-------+
| Field   | Type        | Null | Key | Default | Extra |
+---------+-------------+------+-----+---------+-------+
| id      | varchar(64) | NO   | PRI | NULL    |       |
| expires | datetime    | YES  |     | NULL    |       |
| extra   | text        | YES  |     | NULL    |       |
+---------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)

mysql> select count(*) from token;
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (0.04 sec)

mysql>

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
Guang Yee (guang-yee) wrote :

https://review.openstack.org/#/c/15691/

I've added two more command line options

--no-keyring: do not use keyring
--force-new-token: request a new token and replace the one stored in keyring. This option is useful because Keystone stores token in KVS by default and it goes away when we bounce Keystone. This option will invalidate the one stored in keyring and replace it with the new one.
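
The following Python example is added here and is not the code from the linked review or from keystoneclient: it shows a token cache that behaves like the two options described above, reusing a stored token only while it is unexpired and only for the same identity. The names get_token, MemoryKeyring and SERVICE, the entry key format and the 30-second margin are assumptions; MemoryKeyring stands in for the keyring module so the example runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

SERVICE = "example-keystone-cli"  # hypothetical keyring service name


class MemoryKeyring:
    """Stand-in exposing the get/set/delete_password calls of the `keyring` module."""

    def __init__(self):
        self._items = {}

    def get_password(self, service, username):
        return self._items.get((service, username))

    def set_password(self, service, username, password):
        self._items[(service, username)] = password

    def delete_password(self, service, username):
        self._items.pop((service, username), None)


def get_token(fetch, store, auth_url, user, tenant, now=None,
              use_keyring=True, force_new_token=False,
              margin=timedelta(seconds=30)):
    """Return a token, reusing a stored one only if it is still valid.

    fetch() performs the real authentication and returns (token_id, expires),
    with expires a timezone-aware datetime. force_new_token covers a token the
    server no longer knows (e.g. after a restart) although it has not expired.
    """
    now = now or datetime.now(timezone.utc)
    # Bind the entry to the full identity so one user's or tenant's token is
    # never handed to a call made for another.
    entry = "/".join((auth_url, tenant, user))
    if use_keyring and not force_new_token:
        raw = store.get_password(SERVICE, entry)
        if raw:
            cached = json.loads(raw)
            expires = datetime.fromisoformat(cached["expires"])
            if expires - margin > now:
                return cached["id"]
            store.delete_password(SERVICE, entry)  # drop the expired token
    token_id, expires = fetch()
    if use_keyring:
        store.set_password(SERVICE, entry, json.dumps(
            {"id": token_id, "expires": expires.isoformat()}))
    return token_id
```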

Adam Young (ayoung)
Changed in keystone:
status: Triaged → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → grizzly-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: grizzly-3 → 2013.1