OpenStack Identity (keystone)

  1. Bug #1779889
  2. Activity log

Activity log for bug #1779889

Date Who What changed Old value New value Message
2018-07-03 15:23:03 Lance Bragstad bug added bug
2018-07-03 15:24:05 Lance Bragstad description Keystone supports the ability for service users to validate expired user tokens. This solved an issue where a user would initiate a long-running operation (e.g. live migration, instance back-ups, uploading large images to glance), and by the time the operation finished the user's token would be invalid, causing the operation to fail. The solution to this problem is to use service users and configure them in such a way that they have the ability to validate expired user tokens. This keeps enforcement of the user's authorization valid when they start the operation but allows the operation to finish in the event it takes longer than the configured token expiration time. We don't supply any documentation for this process or setting it up. If deployers want to use it, they have to dig through code to figure out how it work. https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html Keystone supports the ability for service users to validate expired user tokens. This solved an issue where a user would initiate a long-running operation (e.g. live migration, instance back-ups, uploading large images to glance), and by the time the operation finished the user's token would be invalid, causing the operation to fail. The solution to this problem is to use service users and configure them in such a way that they have the ability to validate expired user tokens. This keeps enforcement of the user's authorization valid when they start the operation but allows the operation to finish in the event it takes longer than the configured token expiration time. We don't supply any documentation for this process or setting it up outside of the original specification [0]. If deployers want to use it, they have to dig through code to figure out how it work. The lack of documentation was brought to our attention in IRC [1]. [0] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/implemented/service-tokens.html [1] http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2018-07-03.log.html#t2018-07-03T14:43:49
2018-07-03 15:24:09 Lance Bragstad keystone: status New Triaged
2018-07-03 15:24:30 Lance Bragstad keystone: importance Undecided Medium
2018-07-03 15:24:41 Lance Bragstad tags documentation low-hanging-fruit office-hours
2018-10-30 08:44:41 Irina Anyusheva keystone: assignee Irina Anyusheva (anyushevai)
2018-11-02 12:49:04 Irina Anyusheva keystone: status Triaged In Progress
2019-01-16 01:53:00 OpenStack Infra keystone: assignee Irina Anyusheva (anyushevai) Kristi Nikolla (knikolla)
2019-04-12 18:36:16 OpenStack Infra keystone: status In Progress Fix Released