UUID is a more friendly default token provider than PKI

Bug #1350000 reported by Dolph Mathews
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Morgan Fainberg
Milestone:

Bug Description

PKI has been the default token provider since Grizzly. Early in the Grizzly development cycle, PKI was established as the default, primarily to expose the implementation to a broad developer audience to work out any issues. Issues were immediately discovered that prevented PKI from becoming the default in production deployments, and that has been an ongoing theme ever since. As of the Juno development cycle, there are still unresolved issues that prevent PKI from being a reasonable production choice. The following etherpad summarizes the Keystone community's perspective on each technology:

  https://etherpad.openstack.org/p/pki-vs-uuid

This was also discussed in the July 29th keystone meeting:

  http://eavesdrop.openstack.org/meetings/keystone/2014/keystone.2014-07-29-18.01.log.html

It therefore follows that UUID, or a variant thereof, should become the default token provider for Juno.

Dolph Mathews (dolph)
tags: added: user-experience
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/110488

Changed in keystone:
status: Triaged → In Progress
Changed in keystone:
assignee: Dolph Mathews (dolph) → Morgan Fainberg (mdrnstm)
Dolph Mathews (dolph)
tags: added: pki
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → juno-rc1
Dolph Mathews (dolph) wrote :

This is now being tracked by a blueprint for feature freeze:

  https://blueprints.launchpad.net/keystone/+spec/uuid-as-default-token-provider

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/110488
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=60dc036b884f9b0994a693d52e97552ad21378b0
Submitter: Jenkins
Branch: master

commit 60dc036b884f9b0994a693d52e97552ad21378b0
Author: Dolph Mathews <email address hidden>
Date: Tue Jul 29 16:57:57 2014 -0500

    Set default token provider to UUID

    This changes the default token provider to UUID, which affords a much
    better deployer experience (no external dependencies and no additional
    setup complexity) for deployers. It also provides a better end-user
    experience (smaller, more manageable tokens) and appears to be the more
    popular deployment option today, despite the current default to PKI.

    DocImpact
    Closes-Bug: 1350000

    Change-Id: I7fb2b191cce7a9762c33fee09e7e8d48a71a297b

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-rc1 → 2014.2