Comment 5 for bug 1215627

yong sheng gong (gongysh) wrote :

<henrynash> gongysh:hi
<gongysh> henrynash: what is your opinion of the bug https://bugs.launchpad.net/keystone/+bug/1215627
* morganfainberg is now known as morganfainberg|a
<uvirtbot> Launchpad bug 1215627 in keystone "Keystone Should re-use non-expired tokens, instead of generating new tokens." [Undecided,Confirmed]
<gongysh> it is nice if we can have it fixed since nova is creating too many tokens while running.
* nshaikh (nshaikh@nat/redhat/x-qhxcxectchlfnsqc) has left #openstack-dev ("Quit")
* mrunge (~mrunge@fedora/mrunge) has joined #openstack-dev
* dstufft (~dstufft@django/committer/dstufft) has joined #openstack-dev
<gongysh> nova will use the neutron client to flush all instances' IP information periodically, which will generate many tokens.
<gongysh> flush -> refresh, or get or query.
<henrynash> gongysh: I agree that the number of tokens is a problem
* zodiak has quit (Ping timeout: 256 seconds)
* MaxV (~MaxV@90.24.240.225) has joined #openstack-dev
<gongysh> henrynash: then what is your advised solution? do u agree to the solution in the bug 1215627?
<uvirtbot> Launchpad bug 1215627 in keystone "Keystone Should re-use non-expired tokens, instead of generating new tokens." [Undecided,Confirmed] https://launchpad.net/bugs/1215627
<henrynash> gongysh: so is the idea that we re-use the token ID with a new expiry time?
<henrynash> gongysh: (sorry slow to respond since I am on a call)
* mmagr (mmagr@nat/redhat/x-wrqxejdxwkdikfzr) has joined #openstack-dev
* dina_belova (~dina_belo@95-29-221-112.broadband.corbina.ru) has joined #openstack-dev
* vartom4 has quit (Ping timeout: 256 seconds)
<gongysh> henrynash: Yes, we can refresh the expiry time whenever the token is reused.
<gongysh> henrynash: or we can just return the token with old expiry time.
* SergeyLukjanov (~Frostman@95-29-221-112.broadband.corbina.ru) has joined #openstack-dev
<henrynash> gongysh: so I want to be clear on the use case: are we trying to optimise for when a user asks for a new token lots of times when they have a perfectly good one already, or when their token is expiring?
<gongysh> henrynash: we can add one configuration option to allow use of the active token, such as reuse_valid_token = False
* dina_belova has quit (Read error: Operation timed out)
<jamielennox> gongysh: what is the scenario here? why is it filed as a keystone bug?
<jamielennox> it sounds like it is an issue with the way that services consume keystone tokens
<gongysh> keystone will always return a new token if the user calls the authentication API even if the information given by the user is the same.
* Mandell (~<email address hidden>) has joined #openstack-dev
<jamielennox> gongysh: i would consider that to be the expected behaviour
<henrynash> gongysh: and would we re-use the token even if the scope/details of that token were different to the last one, or only if it has been requested for the same scope?
<henrynash> gongysh: worried about auditing etc.
<gongysh> henrynash: I am expecting to reuse the token if the scope is the same.
* morganfainberg|a is now known as morganfainberg
* marios (~m@93-23-6.netrun.cytanet.com.cy) has joined #openstack-dev
<henrynash> gongysh: ok, so IF we do think that repeated requests for the same scoped token are a key cause of token bloat, then I can see this as a reasonable optimisation