OpenStack Identity (keystone)

Allow clients to opt-out of service catalog inclusion

Registered by Dolph Mathews

A service catalog is automatically included in a create token response (POST /v3/auth/tokens). While this behavior should not change, we should provide a method for clients to opt out of the catalog being included so that PKI tokens will be significantly smaller in a more complex deployment.

A create token request that opts out of the catalog could simply be accomplished via a query string:

  POST /v3/auth/tokens?nocatalog

(out of scope for this bp...) The catalog should also become independently available on a new endpoint, such as:

  GET /v3/catalog

Related Havana summit etherpad: https://etherpad.openstack.org/havana-endpoint-filtering

Blueprint information

Status:
Complete
Approver:
Adam Young
Priority:
High
Drafter:
Dolph Mathews
Direction:
Approved
Assignee:
Fabio Giannetti
Definition:
Review
Series goal:
Accepted for havana
Implementation:
Implemented
Milestone target:
milestone icon 2013.2
Started by
Dolph Mathews
Completed by
Thierry Carrez

Related branches

Sprints

Whiteboard

Increased the priority on this as it also represents a bug fix. Any progress on this? Definitely needs to land in m2 -dolph

Related discussion on the mailing list: http://lists.openstack.org/pipermail/openstack-dev/2013-June/010365.html

Related bug ("Token auth fails when token is larger than 8k"): https://bugs.launchpad.net/keystone/+bug/1190149

Dolph, we are actively working on it. Fabio (new HP engineer) should have a review ready by sometime next week (6/17 - 21) I think. (thanks! feel free to change the assignee on the bp appropriately -dolph)

(Fabio) Working on the bp. I need to have more details regarding the get /catalog behaviour:
Case 1) get /catalog has a X-subject-token in the request, the user-id and project-id are gathered from the token
Case 2) get /catalog does not have the X-subject-token but has two query params stating user-id and project-id
Case 3) get /catalog does not have token ref nor query params a 400 (bad request is returned)
Are those cases what we are looking for with this bp, please advice. Thanks, Fabio

Case 1 is the only one that needs to be handled (I don't see a use case for providing anything via query params, and that's a poor long term solution considering we'd like to remove that data from the catalog altogether). -dolph
+1 (gyee)
+1(topol) -- great to see this provide a way to reduce token size!

Gerrit topic: https://review.openstack.org/#q,topic:bp/catalog-optional,n,z

Addressed by: https://review.openstack.org/33188
    Implemented POST /v3/auth/tokens?no-catalog and GET /v3/catalog methods.

Gerrit topic: https://review.openstack.org/#q,topic:bp/authentication-tied-to-token,n,z

I'd like to introduce another implementation for this case https://blueprints.launchpad.net/keystone/+spec/compact-pki-token

Gerrit topic: https://review.openstack.org/#q,topic:bp/compact-pki-token,n,z

Addressed by: https://review.openstack.org/96725
    Keystone compact PKI token

(?)

Work Items

Nearby

This blueprint contains Public information 
Everyone can see this information.