HMAC Signature Based Token

Registered by Arvind Tiwari

Keystone supports the UUID and PKI token formats; both have their pros and cons. UUID tokens are persistent, and manageability is the biggest problem with them. PKI tokens are non-persistent, but they are heavyweight tokens that have proven to be an overhead for the network.

HMAC Signature Based Tokens are non-persistent, lightweight tokens that combine the best of UUID and PKI tokens.
The Keystone HMAC Tokens framework will produce tokens containing a signature per endpoint in the service catalog. The HMAC signature will be generated over known facts (AKA hmac_text; it may contain the endpoint URL, user roles, expiration time, etc.). The validation process can rebuild the hmac_text and regenerate the signature after getting the HMAC key from Keystone. These HMAC keys are non-persistent ephemeral keys, which can be queried and delivered to trusted services easily over a secure network. HMAC keys can also be easily replicated in an HA Keystone setup.

This technique is already used in Swift for the temp URL use case and can be easily extended to auth tokens.

http://docs.openstack.org/juno/config-reference/content/object-storage-tempurl.html
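To make the mechanism described above concrete (a signature per catalog endpoint, computed over a rebuildable hmac_text, validated by a service that fetches the ephemeral key from Keystone, in the same spirit as Swift's temp URL signing), here is an added Python sketch. It is illustrative code written for this page, not code from the blueprint, from Keystone or from Swift. The exact field set of hmac_text (endpoint URL, user id, roles, expiry), the HMAC hash (SHA-256), the key, the catalog URLs and the user data are all constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample values; a real deployment would fetch the ephemeral key
# from Keystone over a secure channel and read the catalog from the token.
SAMPLE_KEY = b"constructed-ephemeral-hmac-key-not-for-production"
SAMPLE_CATALOG = [
    "https://compute.example.test/v2",
    "https://image.example.test/v2",
]


def build_hmac_text(endpoint_url, user_id, roles, expires_at):
    """Canonical hmac_text for one endpoint.

    Field set is an assumption based on the blueprint's "endpoint URL, user
    roles, expiration time etc.". Roles are sorted so that ordering cannot
    change the signature, and fields are newline-separated so that no field
    can be made to bleed into its neighbour.
    """
    return "\n".join([endpoint_url, user_id, ",".join(sorted(roles)), str(expires_at)])


def sign(key, hmac_text):
    """HMAC-SHA256 over the canonical text, hex encoded."""
    return hmac.new(key, hmac_text.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_token(key, user_id, roles, catalog, ttl, now):
    """Keystone side: one signature per endpoint in the service catalog."""
    expires_at = now + ttl
    signatures = {
        url: sign(key, build_hmac_text(url, user_id, roles, expires_at))
        for url in catalog
    }
    return {
        "user_id": user_id,
        "roles": sorted(roles),
        "expires_at": expires_at,
        "signatures": signatures,
    }


def validate_at_endpoint(key, token, endpoint_url, now):
    """Service side: rebuild hmac_text from the token and compare signatures.

    Because expires_at, roles and user_id are all inputs to the signature,
    tampering with any of them in the token body invalidates the signature.
    A signature issued for another endpoint does not validate here, so a
    token captured at one service cannot be replayed against another.
    """
    if now >= token["expires_at"]:
        return False
    presented = token["signatures"].get(endpoint_url)
    if presented is None:
        return False
    expected = sign(
        key,
        build_hmac_text(endpoint_url, token["user_id"], token["roles"], token["expires_at"]),
    )
    # Constant-time comparison avoids leaking the signature byte by byte.
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token(SAMPLE_KEY, "user-42", ["member", "admin"], SAMPLE_CATALOG, 3600, now)
    print("valid at compute:", validate_at_endpoint(SAMPLE_KEY, token, SAMPLE_CATALOG[0], now + 10))
    print("valid at unknown endpoint:", validate_at_endpoint(SAMPLE_KEY, token, "https://other.example.test/", now + 10))
```

Revocation in this model falls out of the key lifecycle rather than a revocation list: rotating or dropping the ephemeral key at Keystone (and at the services that fetched it) invalidates every signature made with it, which is what "supports revocation" without persisted tokens amounts to.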

The major benefits of these tokens are:

 - Non persistent
 - Light weight
 - Supports revocation

Spec TBD

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Arvind Tiwari
Direction: Needs approval
Assignee: Arvind Tiwari
Definition: Obsolete
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg
