Keystone Lightweight Tokens

Registered by Lance Bragstad on 2015-02-24

KLWT tokens provide a way to represent a token, allowing for tokens to be non-persistent. KLWT tokens provide integrity and confidentiality, when optionally using encryption, by being signed by Keystone. KLWT tokens contain some amount of token information, including the user, the issued at time, the expiration time, and the digest of the signed information. Regardless if encryption is used, the tokens are authentic since they are signed and validated by Keystone.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Medium
Drafter:
Lance Bragstad
Direction:
Approved
Assignee:
Lance Bragstad
Definition:
Approved
Series goal:
Accepted for kilo
Implementation:
Implemented
Milestone target:
milestone icon 2015.1.0
Started by
Steve Martinelli on 2015-02-24
Completed by
Morgan Fainberg on 2015-03-19

Related branches

Sprints

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:ae-tokens,n,z

Addressed by: https://review.openstack.org/145317 (merged)
    Keystone Lightweight Tokens (KLWT)

Addressed by: https://review.openstack.org/158414 (merged)
    Use revocation events for lightweight tokens

Addressed by: https://review.openstack.org/159229
    Implement KLWT for v2.0 tokens

Gerrit topic: https://review.openstack.org/#q,topic:bp/klw-tokens,n,z

Gerrit topic: https://review.openstack.org/#q,topic:160980,n,z (merged)

Addressed by: https://review.openstack.org/160993 (merged)
    Convert audit_ids to bytes before msgpacking

Addressed by: https://review.openstack.org/161379 (merged)
    Add unscoped token formatter for Fernet tokens

Addressed by: https://review.openstack.org/161380 (merged)
    Federated token formatter

Addressed by: https://review.openstack.org/161793 (merged)
    Add Federation mixin for setting up data

Addressed by: https://review.openstack.org/161838 (merged)
    Refactor: rename the "standard" token formatter to "scoped"

Addressed by: https://review.openstack.org/161855 (merged)
    Refactor: don't require token formatters to understand "token_data"

Addressed by: https://review.openstack.org/161876 (merged)
    Refactor: remove Fernet formatter's dep on trust_api / v3 token helper

Addressed by: https://review.openstack.org/161897 (merged)
    Remove redundant creation timestamp from fernet tokens

Addressed by: https://review.openstack.org/161774 (abandoned)
    Remove the expiration timestamp from Fernet tokens

Addressed by: https://review.openstack.org/162031 (merged)
    Drop Fernet token prefixes & add domain-scoped Fernet tokens

Addressed by: https://review.openstack.org/162338 (merged)
    Refactor: make Fernet token creation/validation API agnostic

Addressed by: https://review.openstack.org/163601 (merged)
    Allow methods to be carried in Fernet tokens.

Addressed by: https://review.openstack.org/163683 (abandoned)
    Replace the expiration timestamp in Fernet tokens with a ttl

Gerrit topic: https://review.openstack.org/#q,topic:bug/1428717,n,z

Addressed by: https://review.openstack.org/164348
    Use existing token test for Fernet tokens.

Addressed by: https://review.openstack.org/165489
    Add inline comment and docstrings fixes for Fernet

Addressed by: https://review.openstack.org/165520
    Cleanup Fernet testcases and add comments.

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.