OpenStack Identity (keystone)

Non-persistent PKI tokens

Registered by Dolph Mathews

This blueprint has been superseded. See the newer blueprint "Keystone Lightweight Tokens" for updated plans.

With token revocation events in place, we no longer have a need to store a token revocation list. The token revocation list is the primary reason why keystone bothers to persist PKI tokens, so without it, PKI tokens can become completely ephemeral.

Two steps are required to make that happen:

1) revise code that validates tokens from the token backend to pull from context instead

2) allow deployers to opt out of token persistence (UUID tokens must still be persisted)

Blueprint information

Status:
Complete
Approver:
Dolph Mathews
Priority:
Low
Drafter:
None
Direction:
Needs approval
Assignee:
Morgan Fainberg
Definition:
Superseded
Series goal:
None
Implementation:
Good progress
Milestone target:
None
Started by
Dolph Mathews
Completed by
Dolph Mathews

Related branches

Sprints

Whiteboard

Spec: https://review.openstack.org/#/c/95976/

Gerrit topic: https://review.openstack.org/#q,topic:bp/ephemeral-pki-tokens,n,z

Addressed by: https://review.openstack.org/73477 (abandoned)
    Use CMS to decode PKI tokens

Addressed by: https://review.openstack.org/73768 (merged)
    Consolidate provider calls to token_api.create_token

Addressed by: https://review.openstack.org/73769 (abandoned)
    Pass token expiry to the .create_token() method

Gerrit topic: https://review.openstack.org/#q,topic:bp/non-persistent-tokens,n,z

Addressed by: https://review.openstack.org/103247 (merged)
    Do not support toggling key_manglers in cache layer

Addressed by: https://review.openstack.org/103417 (merged)
    Remove deprecated token_api.list_tokens

Addressed by: https://review.openstack.org/106917 (merged)
    Add the new KeystoneTokenModel

Bumping to j3 as discussed at the hackathon -dolph

Addressed by: https://review.openstack.org/107217 (merged)
    Sync with oslo-incubator

Addressed by: https://review.openstack.org/107218 (merged)
    Move token_api.unique_id to token_provider_api

Addressed by: https://review.openstack.org/107219 (merged)
    Move keystone.token.default_expire_time to token.provider

Addressed by: https://review.openstack.org/107220 (merged)
    Consolidate `assert_XXX_enabled` type calls to managers

Addressed by: https://review.openstack.org/107560 (merged)
    Mark the 'check_vX_token' methods deprecated

Addressed by: https://review.openstack.org/107561 (merged)
    Move token persistence classes to token.persistence module

Addressed by: https://review.openstack.org/109041 (merged)
    Make token_provider_api contain token persistence

Addressed by: https://review.openstack.org/109162 (merged)
    Remove assignment controller dependency on token_api

Addressed by: https://review.openstack.org/109170 (merged)
    Expose token revocation list via token_provider_api

Addressed by: https://review.openstack.org/109173 (merged)
    Remove ec2 contrib dependency on token_api

Addressed by: https://review.openstack.org/109462
    Remove trust dependency on token_api

Addressed by: https://review.openstack.org/109657 (merged)
    Sample config update

Addressed by: https://review.openstack.org/109760 (merged)
    Remove duplicated asserts

Addressed by: https://review.openstack.org/113429
    Update AuthContextMiddleware to not use token_api

Addressed by: https://review.openstack.org/113430
    Add __repr__ to KeystoneToken model

Addressed by: https://review.openstack.org/114103 (abandoned)
    Do not overwrite token expires with lower resolution

Addressed by: https://review.openstack.org/114104 (abandoned)
    Convert (for mysql) revocation events expires_at to varchar

Addressed by: https://review.openstack.org/114306
    Add audit ids to tokens

Addressed by: https://review.openstack.org/114863
    Sync with oslo-incubator

Addressed by: https://review.openstack.org/114864
    Revoke by Audit Id / Audit Id Chain instead of expires

Addressed by: https://review.openstack.org/115012
    Remove SAML2 plugin dependency on token_api

Addressed by: https://review.openstack.org/115045
    Remove identity_api dependency on token_api

Addressed by: https://review.openstack.org/115147
    Add extra guarding to revoke_by_audit_id methods

Gerrit topic: https://review.openstack.org/#q,topic:bug/1292283,n,z

Addressed by: https://review.openstack.org/115205
    Remove wsgi and base controller dependency on token_api

Addressed by: https://review.openstack.org/115337
    Notification Constant Cleanup and internal notify type

Addressed by: https://review.openstack.org/115338
    Remove assignment_api dependency on token_api

Addressed by: https://review.openstack.org/115343
    Remove oauth controller dependency on token_api

Addressed by: https://review.openstack.org/115347
    Mark methods on token_api deprecated

Addressed by: https://review.openstack.org/115355
    Non-persistent Token Driver

Addressed by: https://review.openstack.org/115707
    Fix Python3 issue with token data helper test

Addressed by: https://review.openstack.org/116961
    Make persistence manager in token_provider_api private

Addressed by: https://review.openstack.org/116962
    Update tests to not use token_api

Addressed by: https://review.openstack.org/117330
    Notification Cleanup: Objects for actions

Addressed by: https://review.openstack.org/117331
    Comments to docstrings for notification emit methods

Addressed by: https://review.openstack.org/129736
    Kilo version of non-persistent token specification

Addressed by: https://review.openstack.org/134314
    Token Provider Cleanup Spec

procedural change of milestone target, feel free to target to mitaka-2 or mitaka-3. also feel free to mark this as superseded by other blueprints (fernet or otherwise) or won't fix since it's PKI related (deprecated)

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.