Pluggable token formats

Registered by Dolph Mathews

keystone.conf's token_format currently has two options, either 'UUID' or 'PKI'. These two options represent slightly different code paths, each with their own token generation and validation logic.

Both should be made pluggable, and the existing UUID and PKI code paths should be extracted into plugins.

  token_generator = keystone.token.uuid.generator
  token_validator = keystone.token.uuid.validator

  token_generator = keystone.token.pki.generator
  token_validator = keystone.token.pki.validator

Backwards compatibility should be maintained for overriding token_format such that if 'UUID' is specified, then the default UUID token generator & validator callables should be used, etc.

Additionally, the PKI token_validator should consume keystoneclient.
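The backwards-compatibility rule above can be sketched as a small resolver. This is an added illustration, not code from Keystone or from the blueprint's reviews. The option names and dotted paths are the ones listed above. The default format, the precedence of explicit plugin options over token_format, and the mixed-pair check are assumptions.

```python
# Added illustration, not Keystone code. Option names and dotted paths are the
# ones listed in the blueprint; everything marked "assumption" is not on the page.
LEGACY_FORMATS = {
    "UUID": ("keystone.token.uuid.generator", "keystone.token.uuid.validator"),
    "PKI": ("keystone.token.pki.generator", "keystone.token.pki.validator"),
}
DEFAULT_FORMAT = "UUID"  # assumption: the blueprint does not state a default


class TokenConfigError(ValueError):
    """Raised when the token options cannot be resolved to a consistent pair."""


def _family(dotted_path):
    # "keystone.token.pki.validator" -> "keystone.token.pki"
    return dotted_path.rpartition(".")[0]


def resolve_token_plugins(conf):
    """Return (generator_path, validator_path) for a dict of config options."""
    fmt = conf.get("token_format")
    if fmt is not None and fmt not in LEGACY_FORMATS:
        # Fail closed instead of silently falling back to another format.
        raise TokenConfigError("unknown token_format: %r" % (fmt,))

    base_gen, base_val = LEGACY_FORMATS[fmt or DEFAULT_FORMAT]
    # Assumption: an explicit plugin option overrides the legacy token_format.
    gen = conf.get("token_generator") or base_gen
    val = conf.get("token_validator") or base_val

    if _family(gen) != _family(val):
        # Assumption: both callables live in one plugin module. A validator
        # from another plugin would reject every token the generator issues.
        raise TokenConfigError("generator %s and validator %s come from "
                               "different plugins" % (gen, val))
    return gen, val
```

Overriding only one of the two callables while token_format still selects the other plugin is reported as an error here, which surfaces a half-migrated configuration at startup rather than at the first token validation.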

See related Havana summit etherpad: https://etherpad.openstack.org/havana-external-auth

Blueprint information

Status: Complete
Approver: Dolph Mathews
Priority: Medium
Drafter: Dolph Mathews
Direction: Approved
Assignee: Guang Yee
Definition: Approved
Series goal: Accepted for havana
Implementation: Implemented
Milestone target: 2013.2
Started by: Thierry Carrez
Completed by: Dolph Mathews

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/pluggable-token-format,n,z

Addressed by: https://review.openstack.org/29021
    pluggable token management

Gerrit topic: https://review.openstack.org/#q,topic:bug/1186061,n,z

Addressed by: https://review.openstack.org/33858
    Pluggable Token Provider (Part 2)

Addressed by: https://review.openstack.org/34421
    Pluggable Token Provider (Part 2)
