List Revocation Events
List the events that lead to revoked tokens instead of the revoked token ids
Revocation events will be a tuple: (UserId, ProjectId, time).
The list of revocation events will only last until the project has expired.
Revocation lists will be grouped by domain id or project id.
As a consequence of this blueprint, GET /v3/auth/
This will close bug 1242620.
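As an added example (not Keystone's code and not part of this blueprint), the check a consumer of the event list would perform: a token is revoked when an event's user/project scope covers it and the token was issued before the event's time, and an event can be dropped once every token it could cover has expired. The None-as-wildcard fields, the `issued_before` name and the enforced maximum token lifetime used for pruning are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class RevocationEvent:
    # The (UserId, ProjectId, time) tuple from the blueprint. Assumption: a None
    # field is a wildcard, so the event is scoped only by the fields that are set.
    user_id: Optional[str]
    project_id: Optional[str]
    issued_before: datetime  # tokens issued before this instant are revoked

@dataclass(frozen=True)
class Token:
    user_id: str
    project_id: Optional[str]
    issued_at: datetime
    expires_at: datetime

def matches(event: RevocationEvent, token: Token) -> bool:
    """True if this event revokes this token."""
    if event.user_id is not None and event.user_id != token.user_id:
        return False
    if event.project_id is not None and event.project_id != token.project_id:
        return False
    return token.issued_at < event.issued_before

def is_revoked(token: Token, events, now: datetime) -> bool:
    """A token is unusable once it has expired or any event matches it."""
    return now >= token.expires_at or any(matches(e, token) for e in events)

def prune(events, now: datetime, max_token_lifetime: timedelta) -> list:
    # Every token an event covers was issued before issued_before, so it has
    # expired by issued_before + max_token_lifetime (assumed enforced upper bound).
    return [e for e in events if e.issued_before + max_token_lifetime > now]

def sample_scenario() -> dict:
    """Constructed data: project-wide revocation of proj-a one hour after t0."""
    t0 = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)
    hour = timedelta(hours=1)
    old = Token("alice", "proj-a", t0, t0 + 24 * hour)
    fresh = Token("alice", "proj-a", t0 + 2 * hour, t0 + 26 * hour)
    other = Token("bob", "proj-b", t0, t0 + 24 * hour)
    events = [RevocationEvent(None, "proj-a", t0 + hour)]
    now = t0 + 3 * hour
    return {"old": is_revoked(old, events, now),      # True: issued before the event
            "fresh": is_revoked(fresh, events, now),  # False: issued after it
            "other": is_revoked(other, events, now),  # False: different project
            "left": len(prune(events, t0 + 30 * hour, 24 * hour))}  # 0: covered tokens expired
```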
Blueprint information
- Status: Complete
- Approver: None
- Priority: High
- Drafter: Adam Young
- Direction: Needs approval
- Assignee: Adam Young
- Definition: New
- Series goal: Accepted for icehouse
- Implementation: Implemented
- Milestone target: 2014.1
- Started by: Dolph Mathews
- Completed by: Thierry Carrez
Related branches
Related bugs
Sprints
Whiteboard
I like the concept of grouping by domain (vs. group by project). As long as we
collect the revocation events for a given domain (if we don't know about the
domain yet, aka no events on the notification bus, no record of revocation
events). If an event for a (never before seen) domain comes across the bus,
we should request the full list of events for that domain. Would you expect a
complete refresh of the list on a domain for an event? --morganfainberg
Advantages
==========
- we can drop token persistence completely for PKI tokens (revocation list is
the only reason we need it today)
Alternative
===========
OCSP - Online Certificate Status Protocol
Disadvantages
=============
- Tokens MUST be re-issued with the exact same expires_at to support explicit token revocation; issuing tokens with a shorter expiration is no longer a valid option in the future.
To be Addressed
===============
Similar to other services, we need to provide links in the events packet. Primarily, we need to know the location of the bus from which to receive deltas.
Gerrit topic: https:/
Addressed by: https:/
API
Gerrit topic: https:/
Addressed by: https:/
Token Revocation Extension
Addressed by: https:/
append extension name to trust notifications
Addressed by: https:/
Don't duplicate the existing config file list
Addressed by: https:/
initialize environment for tests that call popen
Addressed by: https:/
Allow event callback registration for arbitrary resource types
Addressed by: https:/
Notifications upon disable
Addressed by: https:/
Additional notifications for revocations
Addressed by: https:/
revocation events
Gerrit topic: https:/
Gerrit topic: https:/
Addressed by: https:/
SQL Backend for Revocation Events
Addressed by: https:/
Revocation events for keystonemiddleware
Work Items
[ayoung] Define format for reporting items: TODO
[ayoung] spec out tool to determine if a token matches revocation criteria: TODO
[ayoung] determine how to report revoking a specific token: TODO
[ayoung] determine how to report token chain of allocation: TODO