What does revoked mean in keystone

asked 2013-06-04 08:14:17 -0500

chen-li

When I run the command "nova image-list", I get some info from /var/log/keystone/keystone.log:

2013-06-04 15:31:46 INFO [access] 192.168.11.130 - - [04/Jun/2013:07:31:46 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/rev... HTTP/1.0" 200 504
2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/rev... HTTP/1.0" 200 504

What is glance trying to get from the URL http://keystone:35357/v2.0/tokens/rev... HTTP/1.0? What does revoked mean for a token?

Thanks. -chen

4 answers

0

answered 2013-06-06 10:13:12 -0500

chen-li

Thanks xyj, that solved my question.

0

answered 2013-06-05 15:46:31 -0500

A revoked token means an invalid token: a token which has not expired, but whose valid field is set to False.

Glance fetches the revoked token list and stores it in a local file (signing_dir/revoked.pem). If your token id (PKI format) is in the revoked token list, glance will reject it.

0

answered 2013-06-06 05:58:30 -0500

chen-li

Sorry, can you explain more? I'm still confused.

Why would a token not be expired, but have its valid field set to False?

Why does glance reject these tokens?

Does glance revoke every time or at some certain operation?

Will this operation happen in other components?

Thanks. -chen

0

answered 2013-06-06 09:20:11 -0500

Keystone provides an API for deleting a token:

DELETE: /token/{token_id}

Actually, this API sets the valid field of the token to false in the db. The token is then a so-called revoked token.

The code that results in getting the revoked token list lives in keystoneclient.middleware.auth_token.

It has something to do with the verification mechanism of PKI format tokens.

All components that interact with keystone (if keystone's token format is set to PKI) will result in it.

Maybe you would like to read the code of keystoneclient.middleware.auth_token, if you want to know the details.

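Added example (not part of the answers above and not keystoneclient's own code): a sketch of the local check the answers describe, in which a service that validates PKI tokens itself rejects an unexpired token because its ID appears in the revocation list fetched from keystone. Assumptions: the list body is JSON of the form {"revoked": [{"id": ..., "expires": ...}]} whose signature has already been verified, a PKI token is listed by the MD5 hex digest of its text, and every function name and sample token here is constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


def token_id(token: str) -> str:
    """ID a service looks up in the revocation list.

    Assumption: PKI tokens (CMS blobs whose base64 text starts with "MII")
    are listed by the MD5 hex digest of their text; other tokens as-is.
    MD5 is only a short identifier here, not a security control.
    """
    if token.startswith("MII"):
        return hashlib.md5(token.encode()).hexdigest()
    return token


def revoked_ids(revocation_json: str) -> set:
    """Parse the (already signature-verified) list body into a set of IDs."""
    return {entry["id"] for entry in json.loads(revocation_json)["revoked"]}


def check_token(token: str, expires: datetime,
                revocation_json: str, now: datetime) -> str:
    """Return 'expired', 'revoked' or 'ok' for a locally validated token."""
    if expires <= now:
        return "expired"
    # Not expired, but deleted on the keystone side: reject it anyway.
    if token_id(token) in revoked_ids(revocation_json):
        return "revoked"
    return "ok"


# Constructed sample data (not real tokens).
NOW = datetime(2013, 6, 4, 7, 31, 46, tzinfo=timezone.utc)
EXPIRES = datetime(2013, 6, 5, 7, 31, 46, tzinfo=timezone.utc)
DELETED_TOKEN = "MIIconstructed-token-deleted-by-its-owner"
LIVE_TOKEN = "MIIconstructed-token-still-valid"
REVOCATION_LIST = json.dumps({"revoked": [
    {"id": token_id(DELETED_TOKEN), "expires": "2013-06-05T07:31:46Z"},
]})

if __name__ == "__main__":
    for name, tok in (("deleted", DELETED_TOKEN), ("live", LIVE_TOKEN)):
        print(name, check_token(tok, EXPIRES, REVOCATION_LIST, NOW))
```
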


Stats

Asked: 2013-06-04 08:14:17 -0500

Seen: 27 times

Last updated: Jun 06 '13