Ask Your Question
0

What is revoked mean in keystone

asked 2013-06-04 08:14:17 -0600

chen-li gravatar image

When I run command "nova image-list", I get some info from /var/log/keystone/keystone.log:

2013-06-04 15:31:46 INFO [access] 192.168.11.130 - - [04/Jun/2013:07:31:46 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143 2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/rev... HTTP/1.0" 200 504 2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/rev... HTTP/1.0" 200 504

What is glance try to get from URL http://keystone:35357/v2.0/tokens/rev... HTTP/1.0 ? What is revoked means for token ?

Thanks. -chen

edit retag flag offensive close merge delete
add a comment

4 answers

Sort by » oldest newest most voted
0

answered 2013-06-06 10:13:12 -0600

chen-li gravatar image

Thanks xyj, that solved my question.

edit flag offensive delete link more
add a comment
0

answered 2013-06-05 15:46:31 -0600

xyj-asmy gravatar image

revoked token means invalid token, indicating tokens which are not expired, but the valid field is set to False.

glance fetch the revoked token list and store them in local file(signing_dir/revoked.pem). If you token id(pki format) in revoked token list, glance will reject it.

edit flag offensive delete link more
add a comment
0

answered 2013-06-06 05:58:30 -0600

chen-li gravatar image

sorry, can you explain more ? I'm still confusing.

Why would a token not expired, but the valid field is set to False ?

Why glance reject these token?

Do glance revoked every time or at some certain operation?

Will this operation happen in other components ?

Thanks. -chen

edit flag offensive delete link more
add a comment
0

answered 2013-06-06 09:20:11 -0600

xyj-asmy gravatar image

keystone provides api for deleting token:

DELETE: /token/{token_id}

actually, this api set the valid field of token to false in db.Then the token is so called revoked token

The code result in getting revoked token list nest in keystoneclient.middleware.auth_token.

It has sth to do with the verify mechanism of pki format token.

All components interact with keystone(if keystone's token format is set to PKI) will result in it.

Maybe you would like to read the code of keystoneclient.middleware.auth_token,if you want to know the details.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-06-04 08:14:17 -0600

Seen: 32 times

Last updated: Jun 06 '13

Related questions

How to use keystone API extenstion to send a JSON format request “add global role to user ”?

Global and private endpoints on 2012.1

how to get an openstack token and validate it?

Glance Scrubber not running

Openstack resource integration

Savanna - Floating IP not able to access

Keystone-manage command not found.

How to run unit test?

Devstack installation failure

authorization failed (keystone logs)