Ask Your Question
0

What is revoked mean in keystone

asked 2013-06-04 08:14:17 -0500

chen-li gravatar image

When I run command "nova image-list", I get some info from /var/log/keystone/keystone.log:

2013-06-04 15:31:46 INFO [access] 192.168.11.130 - - [04/Jun/2013:07:31:46 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143 2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/rev... HTTP/1.0" 200 504 2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/rev... HTTP/1.0" 200 504

What is glance try to get from URL http://keystone:35357/v2.0/tokens/rev... HTTP/1.0 ? What is revoked means for token ?

Thanks. -chen

edit retag flag offensive close merge delete
add a comment

4 answers

Sort by ยป oldest newest most voted
0

answered 2013-06-06 10:13:12 -0500

chen-li gravatar image

Thanks xyj, that solved my question.

edit flag offensive delete link more
add a comment
0

answered 2013-06-05 15:46:31 -0500

xyj-asmy gravatar image

revoked token means invalid token, indicating tokens which are not expired, but the valid field is set to False.

glance fetch the revoked token list and store them in local file(signing_dir/revoked.pem). If you token id(pki format) in revoked token list, glance will reject it.

edit flag offensive delete link more
add a comment
0

answered 2013-06-06 05:58:30 -0500

chen-li gravatar image

sorry, can you explain more ? I'm still confusing.

Why would a token not expired, but the valid field is set to False ?

Why glance reject these token?

Do glance revoked every time or at some certain operation?

Will this operation happen in other components ?

Thanks. -chen

edit flag offensive delete link more
add a comment
0

answered 2013-06-06 09:20:11 -0500

xyj-asmy gravatar image

keystone provides api for deleting token:

DELETE: /token/{token_id}

actually, this api set the valid field of token to false in db.Then the token is so called revoked token

The code result in getting revoked token list nest in keystoneclient.middleware.auth_token.

It has sth to do with the verify mechanism of pki format token.

All components interact with keystone(if keystone's token format is set to PKI) will result in it.

Maybe you would like to read the code of keystoneclient.middleware.auth_token,if you want to know the details.

edit flag offensive delete link more
add a comment

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2013-06-04 08:14:17 -0500

Seen: 27 times

Last updated: Jun 06 '13

Related questions

The resource could not be found

What's the requirements to get keystone-all to work?

How to run an especial keystone testcase seperately?

Unable to authorize user

nova-instancemonitor libvirt issue

keystone is not working after moving to v2 from v3.

Can I set tenant-id programmatically?

How to get a domain scoped token

pica8 switch integration?

glance return uploaded image size 0