What does "revoked" mean in keystone

asked 2013-06-04 03:26:52 -0500

chen-li

updated 2013-12-17 14:26:07 -0500

smaffulli

When I run the command nova image-list, I get some info from /var/log/keystone/keystone.log:

2013-06-04 15:31:46 INFO [access] - - [04/Jun/2013:07:31:46 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
2013-06-04 15:31:46 INFO [access] - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504
2013-06-04 15:31:46 INFO [access] - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504

What is glance trying to get from URL http://keystone:35357/v2.0/tokens/revoked HTTP/1.0? What does revoked mean in the context of tokens?

answered 2013-06-08 23:01:23 -0500

fifieldt

Tokens have an expiry time, before which they need to be renewed, or they can be manually revoked. A 'revoked' token means that it is no longer able to be used for one of these reasons. Instead, a new token should be requested.

Thanks. Then, what is GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0 doing?

chen-li ( 2013-06-08 23:13:27 -0500 )

This will return the list of revoked tokens, which can be used to check whether the token is still valid or not.

fifieldt ( 2013-06-09 02:41:32 -0500 )

Oh, understood. Another question: using the command "nova list" as the example, I used to think that when a user runs the command "nova list", keystone would accept three accesses, from user, nova, and nova. But now only one access is needed; do you know why? I guess this is related to revoked tokens.

chen-li ( 2013-06-09 02:46:00 -0500 )

To help with indexing, please create a new question entry for this one :)

fifieldt ( 2013-06-09 02:47:01 -0500 )
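
Added example (not part of the original thread, and not Keystone's or any OpenStack project's own code): a sketch of how a service could use a revoked-token list such as the one returned by GET /v2.0/tokens/revoked to reject a token locally, refetching the list only when its cached copy is stale. Assumptions: the list has already been fetched and its signature verified, its decoded shape is {"revoked": [{"id": ..., "expires": ...}]}, and a token is listed under the MD5 hex digest of its text; RevocationCache, check_token, token_id and max_age are hypothetical names.

```python
import hashlib
import json

# Constructed sample data; the list shape is an assumption (see lead-in).
SAMPLE_TOKEN = "constructed-sample-token-A"
SAMPLE_LIST = json.dumps({
    "revoked": [
        {"id": hashlib.md5(SAMPLE_TOKEN.encode()).hexdigest(),
         "expires": "2013-06-05T07:31:46Z"},
    ]
})


def token_id(token):
    """ID a token is listed under (assumed: MD5 hex digest of the token text)."""
    return hashlib.md5(token.encode("utf-8")).hexdigest()


class RevocationCache:
    """Keeps the last fetched list and refetches it after max_age seconds."""

    def __init__(self, fetch, max_age=1.0):
        self._fetch = fetch        # callable returning the verified list as JSON
        self._max_age = max_age    # hypothetical refresh interval, in seconds
        self._ids = frozenset()
        self._loaded_at = None

    def is_revoked(self, token, now):
        stale = self._loaded_at is None or now - self._loaded_at >= self._max_age
        if stale:
            doc = json.loads(self._fetch())
            self._ids = frozenset(entry["id"] for entry in doc["revoked"])
            self._loaded_at = now
        return token_id(token) in self._ids


def check_token(token, expires_at, cache, now):
    """Return 'ok', 'expired' or 'revoked' for a token presented to a service.

    expires_at is a timezone-aware datetime; now is a POSIX timestamp.
    """
    if now >= expires_at.timestamp():
        return "expired"
    if cache.is_revoked(token, now):
        return "revoked"
    return "ok"
```

A revocation only takes effect at the service after its next refetch, so max_age bounds how long a revoked token can still be accepted.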

