Why does "nova list" only access keystone once?

asked 2013-06-09 02:52:42 -0600

chen-li

For the command "nova list", I used to think it needed to access keystone three times. First, the user needs to get a new token. Then nova receives the request, and nova needs to get a new token too. At last, nova would use its own token with keystone to verify the user's token. But currently, when I am working with Grizzly, I found this command actually only accesses keystone once; only the user needs to get a new token. So my question is: how does nova verify the user's token?

Thanks -chen


3 answers


answered 2013-06-09 05:35:26 -0600

RomilGupta

Hi Chen,

First, Keystone authenticates the credentials, then generates and sends back an auth-token, which will be used for sending requests to other components through REST calls. Second, nova-api receives the request and sends a request to keystone to validate the auth-token and access permissions. Third, Keystone validates the token and sends updated auth headers with roles and permissions. Fourth, nova-api interacts with the nova database and displays the list of instances.



Yes, that's exactly what I think the process is too. But, based on this, three keystone accesses will happen, right? When I check keystone's log, I only observed one access. Why?

chen-li (2013-06-10 03:33:45 -0600)

answered 2014-03-20 00:30:06 -0600

Did you check the default token format for keystone in Grizzly? If it is PKI, it won't go to keystone for verification.

answered 2014-03-20 04:33:48 -0600

9lives

From this blog: http://www.mirantis.com/blog/understa...

From Grizzly on, keystone uses the PKI token as the default token provider. The reason for this is to enhance performance: if we use the uuid token provider, when you run nova list, 3 API calls will be invoked to keystone.

If we use the PKI token provider, only 1 API call to keystone is needed to get the keystone signing certificate and the keystone CA certificate; the token validation will be handled offline.

Hope that helps!
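
What "handled offline" amounts to, as an added example that is not part of the original thread and is not OpenStack's own code: it models a PKI token as a CMS-signed JSON body and verifies it with the `openssl` CLI, using only a CA certificate and a signing certificate obtained once. The file names, subject names and token bodies are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, certificate and token body is generated here.
set -eu
WORK=$(mktemp -d)

# Keystone side: a CA plus a token-signing certificate issued by it.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-signing" \
    -keyout "$WORK/signing.key" -out "$WORK/signing.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/signing.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/signing.pem" 2>/dev/null
}

# Sign a token body as CMS. -nocerts keeps the signer certificate out of
# the token, so the verifier must already hold it.
sign_token() {  # $1 body file, $2 output token, $3 signer cert, $4 signer key
  openssl cms -sign -binary -in "$1" -signer "$3" -inkey "$4" \
    -outform PEM -nodetach -nocerts -noattr -out "$2" 2>/dev/null
}

# nova-api side: offline check against the two certificates fetched once.
# Prints the token body on success, returns non-zero otherwise.
verify_token() {  # $1 token file
  openssl cms -verify -binary -in "$1" -inform PEM \
    -certfile "$WORK/signing.pem" -CAfile "$WORK/ca.pem" 2>/dev/null
}

make_pki
printf '%s' '{"user": "chen", "roles": ["member"]}' > "$WORK/body.json"
sign_token "$WORK/body.json" "$WORK/token.pem" \
  "$WORK/signing.pem" "$WORK/signing.key"

# A token signed by a key the CA never certified (self-signed rogue cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null
printf '%s' '{"user": "chen", "roles": ["admin"]}' > "$WORK/forged.json"
sign_token "$WORK/forged.json" "$WORK/forged.pem" \
  "$WORK/rogue.pem" "$WORK/rogue.key"

verify_token "$WORK/token.pem" >/dev/null && echo "genuine token: accepted"
verify_token "$WORK/forged.pem" >/dev/null || echo "forged token: rejected"
```

A valid signature only shows that the token was issued by the holder of the signing key; a service validating offline still has to check expiry from the token body and learn about revoked tokens some other way.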



Asked: 2013-06-09 02:52:42 -0600

Seen: 159 times

Last updated: Mar 20 '14