3

Why does "nova list" only access keystone once

asked 2013-06-09 02:52:42 -0500

chen-li

For the command "nova list", I used to think it needs to access keystone three times. First, the user needs to get a new token. Then nova receives the request, and nova needs to get a new token too. At last, nova would use its own token with keystone to verify the user's token. But currently, when I am working with Grizzly, I found this command actually only accesses keystone once; only the user needs to get a new token. So my question is, how does nova verify the user's token?

Thanks -chen


3 answers

0

answered 2014-03-20 04:33:48 -0500

9lives

From this blog http://www.mirantis.com/blog/understa...

From Grizzly, keystone uses the PKI token as the default token provider. The reason for this is to enhance performance: if we use the uuid token provider, when you run nova list, 3 API calls will be made to keystone.

If we use the PKI token provider, only 1 API call to keystone is needed, to get the keystone signing certificate and the keystone CA certificate; the token validation will be handled offline.

Hope that helps!

Vic

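The offline validation described in the answer above, as an added example that is not part of the original thread or Keystone's own code: a CMS-signed token is checked against a cached signing certificate and CA certificate, with no call back to the issuer. It assumes the `openssl` CLI is available; the CA, certificate names, paths and token body are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every name, path and token body here is hypothetical.
WORK=$(mktemp -d)

# Identity-service side: a CA plus a signing certificate issued by it.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-signing" \
    -keyout "$WORK/signing.key" -out "$WORK/signing.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/signing.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/signing.pem" 2>/dev/null
}

# issue_token BODY CERT KEY: emit BODY as a CMS-signed token (PEM) on stdout.
issue_token() {
  printf '%s' "$1" | openssl cms -sign -signer "$2" -inkey "$3" -md sha256 \
    -outform PEM -nosmimecap -nodetach -nocerts -noattr 2>/dev/null
}

# API-service side: holds only signing.pem and ca.pem, fetched once and cached.
# validate_token FILE: print the token body and return 0 only if the signature
# verifies and the signer chains to the cached CA. Nothing is sent to the issuer.
validate_token() {
  local body
  body=$(openssl cms -verify -inform PEM -in "$1" \
    -certfile "$WORK/signing.pem" -CAfile "$WORK/ca.pem" 2>/dev/null) || return 1
  printf '%s\n' "$body"
}

setup_pki
BODY='{"user":"demo","roles":["member"],"expires":"2099-01-01T00:00:00Z"}'
issue_token "$BODY" "$WORK/signing.pem" "$WORK/signing.key" > "$WORK/good.pem"

# A token signed by a key the CA never issued must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=untrusted" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
issue_token "$BODY" "$WORK/other.pem" "$WORK/other.key" > "$WORK/bad.pem"

validate_token "$WORK/good.pem" >/dev/null && echo "good token: accepted offline"
validate_token "$WORK/bad.pem"  >/dev/null || echo "untrusted token: rejected"
```

The signature check only proves who issued the token; a service validating offline still has to read the `expires` field in the body itself.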
0

answered 2014-03-20 00:30:06 -0500

Did you check the default token format for keystone in Grizzly? If it is PKI, it won't go to keystone for verification.

0

answered 2013-06-09 05:35:26 -0500

RomilGupta

Hi Chen,

First, Keystone authenticates the credentials and generates and sends back an auth-token, which will be used for sending requests to other components through REST calls. Second, nova-api receives the request and sends a request for validation of the auth-token and access permission to keystone. Third, Keystone validates the token and sends updated auth headers with roles and permissions. Fourth, nova-api interacts with nova-database and displays the list of instances.


Comments

Yes, that's exactly what I think the process is too. But, based on this, three keystone accesses will happen, right? When I check keystone's log, I only observed one access. Why?

chen-li (2013-06-10 03:33:45 -0500)


Stats

Asked: 2013-06-09 02:52:42 -0500

Seen: 113 times

Last updated: Mar 20 '14