2

Is there a REST API to retrieve the token id (id column from the token table) of a PKI token?

asked 2014-03-27 14:32:38 -0500

priti-desai

updated 2014-03-27 16:28:04 -0500

smaffulli

When a PKI token is generated while authenticating a user with his credentials, the HTTP response does not contain the token id as it appears in the Token table in the Keystone database. When the token format is UUID, the token id is exactly similar to the token, so this use case is only applicable in the case of the PKI token format. This information is needed when authenticating a Keystone user based on a preexisting token. Thanks


2 answers

0

answered 2014-03-27 17:51:16 -0500

priti-desai

I am using Havana Stable, where Keystone does not encode token_id if the token is in PKI format. Havana is missing this if statement:

if isinstance(token_id, six.text_type):
    token_id = token_id.encode('utf-8')

https://github.com/openstack/keystone...

if is_ans1_token(token_id):
    hasher = hashlib.md5()
    hasher.update(token_id)
    return hasher.hexdigest()

Is it possible to backport these changes into Havana?


Comments

If that fix was part of a single commit, then it is an easy backport. You can file a defect,

Haneef Ali ( 2014-03-27 21:46:26 -0500 )
priti-desai ( 2014-03-28 12:41:09 -0500 )
0

answered 2014-03-27 17:17:31 -0500

Why do you need the token_id field for a PKI token? There is no API to retrieve it.

Wherever you have used token_id, you can use the PKI token. So in your case, you can pass the PKI token as you have done before with the UUID token.

BTW this is how it was generated:

if is_ans1_token(token_id):
    hasher = hashlib.md5()
    if isinstance(token_id, six.text_type):
        token_id = token_id.encode('utf-8')
    hasher.update(token_id)
    return hasher.hexdigest()

Comments

Hi Haneef,

But the token API has the following request type to send a token id and generate a token. What should we use in such cases? Yes, you are correct, the token is there in the header. Does that mean we can ignore this token section in the body?

The token authentication method ( http://docs.openstack.org/api/openstack-identity-service/3/content/authentication-authentication.html )

If the authenticating user is already in possession of a valid token, then that token is sufficient to identify the user. This method is typically used in combination with a request to change authorization scope.

{
    "auth": {
        "identity": {
            "methods": [
                "token"
            ],
            "token": {
                "id": "e80b74"
            }
        }
    }
}
Kasun Dilunika ( 2014-07-22 01:03:46 -0500 )

This API is for a different purpose. It is called rescope. You get a token for a tenant/project. Now you want a token for some other project. In that case you can rescope your old token to a new project instead of getting a new token.

Haneef Ali ( 2014-07-22 16:00:25 -0500 )
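
The derivation quoted in both answers, as an added Python 3 example that is not part of the thread and is not Keystone's own code: it computes the token table id locally from a token, including the encode step the first answer reports missing in Havana. The `MII` prefix check, the function names and the sample values are assumptions made for illustration; `str` stands in for `six.text_type`.

```python
import hashlib

# Assumption: PKI (base64 CMS/ASN.1) tokens are recognised by this prefix.
# The thread only shows the call is_ans1_token(token_id), not its body.
ASN1_PREFIX = "MII"


def looks_like_pki_token(token):
    """Hypothetical stand-in for the is_ans1_token() call quoted above."""
    if isinstance(token, bytes):
        return token.startswith(ASN1_PREFIX.encode("ascii"))
    return token.startswith(ASN1_PREFIX)


def token_table_id(token):
    """Return the id under which a token would be stored.

    PKI token: MD5 hex digest of the token bytes, as in the quoted snippet.
    UUID token: the token itself, as described in the question.
    """
    if token is None:
        return None
    if looks_like_pki_token(token):
        # The step reported missing in Havana: text has to be encoded
        # to bytes before it is fed to the hash.
        if isinstance(token, str):
            token = token.encode("utf-8")
        return hashlib.md5(token).hexdigest()
    return token


# Constructed sample values, not real tokens.
SAMPLE_PKI = "MIIDsAYJKoZIhvcNAQcCoIIDoTCCA50CAQExCTAHBgUrDgMCGjCC" + "A" * 64
SAMPLE_UUID = "8f2c1f0d6f5b4c0e9a7b3d2e1c0f9a8b"

if __name__ == "__main__":
    print("PKI  ->", token_table_id(SAMPLE_PKI))
    print("UUID ->", token_table_id(SAMPLE_UUID))
```
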
