Bug 1041856

Summary: [RFE][keystone]: Ephemeral PKI tokens
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: openstack-keystone
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED NOTABUG
QA Contact: yeylon <yeylon>
Severity: low
Priority: medium
Version: unspecified
CC: ayoung, markmc, nbarcet, nkinder, srevivo, yeylon
Target Milestone: ---
Keywords: FutureFeature, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/non-persistent-tokens
Whiteboard: upstream_milestone_none upstream_status_good-progress upstream_definition_superseded
Doc Type: Enhancement
Last Closed: 2016-01-09 03:25:05 UTC
Bug Depends On: 1041858

Description RHOS Integration 2013-12-12 19:44:22 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/ephemeral-pki-tokens.

Description:

With token revocation events in place, we no longer have a need to store a token revocation list. The token revocation list is the primary reason why keystone bothers to persist PKI tokens, so without it, PKI tokens can become completely ephemeral.

Two steps are required to make that happen:

1) revise code that validates tokens from the token backend to pull from context instead

2) allow deployers to opt out of token persistence (UUID tokens must still be persisted)

Specification URL (additional information):

None
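The two steps in the blueprint amount to one change in the validation path: trust the signed token's own claims instead of looking the token up in a persisted table, and answer "has this been revoked?" from revocation events rather than from a revocation list of token IDs. The following is an added illustration of that validation model, not keystone code and not the blueprint's implementation. The HMAC signing, the claim names (`user_id`, `project_id`, `audit_id`, `issued_at`, `expires_at`) and the revocation-event fields are assumptions chosen for the example; real PKI tokens were CMS-signed with the keystone signing certificate, and keystone's revocation events carry more attributes than shown here.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Assumption: a symmetric key stands in for the keystone signing certificate.
# Nothing about the token is written to a backend; the claims travel with it.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Sign a claims dict and return a self-describing token (no persistence)."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(part).decode() for part in (body, mac))


def parse_token(token: str, key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Verify the signature and return the claims, or None if forged/corrupt.

    This is the "pull from context" step: the claims come from the token
    itself, not from a token table keyed by token ID.
    """
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):  # malformed structure or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(body)


@dataclass
class RevocationEvent:
    """One revocation event (assumed field names).

    A token matches the event when every non-None attribute equals the
    corresponding claim and the token was issued before `issued_before`.
    Revoking a user therefore invalidates every token issued to that user
    up to that instant, without any list of token IDs.
    """
    issued_before: int
    user_id: Optional[str] = None
    project_id: Optional[str] = None
    audit_id: Optional[str] = None

    def matches(self, claims: dict) -> bool:
        if claims["issued_at"] >= self.issued_before:
            return False
        for attr in ("user_id", "project_id", "audit_id"):
            wanted = getattr(self, attr)
            if wanted is not None and claims.get(attr) != wanted:
                return False
        return True


@dataclass
class RevocationEvents:
    """In-memory stand-in for the revocation-event store."""
    events: list = field(default_factory=list)

    def add(self, event: RevocationEvent) -> None:
        self.events.append(event)

    def is_revoked(self, claims: dict) -> bool:
        return any(ev.matches(claims) for ev in self.events)


def validate_token(token: str, events: RevocationEvents, now: int):
    """Validate using only the token's claims plus revocation events.

    Returns (ok, reason, claims); no token backend is consulted.
    """
    claims = parse_token(token)
    if claims is None:
        return False, "bad signature", None
    if now >= claims["expires_at"]:
        return False, "expired", None
    if events.is_revoked(claims):
        return False, "revoked", None
    return True, "ok", claims
```

Note the order of checks: signature first, so that an unauthenticated caller cannot drive revocation-event lookups with forged claims; expiry next, because an expired token needs no event lookup at all; revocation last. Revoking a user with `issued_before` set to the current time invalidates all of that user's outstanding tokens while leaving tokens issued afterwards valid, which is the property that lets the deployer stop persisting PKI tokens entirely.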

Comment 3 Adam Young 2014-04-22 20:20:13 UTC
This has been bumped upstream to the Juno release.

Comment 4 Nathan Kinder 2014-10-08 22:19:39 UTC
This was not implemented in Juno upstream.

Comment 7 Adam Young 2016-01-09 03:25:05 UTC
PKI tokens are being replaced by Fernet tokens, which are ephemeral. They should be default in the 'N' release.