Bug 1041856 - [RFE][keystone]: Ephemeral PKI tokens
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: unspecified
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: RHOS Maint
QA Contact: yeylon@redhat.com
URL: https://blueprints.launchpad.net/keys...
Whiteboard: upstream_milestone_none upstream_stat...
Depends On: 1041858
Blocks:
Reported: 2013-12-12 19:44 UTC by RHOS Integration
Modified: 2016-04-26 15:06 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-01-09 03:25:05 UTC
Target Upstream Version:



Description RHOS Integration 2013-12-12 19:44:22 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/ephemeral-pki-tokens.

Description:

With token revocation events in place, we no longer have a need to store a token revocation list. The token revocation list is the primary reason why keystone bothers to persist PKI tokens, so without it, PKI tokens can become completely ephemeral.

Two steps are required to make that happen:

1) revise code that validates tokens from the token backend to pull from context instead

2) allow deployers to opt out of token persistence (UUID tokens must still be persisted)

Specification URL (additional information):

None
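
The validation model the description proposes, as an added sketch that is not keystone code: the token is checked from its own signed contents plus a list of revocation events, with no lookup in a token store. Assumptions: HMAC-SHA256 stands in for the CMS signature that PKI tokens carry, timestamps are plain integers, and every function and field name here is hypothetical.

```python
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # assumption: stands in for the PKI signing key


def _sign(body):
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def issue_token(user_id, project_id, issued_at, expires_at):
    """Build a self-contained token (payload + signature); nothing is persisted."""
    body = json.dumps({"user_id": user_id, "project_id": project_id,
                       "issued_at": issued_at, "expires_at": expires_at},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)


def is_revoked(token_data, events):
    """An event matches when every field it sets equals the token's value
    and the token was issued before the event's cutoff."""
    for ev in events:
        scoped = all(token_data.get(k) == v
                     for k, v in ev.items() if k != "issued_before")
        if scoped and token_data["issued_at"] < ev["issued_before"]:
            return True
    return False


def validate_token(token, events, now):
    """Validate from the presented token itself; return its data or None."""
    try:
        encoded, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(encoded)
    except ValueError:  # malformed token or bad base64
        return None
    # Verify the signature before trusting or parsing any of the payload.
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None
    data = json.loads(body)
    if now >= data["expires_at"] or is_revoked(data, events):
        return None
    return data
```

Because one event can invalidate every matching token issued before its cutoff, the validator only needs the event list, which is what removes the need to persist each token.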

Comment 3 Adam Young 2014-04-22 20:20:13 UTC
This has been bumped upstream to the Juno release.

Comment 4 Nathan Kinder 2014-10-08 22:19:39 UTC
This was not implemented in Juno upstream.

Comment 7 Adam Young 2016-01-09 03:25:05 UTC
PKI tokens are being replaced by Fernet tokens, which are ephemeral. They should be default in the 'N' release.
