What does revoked mean in keystone

Asked by li,chen

When I run the command "nova image-list", I get some info from /var/log/keystone/keystone.log:

2013-06-04 15:31:46 INFO [access] 192.168.11.130 - - [04/Jun/2013:07:31:46 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 5143
2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504
2013-06-04 15:31:46 INFO [access] 192.168.11.10 - - [04/Jun/2013:07:31:46 +0000] "GET http://keystone:35357/v2.0/tokens/revoked HTTP/1.0" 200 504

What is glance trying to get from the URL http://keystone:35357/v2.0/tokens/revoked HTTP/1.0?
What does revoked mean for a token?

Thanks.
-chen

Question information

Language: English
Status: Solved
For: OpenStack Identity (keystone)
Assignee: No assignee
Solved by: xyj

xyj (xyj-asmy) said :
#1

A revoked token means an invalid token, indicating tokens which are not expired, but whose valid field is set to False.

glance fetches the revoked token list and stores it in a local file (signing_dir/revoked.pem). If your token id (pki format) is in the revoked token list, glance will reject it.

li,chen (chen-li) said :
#2

Sorry, can you explain more? I'm still confused.

Why would a token not be expired, but have the valid field set to False?

Why does glance reject these tokens?

Does glance request revoked every time, or only at certain operations?

Will this operation happen in other components?

Thanks.
-chen

Best xyj (xyj-asmy) said :
#3

keystone provides an api for deleting a token:

DELETE: /token/{token_id}

Actually, this api sets the **valid** field of the token to false in the db. Then the token is a so-called **revoked token**.

The code that results in getting the revoked token list lives in keystoneclient.middleware.auth_token.

It has something to do with the verification mechanism of PKI format tokens.

All components that interact with keystone (if keystone's token format is set to PKI) will result in it.

Maybe you would like to read the code of keystoneclient.middleware.auth_token, if you want to know the details.
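
The check described in the answers above, as an added example that is not part of the original thread and is not keystoneclient code: a service caches the revoked list in a local file and rejects tokens whose id is on it, so a token revoked on the server is still accepted until the cached list is fetched again. `RevocationCache`, its parameters, the JSON shape of the list and the MD5-based token id are assumptions made for the sketch, and any signature verification of the fetched list is left out.

```python
import hashlib
import json
import tempfile
import time


class RevocationCache:
    """Simplified model of a service-side revoked-token check (hypothetical)."""
    def __init__(self, fetch, cache_path, max_age=1.0, clock=time.monotonic):
        self._fetch = fetch          # callable returning the revoked list as JSON text
        self._path = cache_path      # stands in for signing_dir/revoked.pem
        self._max_age = max_age      # seconds before the list is fetched again
        self._clock = clock
        self._fetched_at = None
        self.fetch_count = 0

    def _revoked_ids(self):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._max_age:
            body = self._fetch()     # in the thread: GET /v2.0/tokens/revoked
            with open(self._path, "w") as f:
                f.write(body)
            self._fetched_at = now
            self.fetch_count += 1
        with open(self._path) as f:
            return {entry["id"] for entry in json.load(f)["revoked"]}

    def is_revoked(self, pki_token):
        # Assumption: a PKI token is listed by the MD5 hex digest of its text.
        token_id = hashlib.md5(pki_token.encode()).hexdigest()
        return token_id in self._revoked_ids()


def demo():
    token = "MIICconstructed-sample-pki-token"      # constructed, not a real token
    server_list = {"revoked": []}                   # constructed server-side state
    now = [0.0]                                     # fake clock so the demo is instant
    path = tempfile.mkdtemp() + "/revoked.pem"
    cache = RevocationCache(lambda: json.dumps(server_list), path, 1.0, lambda: now[0])
    before = cache.is_revoked(token)                # list is empty
    server_list["revoked"].append({"id": hashlib.md5(token.encode()).hexdigest()})
    stale = cache.is_revoked(token)                 # cached list is still in use
    now[0] = 2.0                                    # cached list has aged out
    after = cache.is_revoked(token)                 # list is fetched again
    return before, stale, after, cache.fetch_count


if __name__ == "__main__":
    print(demo())
```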

li,chen (chen-li) said :
#4

Thanks xyj, that solved my question.