Behavior of Clients w/PKI
I am trying to verify how various clients behave when Keystone uses PKI to offload verification to clients. I created a stable/havana devstack and observed the following:
1. stable/havana devstack configures token_format=PKI in the [signing] section of keystone.conf;
2. during the configuration of Keystone by devstack I saw that keystone-manage pki_setup was invoked and found the requisite certs in /etc/keystone/ssl;
3. in the keystone access log I saw GET requests to v2.0/certificat
4. I then ran nova list and observed the following calls made to Keystone:
POST v2.0/tokens
GET v2.0/tokens/revoked
Is this behavior correct? How do I keep Nova (and any other client) from requesting tokens directly from Keystone? Thanks in advance.
Question information
- Language: English
- Status: Solved
- Assignee: No assignee
- Solved by: Haneef Ali