Behavior of Clients w/PKI

Asked by Conrad Mukai

I am trying to verify how various clients behave when Keystone uses PKI to offload verification to clients. I created a stable/havana devstack and observed the following:

1. stable/havana devstack configures token_format=PKI in the [signing] section of keystone.conf;
2. during the configuration of Keystone by devstack I saw that keystone-manage pki_setup was invoked and found the requisite certs in /etc/keystone/ssl;
3. in the keystone access log I saw GET requests to v2.0/certificates/signing and v2.0/certificates/ca;
4. I then ran nova list and observed the following calls made to Keystone:
POST v2.0/tokens
GET v2.0/tokens/revoked

Is this behavior correct? How do I keep Nova (and any other client) from requesting tokens directly from Keystone? Thanks in advance.

Haneef Ali (haneef) said :
#1

That is correct. You can't keep nova and other clients from requesting tokens from keystone. The only way they can get a token is from keystone. What a PKI token does is prevent nova and other services from calling keystone to validate the token. Since they have the certs they can validate the token without hitting keystone. If you don't use PKI tokens you will see GET /v2.0/tokens calls to validate the token.

Conrad Mukai (cmukai) said :
#2

Thank you for the quick response. I just want to clarify a few points. According to the documentation token validation uses the following REST call:

GET v2.0/tokens/{token_id}{?tenant_id}

to confirm that a token belongs to tenant. Correct? So the absence of such calls means the client is using PKI.

Also, does the POST call I observed generate a token for the subsequent call to GET v2.0/tokens/revoked? Is this because the nova client chooses not to cache a revocation list, or do all clients have to do this? Thanks.

Best Haneef Ali (haneef) said :
#3

Yes, GET v2.0/tokens/{token_id}{?tenant_id} is used to validate the token.

Since we are not hitting keystone for token validation, how does the client know if the token is revoked? Keystone maintains revoked tokens. Clients are supposed to periodically get the current revocation list and check whether the token is revoked. This is the general concept.

This token revocation list API has changed a lot, and keystoneclient does this properly (I believe it gets it once a minute). I'm assuming all the clients (nova client, swift client) will have the same behavior once they start using the current keystoneclient.
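
Added example, not part of this thread or of keystoneclient's own code: a small Python sketch of the client-side revocation check described in the answer above, with a cached list that is refetched only after a fixed interval so that the per-request token check never hits keystone. The revocation-list payload is constructed, the 60-second interval and the MD5-of-token id scheme are assumptions modelled on keystoneclient's auth_token middleware, and the CMS signature keystone puts on the real list (which the client verifies against its cached signing cert) is left out.

```python
import hashlib
import json
import time

# Constructed sample PKI tokens (real ones are base64 CMS blobs, hence the "MII" prefix).
GOOD_TOKEN = "MII-constructed-pki-token-still-valid"
REVOKED_TOKEN = "MII-constructed-pki-token-that-was-revoked"


def pki_token_hash(token):
    """Revocation entries identify PKI tokens by the MD5 hex digest of the
    whole token string (assumption modelled on keystoneclient's behaviour)."""
    return hashlib.md5(token.encode("ascii")).hexdigest()


def fake_fetch_revocation_list():
    """Stand-in for GET /v2.0/tokens/revoked; returns a constructed JSON body
    shaped like the payload inside keystone's signed revocation list."""
    entries = [{"id": pki_token_hash(REVOKED_TOKEN), "expires": "2014-01-01T00:00:00Z"}]
    return json.dumps({"revoked": entries})


class RevocationCache:
    """Caches the revocation list and only refetches it once per `ttl` seconds."""

    def __init__(self, fetch, ttl=60, clock=time.time):
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._ids, self._fetched_at, self.fetch_count = set(), None, 0

    def _refresh_if_stale(self):
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            payload = json.loads(self._fetch())
            self._ids = {entry["id"] for entry in payload["revoked"]}
            self._fetched_at, self.fetch_count = now, self.fetch_count + 1

    def is_revoked(self, token):
        self._refresh_if_stale()          # at most one keystone call per ttl window
        return pki_token_hash(token) in self._ids


def demo():
    """Three checks across a simulated clock: only two of them fetch the list."""
    clock = [0.0]
    cache = RevocationCache(fake_fetch_revocation_list, ttl=60, clock=lambda: clock[0])
    results = [cache.is_revoked(GOOD_TOKEN),      # first call fetches the list
               cache.is_revoked(REVOKED_TOKEN)]   # served from cache
    clock[0] = 61.0                               # past the ttl: next check refetches
    results.append(cache.is_revoked(GOOD_TOKEN))
    return results, cache.fetch_count
```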

Conrad Mukai (cmukai) said :
#4

Thanks Haneef Ali, that solved my question.