Deep Dive into Keystone Tokens and Lessons Learned Priti Desai & Brad Pokorny

Upload: priti-desai

Post on 19-Jan-2017


Page 1: Deep Dive into Keystone Tokens and Lessons Learned

Deep Dive into Keystone Tokens and Lessons Learned

Priti Desai & Brad Pokorny

Page 2

Who are we?

• Priti Desai, Advisory Software Engineer, IBM
• Brad Pokorny, Principal Software Engineer, Symantec

Page 3

What token format should we configure in our OpenStack Deployment?

Page 4

Token Formats

• UUID
• PKI
• PKIZ
• Fernet

Page 5

UUID

Page 6

UUID

• Simplest and most lightweight token format
• Version 4 UUID
• Configuration in keystone.conf:

[token]
provider = keystone.token.providers.uuid.Provider

Page 7

UUID – Token Generation Workflow

Request Token with:
• User Name
• Password
• Project Name

Keystone then walks its Identity, Resource, Assignment and Catalog backends:

Step 1: Identity – User Validation: retrieves User ID
Step 2: Resource – Project Validation: retrieves Project ID and Domain ID
Step 3: Assignment – retrieves Roles for this User on the Project or Domain; returns Failure if the User does not have any Role
Step 4: Catalog – retrieves Services and Endpoints for all the services
Step 5: Bundles Identity, Resource, Assignment and Catalog information into the Token Payload
Step 6: Creates Token ID: uuid.uuid4().hex
Step 7: Stores them in SQL/KVS:
• Token ID
• Expiration
• Valid
• User ID
• Extra

Page 8

Sample UUID Token in SQL Backend

id: f10700e71ff045cbb850072a0bd6a4e6
expires: 2015-10-08 21:18:43
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-08T21:18:43.995255Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["bI1EMzqUQM2sqFimOtIPpQ"], "issued_at": "2015-10-08T20:18:43.995284Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key": "f10700e71ff045cbb850072a0bd6a4e6", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580

Page 9

UUID – Keystone Token Validation Workflow

Validate Token with:
GET v3/auth/tokens
• X-Subject-Token
• X-Auth-Token

Step 1: Parse Token and Retrieve Metadata – retrieves the token payload from the token backend KVS/SQL; Token Not Found if there is no entry
Step 2: Read cached token reference and parse:
• User ID
• Project ID
• Audit ID
• Token Expiry
Step 3: Valid? – if the valid flag is not set: Token Not Found
Step 4: Current Time < Expiry Time? – check if the token is expired; current time is calculated in UTC. If expired: Token Not Found
Step 5: Is Revoked? – check if the token matches any revocation events. If revoked: Token Not Found
Step 6: Otherwise: HTTP/1.1 200 OK

Page 10

UUID – Keystone Token Revocation Workflow

Revoke Token with:
DELETE v3/auth/tokens
• X-Subject-Token
• X-Auth-Token

Step 1: Validate X-Subject-Token – before revoking a token, validate it based on the Token Validation Workflow
Step 2: Audit ID?
• Yes – Revoke by Audit ID: create a Revoke Event with Audit ID, Revoke At, Issued Before
• No – Revoke by Token Expiry: create a Revoke Event with User ID, Project ID, Revoke At, Issued Before, Token Expiry
Step 3: Prune Expired Events – filter existing revocation events based on Revoke At
Step 4: Set valid to False in the Token KVS/SQL

Sample Revocation Event:
{ "audit_id": "HVvI0d-cTD21yatAfQc4IQ", "issued_before": "2015-10-24T21:20:45.000000Z" },
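The UUID lifecycle on pages 7 to 10, as an added example that is not part of the slides or of Keystone's code: an in-memory model that issues a token whose ID is uuid.uuid4().hex, stores the page 8 columns, validates in UTC against the valid flag, the expiry and the revocation events, and revokes by audit ID or by token expiry. The event-matching and pruning rules, the one-hour lifetime and the sample IDs are assumptions of this model, not Keystone's exact logic.

```python
# Added example, not code from the slides or from Keystone: an in-memory model
# of the UUID token lifecycle on pages 7-10. Token IDs are uuid.uuid4().hex,
# rows carry the columns shown on page 8, validation runs in UTC against the
# valid flag, expiry and revocation events, and DELETE revokes by audit ID or
# by token expiry. Matching and pruning rules are simplifications (assumed).
import base64
import uuid
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=1)   # assumed token lifetime


def utc(*args) -> datetime:
    """Timezone-aware UTC datetime (page 9: current time is calculated in UTC)."""
    return datetime(*args, tzinfo=timezone.utc)


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


def new_audit_id() -> str:
    # 22-character URL-safe value, the shape of the audit_ids on page 8
    return base64.urlsafe_b64encode(uuid.uuid4().bytes).rstrip(b"=").decode("ascii")


class UuidTokenBackend:
    def __init__(self):
        self.rows = {}               # token id -> row with the page 8 columns
        self.revocation_events = []  # page 10 revoke events

    # ----- page 7: token generation -----
    def issue(self, user_id: str, project_id: str, roles: list, now: datetime) -> str:
        if not roles:  # Assignment step: failure if the user has no role on the project
            raise PermissionError("user %s has no role on project %s" % (user_id, project_id))
        expires = now + TOKEN_LIFETIME
        token_id = uuid.uuid4().hex
        payload = {"methods": ["password"], "roles": roles,
                   "expires_at": expires.isoformat(), "issued_at": now.isoformat(),
                   "project": {"id": project_id}, "user": {"id": user_id},
                   "audit_ids": [new_audit_id()]}
        self.rows[token_id] = {"id": token_id, "expires": expires, "valid": True,
                               "user_id": user_id, "extra": {"token_data": {"token": payload}}}
        return token_id

    # ----- page 9: validation -----
    def validate(self, token_id: str, now: datetime):
        """Return the token payload, or None for every 'Token Not Found' branch."""
        row = self.rows.get(token_id)
        if row is None or not row["valid"]:
            return None
        if not now < row["expires"]:              # both sides are UTC
            return None
        token = row["extra"]["token_data"]["token"]
        if any(self._matches(event, token) for event in self.revocation_events):
            return None
        return token

    @staticmethod
    def _matches(event: dict, token: dict) -> bool:
        if datetime.fromisoformat(token["issued_at"]) > event["issued_before"]:
            return False
        if "audit_id" in event:
            return event["audit_id"] in token["audit_ids"]
        return (event["user_id"] == token["user"]["id"]
                and event["project_id"] == token["project"]["id"]
                and event["expires_at"] == token["expires_at"])

    # ----- page 10: revocation -----
    def revoke(self, token_id: str, now: datetime) -> bool:
        token = self.validate(token_id, now)     # validate before revoking
        if token is None:
            return False
        if token["audit_ids"]:
            event = {"audit_id": token["audit_ids"][0]}
        else:
            event = {"user_id": token["user"]["id"], "project_id": token["project"]["id"],
                     "expires_at": token["expires_at"]}
        event.update({"revoked_at": now, "issued_before": now})
        self.prune_expired_events(now)
        self.revocation_events.append(event)
        self.rows[token_id]["valid"] = False
        return True

    def prune_expired_events(self, now: datetime) -> None:
        # an event older than the longest token lifetime can no longer match a live token
        cutoff = now - TOKEN_LIFETIME
        self.revocation_events = [e for e in self.revocation_events if e["revoked_at"] >= cutoff]
```

Every "Token Not Found" branch collapses to the same None result on purpose: the caller learns only that the token is unusable, not whether it was unknown, expired or revoked, which is the behaviour the page 9 diagram shows.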

Page 11

UUID Across Multiple Data Centers

Two sites, US-EAST and US-WEST, each running Keystone, Nova and Keystone Middleware:
• Users, Groups, Domains, Projects, Roles, Catalog, Assignments – replicated between the sites: MySQL Replication (Database is always in sync), LDAP Replication (Directory Tree is always in sync)
• Tokens – each site has its own Tokens KVS holding its UUID Tokens; the token store is not replicated

Flow in the diagram:
US-EAST: Request Token → UUID Token → nova boot with UUID → Token Validation → Token Found → VM Instance
US-WEST: nova boot with the same UUID token → Token Validation → Token Not Found

Page 12

Pros and Cons

• Pros
– Simplest and smallest token format
– Recommended for a simple OpenStack deployment
• Cons
– Persistent token format
– Token validation can only be done by the Identity service
– Not feasible for multiple OpenStack deployments

Page 13

PKI/PKIZ

Page 14

PKI
• Cryptographically Encrypted Signed Document using X509 Standards
• CMS
• Converted to custom URL-Safe format

PKIZ
• Compressed PKI
• Prefixed with “PKIZ”

Page 15

PKI/PKIZ Configuration - Certificates

• Signing Key (signing_key.pem):
– Generate private key in PEM format
• Signing Certificate (signing_cert.pem):
– Generate CSR using Signing Key
– Submit CSR to CA
– Receive Certificate from CA
• Certificate Authority Certificate (ca.pem)

Page 16

PKI/PKIZ Configuration

• Configuration in keystone.conf:

[token]
provider = keystone.token.providers.[pki|pkiz].Provider

[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem

Page 17

PKI/PKIZ – Token Generation Workflow

Request Token with:
• User Name
• Password
• Project Name

Step 1: Validate Identity, Resource and Assignment
Step 2: Create JSON Token Payload
Step 3: Sign JSON Payload with Signing Key and Signing Certificate: openssl cms -sign -outform PEM
Step 4 (PKI): Convert the CMS Signed Token in PEM format to the custom URL-Safe format, then convert it to UTF-8:
• “/” replaced with “-”
• Deleted: “\n”, “-----BEGIN CMS-----”, “-----END CMS-----”
Step 4 (PKIZ): Compress using zlib, Base64 URL-Safe encode, append the prefix PKIZ, then convert it to UTF-8
Step 5: Store Token into SQL/KVS
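The post-signing steps of page 17 and the token-ID hashing of page 20, as an added example that is not Keystone's own code. SIGNED_PEM is a constructed PEM-shaped placeholder standing in for the output of openssl cms -sign -outform PEM (a real one needs the signing key and certificate from pages 15 and 16); the PKIZ_ prefix is the one visible in the page 19 sample; md5 as the default hashing algorithm and the "MII" PKI-detection heuristic are assumptions. The zlib step here is applied to the PEM text, since the slide does not say which encoding of the signed blob is compressed.

```python
# Added example, not Keystone's code: the post-signing steps on page 17 and the
# token-ID hashing step on page 20, in plain Python. SIGNED_PEM is a constructed
# PEM-shaped placeholder for the output of `openssl cms -sign -outform PEM`.
import base64
import hashlib
import zlib

PKIZ_PREFIX = "PKIZ_"          # the prefix visible on the page 19 sample
BEGIN = "-----BEGIN CMS-----"
END = "-----END CMS-----"

# Constructed: 64-column body lines containing the '/' and '+' that real PEM output can contain.
SIGNED_PEM = (
    BEGIN + "\n"
    + "MIIBCgKCAQEA/" + "x" * 51 + "\n"
    + "AQAB+zz=\n"
    + END + "\n"
)


def cms_to_pki_token(pem: str) -> str:
    """PEM -> PKI token: drop the armour lines and newlines, make '/' URL safe."""
    body = [line for line in pem.splitlines() if line not in (BEGIN, END)]
    return "".join(body).replace("/", "-")


def pki_token_to_cms(token: str) -> str:
    """Inverse used at validation time: restore '/' and re-wrap at 64 columns."""
    raw = token.replace("-", "/")
    lines = [raw[i:i + 64] for i in range(0, len(raw), 64)]
    return BEGIN + "\n" + "\n".join(lines) + "\n" + END + "\n"


def pkiz_token(signed: str) -> str:
    """PKIZ: zlib-compress the signed blob, base64 URL-safe encode, prefix PKIZ_."""
    compressed = zlib.compress(signed.encode("utf-8"))
    return PKIZ_PREFIX + base64.urlsafe_b64encode(compressed).decode("utf-8")


def pkiz_to_cms(token: str) -> str:
    """Undo pkiz_token(): strip the prefix, decode, decompress."""
    if not token.startswith(PKIZ_PREFIX):
        raise ValueError("not a PKIZ token")
    compressed = base64.urlsafe_b64decode(token[len(PKIZ_PREFIX):])
    return zlib.decompress(compressed).decode("utf-8")


def token_id(token: str, algorithm: str = "md5") -> str:
    """Page 20: the unique ID of a PKI/PKIZ X-Subject-Token is a hash of the
    token under the configured algorithm (md5 assumed as the default here);
    a UUID token is its own ID. 'MII' is the base64 start of a DER SEQUENCE,
    used as the PKI detection heuristic (assumed)."""
    if token.startswith("MII") or token.startswith(PKIZ_PREFIX):
        return hashlib.new(algorithm, token.encode("utf-8")).hexdigest()
    return token
```

The PKIZ output starts with "PKIZ_eJ" because base64 of the zlib header byte 0x78 begins with "eJ", which is why the page 19 sample reads "PKIZ_eJx...". Note that none of these transformations hides the payload: the page 23 con (base64 -d of the token shows its contents) follows directly from cms_to_pki_token() being a pure encoding step.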

Page 18

Sample PKI Token in SQL Backend

id: b460fec2efcd0d803e2baf48d3bcd72b
expires: 2015-10-09 20:07:36
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-09T20:07:36.656431Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["8dh07HudSh6rHoU1G9bs-Q"], "issued_at": "2015-10-09T19:07:36.656460Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key": "MIIDiwYJKoZIhvcNAQcCoIIDfDCCA3gCAQExDTALBglghkgBZQMEAgEwggHZBgkqhkiG9w0BBwGgggHKBIIBxnsidG9rZW4iOnsibWV0aG9kcyI6WyJwYXNzd29yZCJdLCJyb2xlcyI6W3siaWQiOiIxNjg4NDQ5Y2YxZGY0NDgzOWIxMGE0MWUzZDliMDlkZCIsIm5hbWUiOiJhZG1pbiJ9XSwiZXhwaXJlc19hdCI6IjIwMTUtMTAtMDlUMjA6MDc6MzYuNjU2NDMxWiIsInByb2plY3QiOnsiZG9tYWluIjp7ImlkIjoiZGVmYXVsdCIsIm5hbWUiOiJEZWZhdWx0In0sImlkIjoiNDIzZDQ1Y2RkZWM4NDE3MGJlMzY1ZTBiMzFhMWIxNWYiLCJuYW1lIjo…", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580

Page 19

Sample PKIZ Token in SQL Backend

id: c48321ac51a903b07c264ac3e80809c6
expires: 2015-10-12 18:45:23
extra: {"token_data": {"token": {"methods": ["password"], "roles": [{"id": "1688449cf1df44839b10a41e3d9b09dd", "name": "admin"}], "expires_at": "2015-10-12T18:45:23.806229Z", "project": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "extras": {}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "audit_ids": ["kKmQzTuxSnCN9vo3bzxErw"], "issued_at": "2015-10-12T17:45:23.806257Z"}}, "user": {"domain": {"id": "default", "name": "Default"}, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "admin"}, "key": "PKIZ_eJxtlMtyqzgQhvc8xexTqcPFdsLiLCQEWCSCgAGBdgZscbVxDOHy9CMnc6mpGlWpSmqpW39_Uuv5WTRo2tj9wyCHxiN35dqjqybi9eb6DuE7ZLd7_WxtAd6MtR1wP7PT5PxJE2F7U53WYH5D5qZbc53OSkeWPoo3hdrU7VQwhe5JBReo71GWv72WT2vLPRk62_XuDmt_T9sZku-veT-xPfUaEk…", "token_version": "v3.0", "tenant": {"domain": {"id": "default", "name": "Default"}, "id": "423d45cddec84170be365e0b31a1b15f", "name": "admin"}, "metadata": {"roles": ["1688449cf1df44839b10a41e3d9b09dd"]}}
valid: 1
trust_id: NULL
user_id: 1334f3ed7eb2483b91b8192ba043b580

Page 20

PKI/PKIZ – Token Validation Workflow

Validate Token with:
GET v3/auth/tokens
• X-Subject-Token
• X-Auth-Token

Step 1: Unique ID of X-Subject-Token – hash the PKI token with the pre-configured hashing algorithm
Step 2: Parse Token and Retrieve Metadata – retrieves the token reference from the token backend KVS/SQL; Token Not Found if there is no entry
Step 3: Read cached token reference and parse:
• User ID
• Project ID
• Audit ID
• Token Expiry
Step 4: Valid? – if the valid flag is not set: Token Not Found
Step 5: Current Time < Expiry Time? – check if the token is expired; current time is calculated in UTC. If expired: Token Not Found
Step 6: Is Revoked? – check if the token matches any revocation events. If revoked: Token Not Found
Step 7: Otherwise: HTTP/1.1 200 OK

SAME AS UUID, apart from the hashing in Step 1

Page 21

PKI/PKIZ – Keystone Token Revocation Workflow

Revoke Token with:
DELETE v3/auth/tokens
• X-Subject-Token
• X-Auth-Token

Step 1: Validate X-Subject-Token – before revoking a token, validate it based on the Token Validation Workflow
Step 2: Audit ID?
• Yes – Revoke by Audit ID: create a Revoke Event with Audit ID, Revoke At, Issued Before
• No – Revoke by Token Expiry: create a Revoke Event with User ID, Project ID, Revoke At, Issued Before, Token Expiry
Step 3: Prune Expired Events – filter existing revocation events based on Revoke At
Step 4: Set valid to False in the Token KVS/SQL

Sample Revocation Event:
{ "audit_id": "HVvI0d-cTD21yatAfQc4IQ", "issued_before": "2015-10-24T21:20:45.000000Z" },

SAME AS UUID

Page 22

PKI/PKIZ - Across Multiple Data Centers

Two sites, US-EAST and US-WEST, each running Keystone, Nova and Keystone Middleware:
• Users, Groups, Domains, Projects, Roles, Catalog, Assignments – replicated between the sites: MySQL Replication (Database is always in sync), LDAP Replication (Directory Tree is always in sync)
• Tokens – each site has its own Tokens KVS holding its PKI/PKIZ Tokens

Flow in the diagram:
US-EAST: Request Token → PKI/PKIZ Token → nova boot with PKI/PKIZ → Token Validation → VM Instance
US-WEST: nova boot with the same PKI/PKIZ token → Token Validation → VM Instance

Page 23

Pros and Cons

PKI
• Pros
– Token validation without a request to Keystone
• Cons
– Larger than the standard HTTP header size
– Complex configuration
– Token content is readable: base64 -d <pki_token
– Not truly feasible for multiple OpenStack deployments

PKIZ
• Pros
– Token validation without a request to Keystone
• Cons
– Still larger than the standard HTTP header size
– Otherwise similar to PKI

Page 24

FERNET

Page 25

Fernet

• Cryptographic Authentication Method – Fernet
• Symmetric Key Encryption
• Fernet Keys stored in /etc/keystone/fernet-keys/
– Encrypted with the Primary Fernet Key
– Decrypted with a list of Fernet Keys

Page 26

Fernet Configuration

• Configuration in keystone.conf:

[token]
provider = keystone.token.providers.fernet.Provider

[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = <number of keys> # default is 3

Page 27

Fernet Keys

• Fernet Key File - 256 bits: 83b4sCF0Q4pb3aNWJYtSdtdaH8PMA_5dlN7OswXKbvE=
• Decoded bytes: \xf3v\xf8\xb0!tC\x8a[\xdd\xa3V%\x8bRv | \xd7Z\x1f\xc3\xcc\x03\xfe]\x94\xde\xce\xb3\x05\xcan\xf1
– First 128 bits: SHA256 HMAC Signing Key
– Last 128 bits: AES Encrypting Key

Page 28

Fernet Keys

• Fernet Key File Name - Integers starting from 0
• ls /etc/keystone/fernet-keys => 0 1 2 3 4
• Type 1: Primary Key
– Encrypt and Decrypt
– Key file named with the highest index
• Type 2: Secondary Key
– Only Decrypt
– Lowest Index < Secondary Key File Name < Highest Index
• Type 3: Staged Key
– Decrypt, and Next In Line to become the Primary Key
– Key file named with the lowest index (0)

Page 29

Fernet Key Rotation

State 1 (initial setup): 1 = Primary Key, 0 = Staged Key, no Secondary Key
→ Rotate →
State 2: 2 = Primary Key, 1 = Secondary Key, 0 = Staged Key
→ Rotate →
State 3: 3 = Primary Key, 2 and 1 = Secondary Keys, 0 = Staged Key

Page 30

Fernet – Token Generation Workflow

Token Payload:
• Version
• User ID
• Methods
• Project ID
• Expiry Time
• Audit ID
• Padding

The payload is encrypted using the Encrypting Key and signed using the Signing Key. Resulting Fernet Token:
Fernet Token Version | Current Timestamp | IV | Cipher Text | HMAC

Page 31

Sample Fernet Token in SQL Backend

gAAAAABWLUzy0dxSNo2--K-3trDutnX7LpUpv3us0crQIl8BDHLLd3lR3F243VwnYpNJHIaUiPEE2roYJJNA-SwBe1swDcr6MYaFR1t9ZYcYF4GRqDm3N9_1EGgXgICbzE_GuUVidG4gky0Cv8f1nwD7XM26NRh59VEnt2iVTAxlnvAICJDeK5k

Page 32

Fernet – Keystone Token Validation Workflow

Validate Token with:
GET v3/auth/tokens
• X-Subject-Token
• X-Auth-Token

Step 1: Restore Padding – re-inflate the token with “=” and return the token with correct padding
Step 2: Decrypt using the Fernet Keys to retrieve the Token Payload
Step 3: Determine the Version from the Token Payload. Fixed versioning by Keystone:
• Unscoped Payload: 0
• Domain Scoped Payload: 1
• Project Scoped Payload: 2
Step 4: Disassemble the payload to determine the validation fields. For a Project Scoped Token:
• User ID
• Project ID
• Methods
• Token Expiry
• Audit ID
Step 5: Current Time < Expiry Time? – check if the token is expired; current time is calculated in UTC. If expired: Token Not Found
Step 6: Is Revoked? – check if the token matches any revocation events. If revoked: Token Not Found
Step 7: Otherwise: HTTP/1.1 200 OK
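The Fernet mechanics of pages 27, 30 and 32, as an added example that is not code from the slides, from Keystone or from the cryptography library, using only the Python standard library: it splits the page 27 key file into its HMAC and AES halves, restores the "=" padding that Keystone strips, unpacks the page 30 envelope (version byte, timestamp, IV, cipher text, HMAC) from the page 31 sample token, verifies the HMAC against a key list and applies the UTC expiry check. AES-CBC is not in the standard library, so build_token() takes already-encrypted bytes as input and the constructed test token carries placeholder cipher text; OTHER_KEY is a constructed second key.

```python
# Added example, not code from the slides, Keystone or the cryptography library:
# the Fernet key split (page 27), padding restoration (page 32), envelope
# layout (page 30) and HMAC/expiry checks, with the standard library only.
# AES-CBC is not available here, so cipher text is taken as input.
import base64
import hashlib
import hmac
import os
import struct

FERNET_VERSION = 0x80
PAGE_KEY = b"83b4sCF0Q4pb3aNWJYtSdtdaH8PMA_5dlN7OswXKbvE="   # key file shown on page 27
OTHER_KEY = base64.urlsafe_b64encode(bytes(range(32)))      # constructed second key
PAGE_TOKEN = (                                               # token shown on page 31
    "gAAAAABWLUzy0dxSNo2--K-3trDutnX7LpUpv3us0crQIl8BDHLLd3lR3F243VwnYpNJHIaUiPEE2roY"
    "JJNA-SwBe1swDcr6MYaFR1t9ZYcYF4GRqDm3N9_1EGgXgICbzE_GuUVidG4gky0Cv8f1nwD7XM26NRh5"
    "9VEnt2iVTAxlnvAICJDeK5k")


def split_key(key_file: bytes):
    """256-bit key file -> (SHA256-HMAC signing key, AES encrypting key), 128 bits each."""
    raw = base64.urlsafe_b64decode(key_file)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]


def restore_padding(token: str) -> str:
    """Keystone strips the '=' padding from issued tokens; put it back before decoding."""
    return token + "=" * (-len(token) % 4)


def parse_token(token: str) -> dict:
    """Unpack the envelope: version | timestamp | IV | cipher text | HMAC."""
    raw = base64.urlsafe_b64decode(restore_padding(token))
    if len(raw) < 1 + 8 + 16 + 32 or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("cipher text is not a whole number of AES blocks")
    return {"version": raw[0], "timestamp": struct.unpack(">Q", raw[1:9])[0],
            "iv": raw[9:25], "ciphertext": ciphertext, "hmac": raw[-32:],
            "signed_part": raw[:-32]}


def build_token(key_file: bytes, timestamp: int, ciphertext: bytes, iv: bytes = None) -> str:
    """Assemble and sign the envelope around an already encrypted payload."""
    signing_key, _ = split_key(key_file)
    iv = iv if iv is not None else os.urandom(16)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    mac = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode("ascii").rstrip("=")


def verify_token(token: str, key_files: list, now: int, ttl: int):
    """Return the index of the key that authenticates the token, or None.
    Keys are tried in list order (primary first, page 25); the timestamp check
    is the 'Current Time < Expiry Time' step, with times as UTC epoch seconds."""
    try:
        fields = parse_token(token)
    except ValueError:
        return None
    for index, key_file in enumerate(key_files):
        signing_key, _ = split_key(key_file)
        expected = hmac.new(signing_key, fields["signed_part"], hashlib.sha256).digest()
        if hmac.compare_digest(expected, fields["hmac"]):
            return index if now < fields["timestamp"] + ttl else None
    return None
```

Parsing the page 31 sample shows the layout without any key: the leading "gAAAAAB" is the 0x80 version byte followed by the timestamp, which decodes to 1445809394 (2015-10-25 UTC), and the 80 cipher-text bytes are five AES blocks. The HMAC is checked before anything about the payload is trusted, and a key that has been rotated out of the list makes the token unverifiable, which is the failure mode the page 26 max_active_keys setting guards against.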

Page 33

Fernet – Keystone Token Revocation Workflow

Revoke Token with:
DELETE v3/auth/tokens
• X-Subject-Token
• X-Auth-Token

Step 1: Validate X-Subject-Token – before revoking a token, validate it based on the Token Validation Workflow
Step 2: Audit ID?
• Yes – Revoke by Audit ID: create a Revoke Event with Audit ID, Revoke At, Issued Before
• No – Revoke by Token Expiry: create a Revoke Event with User ID, Project ID, Revoke At, Issued Before, Token Expiry
Step 3: Prune Expired Events – filter existing revocation events based on Revoke At
Step 4: Set valid to False in the Token KVS

Sample Revocation Event:
{ "audit_id": "HVvI0d-cTD21yatAfQc4IQ", "issued_before": "2015-10-24T21:20:45.000000Z" },

SAME AS UUID/PKI/PKIZ

Page 34

Fernet - Across Multiple Data Centers

Two sites, US-EAST and US-WEST, each running Keystone, Nova and Keystone Middleware:
• Users, Groups, Domains, Projects, Roles, Catalog, Assignments – replicated between the sites: MySQL Replication (Database is always in sync), LDAP Replication (Directory Tree is always in sync)
• No Tokens KVS: each site's Keystone validates Fernet tokens itself (Validate Fernet Token)

Flow in the diagram:
US-EAST: Request Token → Fernet Token → nova boot with Fernet → Token Validation → VM Instance
US-WEST: nova boot with the same Fernet token → Token Validation → VM Instance

Page 35

Pros and Cons

• Pros
– No persistence
– Reasonable token size
– Multiple data centers
• Cons
– Token validation impacted by the number of revocation events

Page 36

Fernet Token Validation

[Chart: Revocation Events Impact on Validation Time. X-axis: Revocation Events (ticks 0 to 1500 in steps of 100, then 2000, 3000, 4000); Y-axis: Time (ms), ticks 0 to 600; series: Response Time (ms). Values read from the chart, as extracted: 11.17, 46.406, 83.654, 124.974, 163.529, 234.398, 376.604, 510.058 ms; which revocation-event count each value belongs to is not recoverable from the extracted text.]

Page 37

Fernet Token Validation

[Chart: Revocation Events Impact on Validation Requests. X-axis: Revocation Events; Y-axis: Validations Per Second, ticks 0 to 100; series: Token Validation Requests. Values read from the chart, as extracted: 89.46, 21.55, 11.95, 8, 5.77, 1.96 validations per second; which revocation-event count each value belongs to is not recoverable from the extracted text.]

Page 38

What token format should we configure in our OpenStack Deployment?

It depends. Fernet for multiple OpenStack deployments with minimal revocation events.

Page 39

HORIZON AND TOKENS

Page 40

How Horizon uses tokens

• Tokens for each logged in user
– Unscoped token and project scoped token
– Token reuse
• Reduced transaction load on Keystone
– Stored in the session
• Configurable token storage methods
– Local memory cache
– Cookie backend
– Memcache
– Database
– Cached Database

Page 41

Cookie backend

• Currently the devstack default
– Token stored in browser cookie
• Secure cookies in production, use https
– CSRF_COOKIE_SECURE = True
– SESSION_COOKIE_SECURE = True
– http://docs.openstack.org/developer/horizon/topics/settings.html
– http://docs.openstack.org/security-guide/dashboard/cookies.html
• Highly scalable
• The dreaded boot back to login

Page 42

Cookie backend

• The dreaded boot back to login
• Now sign in…

Page 43

Cookie backend

• And you see…
• Cookie overflow!

Page 44

memcache backend

• Allows storage of larger token sizes
• Tokens stored on the server side
• Requires memcached
• Can be used with a backing DB
• http://docs.openstack.org/developer/horizon/topics/deployment.html

Page 45

Token hashing

• Hashed in Django OpenStack Auth (DOA)
– Keeps stored token data small
– Currently not working for PKI tokens
• New config in Liberty to disable
– OPENSTACK_TOKEN_HASH_ENABLED
– PKI - will increase the memcache storage requirement

Page 46

Multiregion and tokens

• Service regions vs. Authentication regions
– Service regions in the Keystone catalog
– Auth regions specified in AVAILABLE_REGIONS
• UUID, PKI, and PKIZ Tokens don’t work across auth regions
– Token replication is infeasible
• But Fernet tokens work between Authentication regions!

[Diagram: Service Region vs. Authentication Region]

Page 47

Horizon and Fernet

• Yes, Fernet tokens work with Horizon
– Liberty and beyond – no patches necessary
– Kilo – needs a patch for DOA: https://review.openstack.org/#/c/169994/

Page 48

V3 domains

Domain Scoped Token:
{ "auth": { "identity": { }, "scope": { "domain": { "name": "Default" } } } }

Project Scoped Token:
{ "auth": { "identity": { }, "scope": { "project": { "domain": { "name": "Default" }, "name": "ProjectA" } } } }

• Extra token for Horizon

Page 49

V3 domains

• Requires changes in Django OpenStack Auth and Horizon
– Planned for Mitaka
• Info on usage (a bit out of date): http://www.symantec.com/connect/blogs/how-use-horizon-keystone-v3
• Domains patches:
– https://review.openstack.org/#/c/148082/
– https://review.openstack.org/#/c/141153/
– https://review.openstack.org/#/c/196328/

Page 50

Will Fernet tokens solve all our problems?

• Smaller token size
• No persistence for tokens
• Seamless authentication across regions
• Performance issues with token revocation

Page 51

Thank You!

Questions?


Page 53

EXTRA

Page 54

What is an OpenStack Token?

Key to the OpenStack Cloud

Page 55

How can I generate a token?

Request to Keystone, authenticating with a password:

curl -s -X POST https://keystone.com/v3/auth/tokens -H "Content-Type: application/json" -d '{ "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "domain": { "name": "MyDomain.com" }, "name": "PritiDesai", "password": "secretsecret" } } } } }'

Page 56

How can I generate a token?

Request to Keystone, authenticating with an existing token:

curl -s -X POST https://keystone.com/v3/auth/tokens -H "Content-Type: application/json" -d '{ "auth": { "identity": { "methods": [ "token" ], "token": { "id": "e8079ab…" } } } }'

Page 57

Token generated using password

Request:
{ "auth": { "identity": { "methods": [ "password" ], "password": { "user": { "domain": { "name": "Default" }, "name": "Smith", "password": "secretsecret" } } } } }

Response header:
X-Subject-Token: a740dcd6f3fc404aaaf556b9cbd2f994

Response body:
{ "token": { "methods": [ "password" ], "expires_at": "2015-10-05T20:25:03.180741Z", "extras": {}, "user": { "domain": { "id": "default", "name": "Default" }, "id": "1334f3ed7eb2483b91b8192ba043b580", "name": "smith" }, "audit_ids": [ "NnYd94BERb-y1GQulr54tg" ], "issued_at": "2015-10-05T19:25:03.180758Z" } }

Page 58

Token generated using token

Request:
{ "auth": { "identity": { "methods": [ "token" ], "token": { "id": "a7409b" } } } }

Response header:
X-Subject-Token: 3fb7b3b0a0a8489882f07fdb9cd2a990

Response body:
{ "token": { "issued_at": "2015-10-05T19:40:38.943250Z", "audit_ids": [ "4vNgmP5cQk6sMpPiw7EnCg", "HFwMKdDrSCOq-MAtkXKTlw" ], "user": { "name": "smith", "id": "1334f3ed7eb2483b91b8192ba043b580", "domain": { "name": "Default", "id": "default" } }, "extras": {}, "expires_at": "2015-10-05T20:31:26.727283Z", "methods": [ "token", "password" ] } }

Page 59

Identity Token Path (User – Keystone – OpenStack Service)

Step 1: Obtain an unscoped token with credentials: POST v3/auth/tokens
Step 2: Discover the projects you have access to: GET v3/users/<user_id>/projects
Step 3: Obtain a project scoped token, either with your credentials or with the unscoped token from step 1
Step 4: Invoke the target service by sending requests to the endpoints in the token from step 3
Step 5: Validate roles and access metadata in the token with the Keystone service or Keystone Middleware
Step 6: Serve the API request
Step 7: Return the response
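Steps 1 to 4 of the Identity Token Path above, using the v3 request bodies of pages 48, 55 and 56, as an added example that is not from the slides or from any OpenStack client library. The HTTP transport is injectable so the flow can run offline against FakeKeystone, a constructed stand-in for the Keystone side whose users, projects, IDs and URLs are made up; the real transport uses urllib and is not exercised here.

```python
# Added example, not code from the slides or from an OpenStack library: a
# minimal client for steps 1-4 of the Identity Token Path (page 59), run
# offline against a constructed fake Keystone.
import json
import urllib.request
import uuid


class KeystoneClient:
    """Client side of steps 1-4. transport(method, url, headers, body) returns
    (status, response headers, response json); the default speaks real HTTP(S)."""

    def __init__(self, auth_url, transport=None):
        self.auth_url = auth_url.rstrip("/")
        self.transport = transport or urllib_transport

    def _post_auth(self, body):
        status, headers, payload = self.transport("POST", self.auth_url + "/v3/auth/tokens", {}, body)
        if status != 201:
            raise PermissionError("authentication failed: HTTP %d" % status)
        return headers["X-Subject-Token"], payload["token"]   # token ID travels in the header

    def unscoped_token(self, domain, user, password):
        # Step 1: the password body from page 55, with no scope
        return self._post_auth({"auth": {"identity": {"methods": ["password"], "password": {
            "user": {"domain": {"name": domain}, "name": user, "password": password}}}}})

    def projects_for(self, token, user_id):
        # Step 2: the unscoped token authenticates the discovery call via X-Auth-Token
        status, _, payload = self.transport("GET", "%s/v3/users/%s/projects" % (self.auth_url, user_id),
                                            {"X-Auth-Token": token}, None)
        if status != 200:
            raise PermissionError("project discovery failed: HTTP %d" % status)
        return [p["name"] for p in payload["projects"]]

    def project_scoped_token(self, unscoped, domain, project):
        # Step 3: token method (page 56) plus the project scope from page 48
        return self._post_auth({"auth": {"identity": {"methods": ["token"], "token": {"id": unscoped}},
                                         "scope": {"project": {"domain": {"name": domain}, "name": project}}}})

    @staticmethod
    def endpoint(scoped, service_type, interface="public"):
        # Step 4: the endpoint to call comes from the catalog bundled into the scoped token
        for service in scoped["catalog"]:
            if service["type"] == service_type:
                for ep in service["endpoints"]:
                    if ep["interface"] == interface:
                        return ep["url"]
        raise LookupError("no %s endpoint in catalog" % service_type)


def urllib_transport(method, url, headers, body):
    """Real transport: JSON over HTTP(S). Not used by the offline run below."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers=dict({"Content-Type": "application/json"}, **headers))
    with urllib.request.urlopen(req) as resp:
        return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")


class FakeKeystone:
    """Constructed stand-in for Keystone: made-up users, projects and URLs.
    Issues UUID-style token IDs and checks them on later calls."""
    USERS = {("Default", "smith"): ("1334f3ed7eb2483b91b8192ba043b580", "secretsecret")}
    PROJECTS = {"1334f3ed7eb2483b91b8192ba043b580": ["ProjectA", "ProjectB"]}
    CATALOG = [{"type": "compute", "endpoints": [{"interface": "public", "url": "https://nova.example.test/v2.1"}]}]

    def __init__(self):
        self.tokens = {}  # token id -> (user id, project name or None)

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith("/v3/auth/tokens"):
            identity = body["auth"]["identity"]
            if identity["methods"] == ["password"]:
                u = identity["password"]["user"]
                user_id, secret = self.USERS.get((u["domain"]["name"], u["name"]), (None, None))
                if user_id is None or secret != u["password"]:
                    return 401, {}, {}
            else:  # token method: the presented token must be one this server issued
                user_id = self.tokens.get(identity["token"]["id"], (None, None))[0]
                if user_id is None:
                    return 401, {}, {}
            project = body["auth"].get("scope", {}).get("project", {}).get("name")
            if project is not None and project not in self.PROJECTS[user_id]:
                return 401, {}, {}
            token_id = uuid.uuid4().hex
            self.tokens[token_id] = (user_id, project)
            payload = {"user": {"id": user_id}}
            if project is not None:
                payload.update({"project": {"name": project}, "catalog": self.CATALOG})
            return 201, {"X-Subject-Token": token_id}, {"token": payload}
        if method == "GET" and "/v3/users/" in url:
            if headers.get("X-Auth-Token") not in self.tokens:
                return 401, {}, {}
            user_id = url.rsplit("/", 2)[1]
            return 200, {}, {"projects": [{"name": n} for n in self.PROJECTS.get(user_id, [])]}
        return 404, {}, {}


def identity_path(client, domain, user, password):
    """Run steps 1-4; return (projects, scoped project, compute endpoint, scoped token id)."""
    unscoped, info = client.unscoped_token(domain, user, password)
    projects = client.projects_for(unscoped, info["user"]["id"])
    scoped_id, scoped = client.project_scoped_token(unscoped, domain, projects[0])
    return projects, scoped["project"]["name"], client.endpoint(scoped, "compute"), scoped_id
```

The client never reads the token ID out of a response body: it is the X-Subject-Token header on the 201 response, and it goes back to Keystone as X-Auth-Token, which is the header pairing the validation and revocation slides show. Only the project scoped token carries the catalog, so step 4 cannot be attempted with the unscoped token from step 1.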

Page 60

Token Creation

[Chart: Time Per Request per token format (UUID, PKI, PKIZ, Fernet); Y-axis ticks 0 to 90. Data values are not recoverable from the extracted text.]
[Chart: Requests Per Sec per token format (UUID, PKI, PKIZ, Fernet); Y-axis ticks 0 to 20. Data values are not recoverable from the extracted text.]

Page 61

Token Validation

[Chart: Time Per Request per token format (UUID, PKI, PKIZ, Fernet); Y-axis ticks 0 to 14. Data values are not recoverable from the extracted text.]
[Chart: Requests Per Sec per token format (UUID, PKI, PKIZ, Fernet); Y-axis ticks 0 to 100. Data values are not recoverable from the extracted text.]

Page 62

Configurable token hashing

https://github.com/openstack/django_openstack_auth/blob/master/openstack_auth/user.py