75abc21ecf
The RevokeTree was built out of an attempt to optimize the search for a match between a candidate token and the list of revocation events. The performance proved to be poor, mostly due to the cost of creating and checking hash values. The RevokeTree code is also so complex that most of the team could not understand it or troubleshoot it. There are some subtle bugs due to race conditions with revocation events, and it is impossible to track them down due to the code complexity.

This change replaces the tree-based search with a linear search through the list of revocation events. A failure-to-match will pass through the entire list. A revoked token should match on O(n/2) comparisons.

With the past year of Fernet tokens in deployment, the feedback is that the number of revocation events is small, and they only are kept for the lifetime of the tokens (usually 1-8 hours) so the linear search is not expected to slow down token validations in live deployments. Future work will also reduce the number of revocation events.

Change-Id: Ib6a686494e897840b09d134ecf1ca50ce712f281
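The linear search the commit message describes, as an added example that is not Keystone's code. The event fields (`user_id`, `project_id`, `audit_id`, `issued_before`, `revoked_at`), the dict layout, the helper names and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed event model: a field left as None (or absent) matches any token.
MATCH_FIELDS = ("user_id", "project_id", "audit_id")


def event_matches(event, token):
    """Every field the event sets must equal the token's value, and the
    token must have been issued no later than the event's cutoff."""
    for field in MATCH_FIELDS:
        wanted = event.get(field)
        if wanted is not None and token.get(field) != wanted:
            return False
    return token["issued_at"] <= event["issued_before"]


def is_revoked(events, token):
    """Linear scan. Returns (revoked, comparisons made): a revoked token
    stops at its first matching event, a valid one walks the whole list."""
    for count, event in enumerate(events, start=1):
        if event_matches(event, token):
            return True, count
    return False, len(events)


def prune(events, now, token_lifetime):
    """Drop events older than the token lifetime: any token they could
    match has already expired, so the list stays short."""
    return [e for e in events if e["revoked_at"] + token_lifetime > now]


# Constructed sample data, not taken from a real deployment.
NOW = datetime(2016, 6, 1, 12, 0)


def _event(age, **fields):
    when = NOW - age
    return dict(fields, issued_before=when, revoked_at=when)


EVENTS = prune([
    _event(timedelta(hours=9), user_id="u-old"),      # past lifetime, pruned
    _event(timedelta(minutes=30), user_id="u-alice"),
    _event(timedelta(minutes=10), project_id="p-dev"),
    _event(timedelta(minutes=5), audit_id="a-123"),
], NOW, timedelta(hours=8))
```

A token issued after the event's cutoff is not matched even when its user or project is named in the event, which is why a still-valid token is compared against every event in the list.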
config-generator
doc
etc
examples/pki
httpd
keystone
keystone_tempest_plugin
rally-jobs
releasenotes
tools
.coveragerc
.gitignore
.gitreview
.mailmap
.testr.conf
CONTRIBUTING.rst
HACKING.rst
LICENSE
MANIFEST.in
README.rst
babel.cfg
other-requirements.txt
requirements.txt
setup.cfg
setup.py
test-requirements.txt
tox.ini
README.rst
OpenStack Keystone
Keystone provides authentication, authorization and service discovery mechanisms via HTTP primarily for use by projects in the OpenStack family. It is most commonly deployed as an HTTP interface to existing identity systems, such as LDAP.
Developer documentation, the source of which is in doc/source/, is published at:
The API specification and documentation are available at:
The canonical client library is available at:
https://git.openstack.org/cgit/openstack/python-keystoneclient
Documentation for cloud administrators is available at:
The source of documentation for cloud administrators is available at:
Information about our team meeting is available at:
Bugs and feature requests are tracked on Launchpad at:
Future design work is tracked at:
http://specs.openstack.org/openstack/keystone-specs/#identity-program-specifications
Contributors are encouraged to join IRC (#openstack-keystone on freenode):
For information on contributing to Keystone, see CONTRIBUTING.rst.