PKI for Keystone

A recent discussion on the OpenStack mailing list brought to light the high load on the Keystone server caused by every service having to validate the token on each and every incoming request against Keystone.

While appropriate caching will obviously limit some of that traffic, there is another approach that removes it altogether. If each token issued by the Keystone server is a document cryptographically signed with a private key, any service can verify its authenticity with the public key published by the Keystone server, without contacting Keystone at all. This transfers the burden from network traffic to CPU time spent on signature verification.

The signing key pair should have a relatively short lifespan, probably being rotated no less frequently than once a day, the current lifespan of a token. A retired public key still has to remain available to verifiers until the last token signed with it has expired, so at any moment a service trusts a small set of keys rather than a single one.

The public key should be published as an X.509 certificate signed by a local Certificate Authority, so that a service can validate a newly rotated key against the CA it already trusts.

Keystone should also be able to publish a revocation list, for the case where a user loses privileges before their tokens expire. Fetching that list is the one piece of Keystone traffic that remains, but it is periodic rather than per request. Since the lifespan of tokens is short, the revocation list should stay small, and an entry need not be kept past the expiry of the token it names.
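The signed-token scheme sketched in the three paragraphs above (offline signature verification, key rotation with a key ID, a locally checked and pruned revocation list), as an added example that is not code from this post or from Keystone. It is written against Go's standard library and assumes a token format of my own choosing: a JSON payload carrying the token ID, user, key ID and expiry, signed with ECDSA P-256. Distribution of the public key as an X.509 certificate is left out; the verifier is handed the public keys directly.

```go
// Added example, not Keystone code. The token format (JSON payload, key ID,
// ECDSA P-256 over SHA-256) is an assumption made for illustration.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Payload is the document Keystone signs. KeyID names the signing key so keys
// can rotate; Expires is inside the signed bytes, so a holder cannot extend it.
type Payload struct {
	TokenID string    `json:"token_id"`
	User    string    `json:"user"`
	KeyID   string    `json:"key_id"`
	Expires time.Time `json:"expires"`
}

// Token is what the client carries: payload JSON plus ASN.1 ECDSA signature over SHA-256(payload).
type Token struct {
	Payload   []byte
	Signature []byte
}

// Issuer holds a private key; only Keystone has one, a new one per rotation period.
type Issuer struct {
	KeyID string
	Key   *ecdsa.PrivateKey
}

func NewIssuer(keyID string) (*Issuer, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{KeyID: keyID, Key: k}, nil
}

// Issue signs a token for user, valid for ttl from now.
func (i *Issuer) Issue(tokenID, user string, ttl time.Duration, now time.Time) (*Token, error) {
	raw, err := json.Marshal(Payload{TokenID: tokenID, User: user, KeyID: i.KeyID, Expires: now.Add(ttl)})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(raw)
	sig, err := ecdsa.SignASN1(rand.Reader, i.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Token{Payload: raw, Signature: sig}, nil
}

// Verifier is the state a service keeps locally: trusted public keys by key ID
// and the revocation list (token ID -> that token's expiry). Verify never calls Keystone.
type Verifier struct {
	PublicKeys map[string]*ecdsa.PublicKey
	Revoked    map[string]time.Time
}

func NewVerifier() *Verifier { return &Verifier{PublicKeys: map[string]*ecdsa.PublicKey{}, Revoked: map[string]time.Time{}} }

// Trust adds an issuer's public key. A retired key must stay trusted until the last token it signed expires.
func (v *Verifier) Trust(i *Issuer) { v.PublicKeys[i.KeyID] = &i.Key.PublicKey }

// Prune drops revocation entries for tokens that have expired anyway: the list
// never needs to outlive the tokens it names.
func (v *Verifier) Prune(now time.Time) {
	for id, exp := range v.Revoked {
		if !now.Before(exp) {
			delete(v.Revoked, id)
		}
	}
}

// Verify checks key ID, signature, expiry and revocation, in that order.
func (v *Verifier) Verify(t *Token, now time.Time) (*Payload, error) {
	var p Payload
	if err := json.Unmarshal(t.Payload, &p); err != nil {
		return nil, err
	}
	pub, ok := v.PublicKeys[p.KeyID]
	if !ok {
		return nil, errors.New("unknown signing key " + p.KeyID)
	}
	if d := sha256.Sum256(t.Payload); !ecdsa.VerifyASN1(pub, d[:], t.Signature) {
		return nil, errors.New("bad signature")
	}
	if !now.Before(p.Expires) {
		return nil, errors.New("token expired")
	}
	if _, revoked := v.Revoked[p.TokenID]; revoked {
		return nil, errors.New("token revoked")
	}
	return &p, nil
}
```

The expiry and the key ID live inside the signed bytes, so a client can neither extend a token nor point the verifier at a different key; the only Keystone-originated state a service needs is the current set of trusted public keys and the revocation list, both of which can be refreshed on a schedule rather than per request.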

Both Kerberos and Dogtag PKI have all of the capabilities listed above.
