openstack
/
keystone
Code Issues Proposed changes

Remove references to UUID from token documentation 

Support for the UUID token provider was removed when the Rocky cycle
opened for development:

  I76d5c29f6b1572ee3ec7f2b1af63ff31572de2ce

This commit removes references to the UUID token provider from the
token provider documentation.

Change-Id: I85aa4eac1098628f090b3e95a9234bc5777d274d
Partial-Bug: 1757151
This commit is contained in:
Lance Bragstad 2018-03-20 15:00:15 +00:00
parent ac4baf99f0
commit c402691371
1 changed files with 4 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
doc/source/admin/identity-tokens.rst
View File

@ -3,10 +3,8 @@ Keystone tokens
===============
Tokens are used to authenticate and authorize your interactions with the
various OpenStack APIs. Tokens come in many flavors, representing various
authorization scopes and sources of identity. There are also several different
"token providers", each with their own user experience, performance, and
deployment characteristics.
various OpenStack APIs. Tokens come in many scopes, representing various
authorization and sources of identity.
Authorization scopes
--------------------
@ -79,32 +77,8 @@ Token providers
---------------
The token type issued by keystone is configurable through the
``/etc/keystone/keystone.conf`` file. Currently, there are two supported
token types, ``UUID`` and ``fernet``.
UUID tokens
~~~~~~~~~~~
UUID was the first token type supported but was deprecated in Pike. UUID tokens
are 32 bytes in length and must be persisted in a back end. Clients must pass
their UUID token to the Identity service in order to validate it.
As mentioned above, UUID tokens must be persisted. By default, keystone
persists UUID tokens using a SQL backend. An unfortunate side-effect is that
the size of the database will grow over time regardless of the token's
expiration time. Expired UUID tokens can be pruned from the backend using
keystone's command line utility:
.. code-block:: bash
$ keystone-manage token_flush
We recommend invoking this command periodically using ``cron``.
.. NOTE::
It is not required to run this command at all if using Fernet tokens. Fernet
tokens are not persisted and do not contribute to database bloat.
``/etc/keystone/keystone.conf`` file. Currently, the only supported token
provider is ``fernet``.
Fernet tokens
~~~~~~~~~~~~~