With the addition of the revocation events system it is now possible to implement a token provider that does not require the ability to lookup a token ID based upon data contained within the token (e.g. revoking all tokens issued to a specific User ID). The new revocation event uses data values from a class of tokens (e.g. User ID, Domain ID, Project ID) to determine if a token is revoked instead of relying on an explicit list of token IDs generated by Keystone. The new revocation matching is performed within the auth_token middleware on each token instead of within Keystone to generate the list of token IDs that are revoked.
Currently there is significant overhead in managing the persistence backend for the Token data. This administrative and performance overhead manifests in a number of ways:
The change will be to eliminate the need to persist tokens to any form of stable storage. When using the new non-persistent token provider, UUID and short-hashed versions of PKI tokens will not be supported. The UUID and standard PKI token providers will not be deprecated in the Juno development cycle. Deprecation of the original PKI token providers (PKI and PKIZ) will occur as early as the K cycle; this delay in deprecation allows for operators and deployers to adopt the new non-persistent tokens before it becomes the default deployment model. The UUID token provider will be evaluated for deprecation based upon how many deployments continue to utilize UUID over PKI tokens.
The general data model for the token (in-memory) will change to be a token version agnostic memory construct. This will be a departure from the current Python dictionary that is used (and varies in structure based upon token version). This change will eliminate some of the more complex conditional code that is used to support the different token versions now. This change to the in-memory structure for tokens is to ensure ease of understanding code rather than having an ever expanding set of conditional code to handle the variations on token structure across an increasing number of versions. Both v2 and v3 tokens have significant structural differences that will add significant complications to the code-base when eliminating the calls to .get_token.
The new in-memory token model will be serialized as closely as possible to the SQL token backend’s schema to eliminate the need for a DB migration. Other token persistence backends will do in-place (seamless) handling of the differing token-formats. The persistence backend changes are required for a seamless upgrade path to non-persistent tokens.
JSON Schema for each token version will need to be developed for complete validation as part of the conversion from the versioned-token-format to the internal token object.
When the new provider is used (non-persistent-token-provider) only PKI tokens will be issued, and the short-hash version of the token cannot be used to interact with Keystone.
REST APIs that deal directly with the token resource will be modified:
The internal token format will be changed to be consistent. Externally facing use and format of the token should not be impacted.
All cases of PKI tokens will be decoded (in a similar fashion to auth_token middleware) in memory instead of referencing data stored in the token DB persistence store. The ability to use the token backend for auditing will no longer be available. Instead audit will rely exclusively on the CADF authentication notifications.
Generally speaking this change should reduce load on the system and resource consumption by not requiring persistence of token data. Tokens will need to be decoded via CMS, raising the CPU cost of handling GET and HEAD (validate and check) mechanisms on tokens in the v2.0 Idenity API. This change is due to the data not being stored outside of the PKI signed token data.
To leverage the non-persistent tokens deployers will need to do the following:
No new configuration options will be added.
All references to token_api.get_token (excluding use in the UUID token provider) will need to be removed. Direct lookup of token data without decoding the PKI token (when PKI tokens are used) will not be available.
Any interaction with token data will be done in a consistent manner through the new uniform token object, eliminating the need for specific code handling a versioned token dictionary.
Documentation on deploying with revocation events and non-persistent PKI token provider will need to be included (configuration changes).