Posted on Tue 02 June 2015

Reducing Keystone PKI token size

For those using the PKI token provider in Keystone, the PKI token size is a known problem: the full service catalog is embedded in the signed token, so the token grows in proportion to the number of regions and services in the catalog, and every request carries that payload.

Multiple solutions have been proposed to reduce its size. One is to use the Multi-Attribute Endpoint Grouping extension, as proposed in the "One Keystone to Rule them all" presentation by Priti Desai at the OpenStack Summit 2015 in Vancouver.

As Priti Desai explained, the downside of this solution is that it significantly complicates the project provisioning workflow. For a public cloud provider operator, this is not viable: it adds a lot of unneeded overhead and risk of errors. It also requires the catalog to be backed by the SQL backend (we use the templated backend).

We came up with a different solution which doesn't affect the project provisioning workflow. We significantly reduced the token size by stripping the catalog from the token itself. This means the token size no longer grows dramatically as you add regions and services.

You can find the source code (tested against OpenStack Keystone Icehouse) here:

Some services, however, rely on the catalog embedded in the PKI token to retrieve other services' endpoints. For example, Nova uses the token catalog to find the Cinder endpoint.

Fortunately, those services can be configured with an endpoint template so they no longer rely on the PKI token to provide the catalog. Before deploying a catalog-less token, check every service that consumes the token catalog and confirm it either has such an option or does not need it: a consumer with no template option and an empty catalog will fail its endpoint lookup at request time.

Here is the list of available configuration options related to endpoint templates (given as section/option in each service's configuration file):

Project   Config name
Cinder    DEFAULT/nova_endpoint_admin_template
Cinder    DEFAULT/nova_endpoint_template
Glance    DEFAULT/cinder_endpoint_template
Nova      cinder/endpoint_template
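The following Python sketch is an added example, not code from this post or from Keystone, Nova, Cinder or Glance. It shows the two things the text describes: how a Keystone v2-style token body grows with the catalog and what stripping the catalog saves, and how a consumer such as Nova can resolve the Cinder endpoint from a configured template instead of the token catalog. Assumptions: the catalog layout mirrors a Keystone v2 token body (access.serviceCatalog); sizes are of the JSON body only (the CMS signature and URL-safe encoding of a real PKI token add bytes on top); the template is expanded with Python '%' formatting against the request context, using '%(project_id)s' as the substitution key, which is an assumption to confirm against the version of each service you run. Hostnames and project ids are constructed.

```python
import json

# Constructed set of service types; a real catalog lists whatever is registered.
SERVICE_TYPES = ["identity", "compute", "volume", "image", "network", "object-store"]


def build_catalog(project_id, regions, service_types=SERVICE_TYPES):
    """Constructed v2 catalog: one entry per service with one endpoint per region.
    This is the part of the token that scales with regions x services."""
    catalog = []
    for stype in service_types:
        endpoints = []
        for region in regions:
            base = "https://%s.%s.example.com" % (stype, region)  # constructed host
            endpoints.append({
                "region": region,
                "publicURL": "%s/v2/%s" % (base, project_id),
                "internalURL": "%s/v2/%s" % (base.replace("https://", "http://"), project_id),
                "adminURL": "%s/v2/%s" % (base, project_id),
            })
        catalog.append({"type": stype, "name": stype,
                        "endpoints": endpoints, "endpoints_links": []})
    return catalog


def token_body(project_id, catalog):
    """Minimal v2-style token body; everything except the catalog is constant-size."""
    return {"access": {
        "token": {"id": "placeholder", "tenant": {"id": project_id}},
        "user": {"id": "user1", "name": "user1", "roles": [{"name": "member"}]},
        "serviceCatalog": catalog,
    }}


def encoded_size(body):
    """Bytes of the compact JSON body (the signature wrapper is not counted)."""
    return len(json.dumps(body, separators=(",", ":")).encode("utf-8"))


def strip_catalog(body):
    """Return a copy with access.serviceCatalog emptied: the approach of the post."""
    stripped = json.loads(json.dumps(body))
    stripped["access"]["serviceCatalog"] = []
    return stripped


def endpoint_from_catalog(body, service_type, region, interface="publicURL"):
    """What a consumer did before: look the endpoint up in the token's own catalog."""
    for svc in body["access"]["serviceCatalog"]:
        if svc["type"] != service_type:
            continue
        for ep in svc["endpoints"]:
            if ep["region"] == region:
                return ep[interface]
    raise LookupError("no %s endpoint for region %s in token catalog" % (service_type, region))


def endpoint_from_template(template, context):
    """What the *_endpoint_template options do: expand the template with fields of
    the request context, so the token catalog is never consulted."""
    return template % context


def resolve_endpoint(body, context, service_type, region, template=None):
    """Order of precedence a consumer needs once the catalog may be empty:
    a configured template wins; the catalog is only a fallback."""
    if template:
        return endpoint_from_template(template, context)
    return endpoint_from_catalog(body, service_type, region)


def size_growth(project_id, region_counts):
    """(regions, full-size, stripped-size) for each region count; shows that only
    the catalog-bearing token grows."""
    rows = []
    for n in region_counts:
        regions = ["region%d" % i for i in range(1, n + 1)]
        body = token_body(project_id, build_catalog(project_id, regions))
        rows.append((n, encoded_size(body), encoded_size(strip_catalog(body))))
    return rows


if __name__ == "__main__":
    for n, full, stripped in size_growth("p1", [1, 2, 4, 8]):
        print("regions=%d  with catalog=%d bytes  without catalog=%d bytes" % (n, full, stripped))
    ctx = {"project_id": "p1"}  # stand-in for context.to_dict()
    print(resolve_endpoint(token_body("p1", []), ctx, "volume", "region1",
                           template="http://cinder.example.com:8776/v1/%(project_id)s"))
```

The sizes printed are for the JSON body only; a real PKI token is the CMS signature over this body, base64-encoded with URL-safe substitutions, so the absolute numbers are larger but the scaling is the same. The resolve_endpoint ordering is the point to verify in each consumer: once the template is set, an empty serviceCatalog is harmless; without it, the catalog lookup raises.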

© Mathieu Gagné. Built using Pelican. Theme by Giulio Fidente on github.