| author | Simo Sorce <simo@redhat.com> | 2013-06-27 22:16:25 -0400 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2013-08-20 11:54:39 -0400 |
| commit | 86cf469e4feed55f5b6dfc8ab0f139b39afb75b8 (patch) | |
| tree | 0f067718c9bb1ca7e4e80ce8bfd7406b78c6821f /keystone/middleware | |
| parent | ffa55f7a8cbc824b03cec8cbfbb380b42f9c3e70 (diff) | |
| download | keystone-86cf469e4feed55f5b6dfc8ab0f139b39afb75b8.tar.gz keystone-86cf469e4feed55f5b6dfc8ab0f139b39afb75b8.tar.xz keystone-86cf469e4feed55f5b6dfc8ab0f139b39afb75b8.zip | |
Add group key support
A requestor asking for a key for a target identified as a group object
will receive a group_key ticket.
Group keys are temporary keys with a limited lifetime and are released
together with a generation number. Multiple keys with different generation
numbers may exist at the same time.
When no valid keys are found or if the only valid key has less than 10 minutes
of lifetime a new key is generated using the next available generation number.
Generation numbers grow monotonically.
Group keys can be retrieved using the get_group_key call only by
requestors belonging to the group. A requestor is considered as belonging
to a group if the first part of the name is the same as the group.
Requestors must specify a valid generation number when requesting a group
key. The generation number is used to create the destination name by
postfixing it to the group name after a colon.
Example:
requestor: scheduler.xyz.example.com
destination: scheduler:123
The requestor is considered part of the scheduler group and asks for
a key of generation number 123. If that key exists it will be returned
encrypted with the requestor's key.
blueprint key-distribution-server
Change-Id: I013ae466d626c0a4737d475e1b42b183a88dbe83
Signed-off-by: Simo Sorce <simo@redhat.com>
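The generation and lookup rules described in the commit message, as an added Python example that is not the Keystone code from this commit. It models a single in-memory group-key store: a new generation is minted when no valid key exists or the only valid key has less than 10 minutes left, generation numbers only grow, membership is decided by the first dot-separated component of the requestor name, and the destination is parsed as `group:generation`. The one-hour lifetime, the injectable clock and all class and method names are assumptions; wrapping the returned key under the requestor's own key is left out.

```python
import os
import time
from dataclasses import dataclass

KEY_LIFETIME = 3600          # assumed: one-hour lifetime; the commit message does not fix this
RENEW_THRESHOLD = 10 * 60    # from the commit message: mint a new key below 10 minutes left


@dataclass
class GroupKey:
    generation: int
    key: bytes
    expires_at: float


class GroupKeyStore:
    """Hypothetical in-memory store of temporary per-group keys (constructed example)."""

    def __init__(self, clock=time.time, lifetime=KEY_LIFETIME):
        self._clock = clock          # injectable so the expiry logic can be tested offline
        self._lifetime = lifetime
        self._keys = {}              # group name -> list of GroupKey, oldest generation first
        self._next_gen = {}          # group name -> next generation number to hand out

    def _valid_keys(self, group):
        """Drop expired keys for the group and return the ones still usable."""
        now = self._clock()
        self._keys[group] = [k for k in self._keys.get(group, []) if k.expires_at > now]
        return self._keys[group]

    def current_key(self, group):
        """Key handed to a requestor asking for a group target; mints a new generation
        when none is valid or the only valid one has under RENEW_THRESHOLD seconds left."""
        valid = self._valid_keys(group)
        now = self._clock()
        if not valid or (len(valid) == 1 and valid[0].expires_at - now < RENEW_THRESHOLD):
            gen = self._next_gen.get(group, 1)
            self._next_gen[group] = gen + 1          # generation numbers grow monotonically
            valid.append(GroupKey(gen, os.urandom(32), now + self._lifetime))
        return valid[-1]                             # newest generation is the one released

    @staticmethod
    def is_member(requestor, group):
        """A requestor belongs to a group if its first name component equals the group."""
        return requestor.split(".", 1)[0] == group

    @staticmethod
    def parse_destination(destination):
        """Split 'group:generation' into its parts; rejects anything else."""
        group, sep, gen = destination.partition(":")
        if not sep or not group or not gen.isdigit():
            raise ValueError("destination must have the form '<group>:<generation>'")
        return group, int(gen)

    def get_group_key(self, requestor, destination):
        """get_group_key as described in the commit message: membership check, then a
        lookup of the requested generation among the keys that are still valid."""
        group, gen = self.parse_destination(destination)
        if not self.is_member(requestor, group):
            raise PermissionError("%s is not a member of group %s" % (requestor, group))
        for k in self._valid_keys(group):
            if k.generation == gen:
                return k
        raise KeyError("no valid key of generation %d for group %s" % (gen, group))


if __name__ == "__main__":
    store = GroupKeyStore()
    issued = store.current_key("scheduler")
    fetched = store.get_group_key("scheduler.xyz.example.com",
                                  "scheduler:%d" % issued.generation)
    print("generation", fetched.generation, "matches:", fetched is issued)
```

Because the renewal check fires only while a single valid key remains, the old and the new generation overlap for up to ten minutes, which is what lets members that still hold the previous generation number keep fetching it until it expires.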
Diffstat (limited to 'keystone/middleware')
0 files changed, 0 insertions, 0 deletions