PKI Token tests for OpenStack Keystone

Adam Young ayoung at redhat.com
Sun Aug 26 00:46:33 UTC 2012


Unfortunately,  the test day scheduled for Tuesday happens to fall 
during my Family vacation.  There are a couple of things I would love to 
have tested.


In Folsom, my largest feature is PKI Tokens and their revocation.  I am 
not sure if the revocation code will land in the Fedora repo yet, as it 
was committed after the F3 milestone was cut.
To check that it has been merged, look in the Keystone config file 
under the section
  [signing]

you should see a commented out value:

#token_format = PKI


To activate the PKI tokens, uncomment this value and restart Keystone.


When you run keystone token-get,  the tokens should now be several lines 
long.

By default,  the services like glance, nova, and the like store their 
cached version of certificates etc in  ~/keystone-signing/.  I tend to 
test against glance so after running

glance image-list

you will see:

$ ls ~/keystone-signing/
cacert.pem  revoked.pem  signing_cert.pem

To modify the place that these files get saved, to put them in the more 
correct location of /var/cache,  create a directory /var/cache/$USER  
where $USER is glance, etc. Modify the config file for the appropriate 
service to set:

[signing]
signing_dir = /var/cache/glance


This should also test Alan Pevec's change that configuration should be 
read from the paste-config file of the application, as opposed to 
Keystone's config file.

I just realized that the Revocation code made the cut, but the fix to 
make the request for the revocation list as admin did not.  If the PKI 
token test fails with 401s it is probably due to the request for the 
revocation list being denied by Keystone.  This is a known issue, and 
disregard the failure for now, as the fix is committed upstream, but not 
in the Fedora RPMS yet.
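Added example (a shell script that is neither part of Adam's post nor Keystone's own tooling) mirroring the checks above: it reads the [signing] section of an INI-style config to see whether token_format = PKI is still commented out, uncomments it the way the post describes, and verifies that a signing_dir holds the three cached files. The config contents and paths at the bottom are constructed samples, and the restart of Keystone is left to the operator.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, awk and sed;
# the config path and signing dir used at the bottom are constructed samples.

# Print the uncommented value of KEY in [SECTION]; nothing if absent or commented out.
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" section "\\][ \t]*$")); next }
        in_sec && $0 !~ /^[ \t]*#/ && index($0, "=") > 0 {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == key) {
                value = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", value)
                print value; exit
            }
        }' "$1"
}

# True when [signing] token_format is uncommented and set to PKI.
pki_tokens_enabled() {
    [ "$(ini_get "$1" signing token_format)" = "PKI" ]
}

# Uncomment the "#token_format = PKI" line the post describes (portable, no sed -i).
enable_pki_tokens() {
    sed 's/^ *# *token_format *= *PKI *$/token_format = PKI/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# True when DIR holds the three files auth_token caches after its first request.
signing_dir_complete() {
    for f in cacert.pem revoked.pem signing_cert.pem; do
        [ -f "$1/$f" ] || return 1
    done
}

# Constructed sample keystone.conf with the value still commented out.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[signing]
#token_format = PKI
signing_dir = /var/cache/glance
EOF

if pki_tokens_enabled "$SAMPLE_CONF"; then
    echo "PKI tokens already enabled"
else
    echo "token_format is commented out; uncommenting (restart keystone afterwards)"
    enable_pki_tokens "$SAMPLE_CONF"
fi
```

Point the script at a real service config and its signing_dir to repeat the check against a live install.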

