One issue to keep in mind with Keystone is that it requires nss to work efficiently. With nss, both presigned (pki) tokens and token revocation work. Without it, the following happens:

- we go to the keystone server for every non-cached token, even if it's presigned
- when we fail to decode the revocation list we clear the tokens cache

So essentially it affects performance. Not sure whether it's that big of a deal, as there's still the cache window, but we should keep it in mind.

Yehuda