PKI-Revoke
Changes to support revocation of PKI tokens
1. Revoked tokens must be recorded, not merely removed from the tokens backend.
2. The Keystone server will expose a list of revoked tokens at a URL. A service like Glance or Nova can then query the revocation list on a simple schedule. The timeout would be configurable, of course. The list will be exposed as a signed CMS document, just like the tokens, in order to prove revocation.
3. Once revoked, a token cannot be unrevoked.
4. If a token authentication request comes in to the auth_token middleware and the service does not have a recent revocation list, the list is fetched from Keystone. If the Keystone server cannot be reached, authentication will fail. A future enhancement: wait a random amount of time and then requery the Keystone server.
5. In the future, I would like to make the set of Keystone servers a configurable list, and the policy for revocation checking should be able to vary per server: some Keystone servers in a federated approach might not be accessible. In those cases, it might be necessary for one Keystone server to proxy the revocation list for another server.
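
A sketch of the service-side check described in points 2 to 4, added here as an illustration and not taken from Keystone or the auth_token middleware. The names `RevocationCache`, `authenticate`, `fetch_signed_list` and `verify_cms` are hypothetical; the fetch and CMS verification steps are passed in as callables, and keeping revoked ids as a grow-only set is an assumption about how point 3 would be enforced on the client side.

```python
import time

class RevocationUnavailable(Exception):
    """No fresh, verified revocation list could be obtained."""

class RevocationCache:
    def __init__(self, fetch_signed_list, verify_cms, max_age=300, clock=time.monotonic):
        self._fetch = fetch_signed_list  # hypothetical: GETs the signed list from Keystone
        self._verify = verify_cms        # hypothetical: checks CMS signature, returns token ids
        self._max_age = max_age          # the configurable timeout from point 2, in seconds
        self._clock = clock
        self._revoked = set()
        self._fetched_at = None          # None means no list has ever been fetched

    def _is_fresh(self):
        return (self._fetched_at is not None
                and self._clock() - self._fetched_at < self._max_age)

    def refresh(self):
        try:
            revoked_ids = set(self._verify(self._fetch()))
        except Exception as exc:  # network error or bad signature: treat alike
            raise RevocationUnavailable(str(exc)) from exc
        # Point 3: union only, so an id missing from a later list stays revoked.
        self._revoked |= revoked_ids
        self._fetched_at = self._clock()

    def is_revoked(self, token_id):
        if not self._is_fresh():
            self.refresh()
        return token_id in self._revoked

def authenticate(cache, token_id):
    """Point 4: fail closed when the revocation list cannot be refreshed."""
    try:
        return not cache.is_revoked(token_id)
    except RevocationUnavailable:
        return False

if __name__ == "__main__":
    # Constructed sample: the "signed document" is just a list, verification a no-op.
    cache = RevocationCache(lambda: ["tok-a"], lambda doc: doc, max_age=60)
    print(authenticate(cache, "tok-a"), authenticate(cache, "tok-x"))
```

A signature failure is handled the same way as an unreachable server, so a tampered or unsigned list never replaces the cached one and the request is rejected.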