OpenStack Identity (keystone)

Document Memcache server needed system time setting

Bug #1022614 reported by Maru Newby on 2012-07-09

6

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Wishlist	Maru Newby	OpenStack Identity (keystone) 2012.2 "folsom"

Bug Description

Using python-memcached, memcache get() calls do not appear to respect the expiry time submitted to set(). The memcache token backend appears to assume that keys will not be returned after the expiry passed to set, so token life is effectively unlimited when using this backend.

The fake memcache client in test_backend_memcache honours the expiry provided to set(), so this bug is effectively masked in testing.

See original description

Maru Newby (maru) on 2012-07-09

description:

updated

Revision history for this message

Joseph Heck (heckj) wrote on 2012-07-09:

#1

Maru - Is this a bug in keystone, a bug in python-memcache, or a bug in how we're using python-memcache?

Changed in keystone:
status:	New → Triaged
importance:	Undecided → Medium

Joseph Heck (heckj) on 2012-07-09

Changed in keystone:
importance:	Medium → High
assignee:	nobody → Maru Newby (maru)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2012-07-09: Fix proposed to keystone (master)

#2

Fix proposed to branch: master
Review: https://review.openstack.org/9525

Changed in keystone:
status:	Triaged → In Progress

Revision history for this message

Maru Newby (maru) wrote on 2012-07-09: Re: Memcache token backend does not expire tokens

#3

I've discovered that the problem I was seeing with memcache returning keys that should be expired is due to a timezone issue. Setting token expiry to 20m and then repeatedly checking if keystone would report a token as expired discovered that expiry occurred after 5 hours 20m, consistent with a -5h UTC offset - EST. It appears that memcache is configured to use the system timezone, and if that timezone is not utc (what keystone uses), the skew will result in tokens not expiring as expected.

This bug is still valid, though documenting the requirement that the memcache server's system clock be set to utc might be preferable to the proposed fix.

Joseph Heck (heckj) on 2012-09-04

Changed in keystone:
milestone:	none → folsom-rc1

Revision history for this message

Maru Newby (maru) wrote on 2012-09-07:

#4

I've submitted a doc patch, but after consideration I would like to see the code change go in (if not now, in the future). auth_token is already performing explicit expiry checks rather than relying on implicit memcache expiry, and it would seem to make sense that the token backend rely on implicit expiry as well.

The complication is that anybody using the memcache token backend will have to bounce their memcache host(s) before upgrading to the token backend updated to use explicit expiry.

Joe: Thoughts? I suppose the doc change can go in for Folsom and the code change can follow eventually.

Revision history for this message

Thierry Carrez (ttx) wrote on 2012-09-11:

#5

Doc change is under review at: https://review.openstack.org/#/c/12605/

Maru: could you create a separate bug to track the additional change ? Then we can target it speraately from the doc fix...

Changed in keystone:
importance:	High → Wishlist
summary:	- Memcache token backend does not expire tokens + Document Memcache server needed system time setting

Thierry Carrez (ttx) on 2012-09-13

Changed in keystone:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2012-09-14

Changed in keystone:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2012-09-27

Changed in keystone:
milestone:	folsom-rc1 → 2012.2

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.