PKI support breaks memcache token backend

Bug #1119641 reported by Devin Carlen
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | Medium | Adam Young |
Grizzly | Fix Released | Medium | Adam Gandelman |
python-keystoneclient | Invalid | Undecided | Unassigned |

Bug Description

When using PKI support, the memcache backend breaks. It appears to be attempting to place the entire token as the key?

(root): 2013-02-08 01:14:03,404 ERROR wsgi __call__ Key length is > 250
Traceback (most recent call last):
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 228, in __call__
    result = method(context, **params)
  File "/opt/stack/keystone/keystone/token/controllers.py", line 470, in validate_token
    token_ref = self._get_token_ref(context, token_id, belongs_to)
  File "/opt/stack/keystone/keystone/token/controllers.py", line 432, in _get_token_ref
    self.assert_admin(context)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 261, in assert_admin
    context=context, token_id=context['token_id'])
  File "/opt/stack/keystone/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/opt/stack/keystone/keystone/token/backends/memcache.py", line 58, in get_token
    token = self.client.get(ptk)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 862, in get
    return self._get('get', key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 813, in _get
    self.check_key(key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 1023, in check_key
    % self.server_max_key_length)
MemcachedKeyLengthError: Key length is > 250

Davanum Srinivas (DIMS) (dims-v) wrote :

Looks like we need something similar to this here as well - https://review.openstack.org/#/c/15116/

Mehdi Abaakouk (sileht) wrote :

I'm using keystone 2013.1~rc1 and I have the same kind of backtrace:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 142, in authenticate
    token_id=token_id)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/keystone/token/backends/memcache.py", line 58, in get_token
    token = self.client.get(ptk)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 862, in get
    return self._get('get', key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 813, in _get
    self.check_key(key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 1023, in check_key
    % self.server_max_key_length)
MemcachedKeyLengthError: Key length is > 250

Adam Young (ayoung)
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung) wrote :

The logic from https://review.openstack.org/#/c/15116/ is already performed in the memcached backend.

In line
https://github.com/openstack/keystone/blob/master/keystone/token/backends/memcache.py#L66

the call to token.unique_id(token_id) performs the hash function, but it looks like it was missed on the get function.
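
An added illustration, not keystone's code, of the mismatch described in the comment above: the write path hashes the token ID into a fixed-length cache key while the read path passes the raw ID. `FakeMemcache`, `cache_key`, the `token-` prefix and the SHA-256 derivation are assumptions made for the example; the limit of 250 is the one in the traceback.

```python
import hashlib

MAX_KEY_LENGTH = 250  # key limit reported in the traceback above

class KeyLengthError(Exception):
    """Stand-in for python-memcached's MemcachedKeyLengthError."""

class FakeMemcache:
    """Dict-backed stand-in for a memcached client that enforces the limit."""
    def __init__(self):
        self._data = {}

    def _check_key(self, key):
        if len(key.encode("utf-8")) > MAX_KEY_LENGTH:
            raise KeyLengthError("Key length is > %d" % MAX_KEY_LENGTH)

    def set(self, key, value):
        self._check_key(key)
        self._data[key] = value

    def get(self, key):
        self._check_key(key)
        return self._data.get(key)

def cache_key(token_id):
    """Assumed derivation: fixed-length SHA-256 digest of the token ID."""
    return "token-" + hashlib.sha256(token_id.encode("utf-8")).hexdigest()

def create_token(client, token_id, data):
    client.set(cache_key(token_id), data)       # hashed on write

def get_token_raw_key(client, token_id):
    return client.get("token-" + token_id)      # mismatch: raw ID on read

def get_token(client, token_id):
    return client.get(cache_key(token_id))      # same derivation as the write

def demo(token_id):
    """Return (outcome of raw-key read, outcome of hashed-key read)."""
    client = FakeMemcache()
    create_token(client, token_id, {"user": "demo"})
    try:
        raw = get_token_raw_key(client, token_id)
    except KeyLengthError as exc:
        raw = str(exc)
    return raw, get_token(client, token_id)

# Constructed stand-in for a long PKI token ID (not a real token).
PKI_LIKE = "MII" + "A" * 3000
```

With the long constructed ID the raw-key read fails on key length, as in the traceback; with a short ID it silently misses, because the entry was stored under the digest.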

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/25537

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph)
tags: added: grizzly-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/25537
Committed: http://github.com/openstack/keystone/commit/a62d3afae43ebe191fe86f8d1ebed3e8bfaeba17
Submitter: Jenkins
Branch: master

commit a62d3afae43ebe191fe86f8d1ebed3e8bfaeba17
Author: Adam Young <email address hidden>
Date: Wed Mar 27 12:10:08 2013 -0400

    Fix token ids for memcached

    Bug 1119641

    Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a

Changed in keystone:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/27979

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/grizzly)

Reviewed: https://review.openstack.org/27979
Committed: http://github.com/openstack/keystone/commit/2b5b24ed833ad32e78a72ebd421ec2607a0d375b
Submitter: Jenkins
Branch: stable/grizzly

commit 2b5b24ed833ad32e78a72ebd421ec2607a0d375b
Author: Adam Young <email address hidden>
Date: Wed Mar 27 12:10:08 2013 -0400

    Fix token ids for memcached

    Bug 1119641

    Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a
    (cherry picked from commit a62d3afae43ebe191fe86f8d1ebed3e8bfaeba17)

Alan Pevec (apevec)
Changed in keystone:
importance: Undecided → Medium
tags: removed: grizzly-backport-potential
Sam Morrison (sorrison) wrote :

This also affects the auth_token middleware in keystoneclient

Adam Young (ayoung) wrote :

If it does, it is a different problem. This was an error storing tokens and was specific to the memcached backend.

Changed in python-keystoneclient:
status: New → Invalid
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-1 → 2013.2