Identity V3 tokens too long for neutron

Bug #1251026 reported by Evan Petrie
This bug affects 3 people
Affects: neutron
Status: Fix Released
Importance: Low
Assigned to: Mark McClain

Bug Description

An identity v3 token is over 9000 characters, which results in a 400 Header Line Too Long error.

Example here:

https://gist.github.com/kuinak/66f34542a49c3cd78784

I applied the following to my devstack instance to fix it:

diff --git a/neutron/wsgi.py b/neutron/wsgi.py
index 972b399..9208918 100644
--- a/neutron/wsgi.py
+++ b/neutron/wsgi.py
@@ -31,6 +31,7 @@ from xml.parsers import expat

 import eventlet.wsgi
 eventlet.patcher.monkey_patch(all=False, socket=True)
+eventlet.wsgi.MAX_HEADER_LINE = 16384
 from oslo.config import cfg
 import routes.middleware
 import webob.dec
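
Review bot: the added line `eventlet.wsgi.MAX_HEADER_LINE = 16384` hard-codes the new limit as a module-level assignment at import time, so an operator whose catalog produces a token longer than that has no way to raise it, and one who wants the tighter bound on header lines has no way to lower it. Consider exposing the value as a config option (`cfg` is imported on the next line) and applying it where the WSGI server is started, with a comment saying why 16384 was chosen. The assignment also sits in the middle of the import block, between `eventlet.patcher.monkey_patch(...)` and `from oslo.config import cfg`; it would read better after the imports.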

Evan Petrie (evan-petrie) wrote :
Hua Zhang (zhhuabj)
Changed in neutron:
assignee: nobody → Hua Zhang (zhhuabj)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/56511

Changed in neutron:
status: New → In Progress
Hua Zhang (zhhuabj) wrote :

This is the output of my test program below, so this issue can be indirectly resolved by using v3/auth/tokens?nocatalog instead of v3/auth/tokens; please mark it as "Won't Fix", thanks.

TOKEN_LEN: 1196 when using http://pubnode:5000/v3/auth/tokens?nocatalog
TOKEN_LEN: 10220 when using http://pubnode:5000/v3/auth/tokens

import json
import urllib.request

user = 'admin'
password = 'password'
project = 'demo'


def token_v3(auth_url='http://pubnode:5000/v3/auth/tokens?nocatalog'):
    # Password authentication, scoped to a project in the default domain.
    auth_data = {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "name": user,
                        "password": password,
                        "domain": {
                            "name": "default"
                        }
                    }
                }
            },
            "scope": {
                "project": {
                    "domain": {
                        "name": "default"
                    },
                    "name": project
                }
            }
        }
    }
    # Supplying a request body makes this a POST.
    auth_request = urllib.request.Request(
        auth_url, data=json.dumps(auth_data).encode('utf-8'))
    auth_request.add_header('Content-Type', 'application/json;charset=utf-8')
    auth_request.add_header('Accept', 'application/json')
    auth_request.add_header('User-Agent', 'python-client')
    auth_response = urllib.request.urlopen(auth_request)
    # Keystone v3 returns the issued token in the X-Subject-Token header.
    token = auth_response.headers.get('X-Subject-Token')
    return token


if __name__ == '__main__':
    # Compare token length with and without the service catalog embedded.
    url = 'http://pubnode:5000/v3/auth/tokens?nocatalog'
    token = token_v3(url)
    print("TOKEN_LEN: ", len(token), " when using ", url)
    url = 'http://pubnode:5000/v3/auth/tokens'
    token = token_v3(url)
    print("TOKEN_LEN: ", len(token), " when using ", url)

Evan Petrie (evan-petrie) wrote :

This workaround is unacceptable. Tokens issued by OpenStack should be accepted by other OpenStack services. These long tokens are accepted by other services. There is no reason neutron should not accept them as well.

Hua Zhang (zhhuabj) wrote :

Hi Evan, I will restore the patch https://review.openstack.org/56511, thanks.

Florent Flament (florentflament) wrote :

This bug has been reported for other OpenStack projects there:
https://bugs.launchpad.net/keystone/+bug/1190149

Patches that increase the eventlet.wsgi.MAX_HEADER_LINE to 16384, allowing up to 14 entries in the catalog to be transmitted through the token, have been released/merged in Keystone, Nova, Cinder and Glance.

As I understand, the feature provided by Keystone to include the catalog in the v3 PKI Token (which is currently the default behavior) aims at reducing the charge (amount of requests done) on the Identity server.

The patch should IMHO be included in Neutron too.
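
Added example (not from this bug thread, and not eventlet or neutron code): a simplified model of a per-line header limit, showing why the 10220-character token reported above is rejected at 8192 bytes per header line but accepted at 16384, and how long a token each limit leaves room for. The 8192 default, the `X-Auth-Token` header name, the request path and port, and the `>=` comparison are assumptions of this model; the tokens are constructed filler of the lengths reported in the thread.

```python
import io

EVENTLET_DEFAULT = 8192   # assumed eventlet.wsgi.MAX_HEADER_LINE default
PATCHED_LIMIT = 16384     # value set by the fix discussed in this thread
TOKEN_HEADER = "X-Auth-Token"  # assumed header carrying the token to neutron


def build_request(token):
    """Constructed request; path and port are sample values."""
    return ("GET /v2.0/networks HTTP/1.1\r\n"
            "Host: pubnode:9696\r\n"
            "%s: %s\r\n\r\n" % (TOKEN_HEADER, token)).encode("ascii")


def check_headers(raw, max_header_line):
    """Return (status, offending header name or None)."""
    stream = io.BytesIO(raw)
    stream.readline()  # skip the request line
    while True:
        # Bounded read: an oversized line comes back truncated at the limit.
        line = stream.readline(max_header_line)
        if line in (b"\r\n", b"\n", b""):
            return 200, None
        if len(line) >= max_header_line:
            name = line.split(b":", 1)[0].decode("ascii", "replace")
            return 400, name  # reported as "Header Line Too Long"


def max_token_len(max_header_line):
    """Longest token whose whole header line stays under the limit."""
    overhead = len(TOKEN_HEADER) + len(": ") + len("\r\n")
    return max_header_line - overhead - 1


if __name__ == "__main__":
    for length in (1196, 10220):  # token lengths reported in the thread
        token = "A" * length      # constructed filler, not a real token
        for limit in (EVENTLET_DEFAULT, PATCHED_LIMIT):
            print(length, limit, check_headers(build_request(token), limit))
    print("max token at 16384:", max_token_len(PATCHED_LIMIT))
```

The limit applies to the whole header line, so the header name, separator and line ending count against it along with the token.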

Kyle Mestery (mestery)
Changed in neutron:
importance: Undecided → Low
Kai Qiang Wu(Kennan) (wkqwu) wrote :

It seems Bug 1190149 is addressing the issue, and it added a config field for max header line length.
Neutron has not fixed it yet.


Changed in neutron:
assignee: Hua Zhang (zhhuabj) → Mark McClain (markmcclain)
Akihiro Motoki (amotoki)
Changed in neutron:
milestone: none → icehouse-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/56511
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b22442a6b80c22f6e31d086263cdb77de10d92ef
Submitter: Jenkins
Branch: master

commit b22442a6b80c22f6e31d086263cdb77de10d92ef
Author: zhhuabj <email address hidden>
Date: Fri Jan 17 18:21:01 2014 +0800

    Raise max header size to accommodate large tokens

    The max header is exceeded in the following scenario
    - Auth tokens built with a keystone v3 API catalog
    - A catalog with approximately 8 or more endpoints defined

    Change-Id: Ie815e457c0b25ab828e780b5d90233ba0ceff61f
    Closes-Bug: #1251026

Changed in neutron:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/75751

Thierry Carrez (ttx)
Changed in neutron:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: icehouse-3 → 2014.1