Token expiry window is too narrow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
python-keystoneclient | Fix Released | Medium | Jamie Lennox |
Bug Description
When using a token we have a check to make sure the last token we received is still valid before using it. This allows us to fetch a new token before making a request. Currently we check that the token has at least 1 second before it expires so we can use it.
1 second is unrealistically short for this default window. Given the way tokens are sent from service to service, the token can expire between when the initial request was issued and when some other service tries to validate it.
This is not intended to replace trusts or provide a service with the opportunity to cache a token for future use. It is purely saying that the token a user sends should be valid for the length of that request which may be longer than 1 second.
The way this was handled currently is that if a request was met with a 401 error the session object would fetch a new token and then try to re-issue the request. This will theoretically work in most situations, but it requires the services to be good at handling rollback and communicating failure states so that re-issuing the exact same request again will work - something I'm not convinced of.
I'm proposing 120 seconds. This is a small percent of the default token length, but something that all requests should fit within. I have no other reason for this number and am open to other suggestions.
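The following is an added illustration of the check the bug describes, not code from python-keystoneclient. It models a client that caches a token, refuses to reuse it once fewer than a minimum number of seconds of life remain, a downstream service that validates the token a few seconds later, and the 401-then-retry fallback. The `Token`, `ClientSession`, `service_validate` and `run_scenario` names, the 3600-second token lifetime and the hop delay are constructed assumptions for the example.

```python
"""Standalone model of the 'minimum remaining token life' check (added example,
not the project's own code; all names and timings are assumptions)."""
import datetime as dt
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

MIN_TOKEN_LIFE_OLD = 1      # the window the bug complains about
MIN_TOKEN_LIFE_NEW = 120    # the window the bug proposes
TOKEN_LIFETIME = 3600.0     # constructed: lifetime of a freshly issued token


@dataclass
class Token:
    value: str
    expires_at: dt.datetime

    def remaining(self, now: dt.datetime) -> float:
        return (self.expires_at - now).total_seconds()

    def will_expire_soon(self, now: dt.datetime, stale_duration: float) -> bool:
        # Client-side check: the cached token is only reused if at least
        # stale_duration seconds of life remain at the moment it is sent.
        return self.remaining(now) < stale_duration


@dataclass
class ClientSession:
    issuer: Callable[[dt.datetime], Token]  # hypothetical: mints a new token
    min_life: float
    token: Optional[Token] = None
    refreshes: int = 0

    def get_token(self, now: dt.datetime) -> Token:
        if self.token is None or self.token.will_expire_soon(now, self.min_life):
            self.token = self.issuer(now)
            self.refreshes += 1
        return self.token


def service_validate(token: Token, now: dt.datetime) -> bool:
    """Server side: a token that has already expired is rejected (the 401 case)."""
    return token.remaining(now) > 0


def send_with_retry(sess: ClientSession, t0: dt.datetime, hop_delay: float) -> Tuple[bool, int]:
    """Models the fallback described in the bug: on a 401 the session fetches a
    new token and re-issues the same request once. Returns
    (accepted_on_first_attempt, attempts_made)."""
    arrives = t0 + dt.timedelta(seconds=hop_delay)
    for attempt in (1, 2):
        tok = sess.get_token(t0)
        if service_validate(tok, arrives):
            return attempt == 1, attempt
        sess.token = None  # drop the rejected token so the next call refreshes
    return False, 2


def run_scenario(min_life: float, remaining_at_send: float, hop_delay: float) -> Tuple[bool, int, int]:
    """The client sends a request when its cached token has `remaining_at_send`
    seconds left; the request reaches the validating service `hop_delay`
    seconds later. Returns (accepted_first_try, attempts, refreshes)."""
    t0 = dt.datetime(2015, 4, 2, 10, 0, 0)

    def issuer(now: dt.datetime) -> Token:
        return Token("tok-%d" % int(now.timestamp()),
                     now + dt.timedelta(seconds=TOKEN_LIFETIME))

    cached = Token("tok-old", t0 + dt.timedelta(seconds=remaining_at_send))
    sess = ClientSession(issuer, min_life, token=cached)
    first_ok, attempts = send_with_retry(sess, t0, hop_delay)
    return first_ok, attempts, sess.refreshes


if __name__ == "__main__":
    # Token has 2 s left when sent; the downstream hop takes 5 s.
    for window in (MIN_TOKEN_LIFE_OLD, MIN_TOKEN_LIFE_NEW):
        print("min_life=%3d ->" % window, run_scenario(window, remaining_at_send=2, hop_delay=5))
```

With the 1-second window the client happily sends a token that has 2 seconds left, the downstream service sees it expired and the whole request has to be replayed after a refresh; with the 120-second window the refresh happens before the first send and the request is accepted on its first attempt. A token with plenty of life left is reused unchanged under either window, which is the point of the bug: the change only affects tokens that are already about to expire.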
Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress

Changed in python-keystoneclient:
milestone: none → 1.4.0
importance: Undecided → Medium

Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Reviewed: https://review.openstack.org/169947
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=e79d571aa6a8f036e7d9acb2dcb104f8a9c51259
Submitter: Jenkins
Branch: master
commit e79d571aa6a8f036e7d9acb2dcb104f8a9c51259
Author: Jamie Lennox <email address hidden>
Date: Thu Apr 2 10:15:29 2015 +1100
Increase minimum token life required
MIN_TOKEN_LIFE_SECONDS is the number of seconds that the token provided
must be valid for to be used when making authentication requests. 1
second has always been a dumb number and was not based on any existing
value.
Because a user token may be reused by a service to make requests on
behalf of a user, if the token is valid when sent it may not be valid for
the life of the request.
2 minutes is also an arbitrary value, but it should allow plenty of time
for service requests to complete before being rejected.
Closes-Bug: #1441910
Change-Id: I395a0770e72d1ec7904e656ca382a5270f793a8b