Token expiry window is too narrow

Bug #1441910 reported by Jamie Lennox
Affects: python-keystoneclient | Status: Fix Released | Importance: Medium | Assigned to: Jamie Lennox | Milestone: 1.4.0

Bug Description

When using a token we have a check to make sure the last token we received is still valid before using it. This allows us to fetch a new token before making a request. Currently we check that the token has at least 1 second before it expires so we can use it.

1 second is unrealistically short for this default window. Given the way tokens are sent from service to service, the token can expire between when the initial request was issued and when some other service tries to validate it.

This is not intended to replace trusts or provide a service with the opportunity to cache a token for future use. It is purely saying that the token a user sends should be valid for the length of that request which may be longer than 1 second.

The way this is currently handled is that if a request is met with a 401 error the session object fetches a new token and then tries to re-issue the request. This will theoretically work in most situations, but it requires the services to be good at handling rollback and communicating failure states so that re-issuing the exact same request again will work - something I'm not convinced of.

I'm proposing 120 seconds. This is a small percent of the default token length, but something that all requests should fit within. I have no other reason for this number and am open to other suggestions.

Changed in python-keystoneclient:
assignee: nobody → Jamie Lennox (jamielennox)
status: New → In Progress
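The check described above, as an added illustration that is not python-keystoneclient's own code: a session keeps the last token it received and, before each request, asks whether that token still has at least a minimum number of seconds of life left; if not, it re-authenticates first. The `Token`, `Session`, `will_expire_soon` and `simulate` names, the 3600-second token lifetime and the timestamps are all constructed for this example. The simulation sends a request 5 seconds before the cached token expires and then has a downstream service validate it after some latency, so the difference between a 1-second window and a 120-second window is visible in the result.

```python
from datetime import datetime, timedelta, timezone

# Minimum remaining life a cached token must have before the session will use it.
# 120 s is the value proposed in this bug; the constant name mirrors the one in
# the commit message but this module is an independent illustration.
MIN_TOKEN_LIFE_SECONDS = 120


class Token:
    """A bearer token with a UTC expiry timestamp (constructed for the example)."""

    def __init__(self, value, expires_at):
        self.value = value
        self.expires_at = expires_at


def will_expire_soon(expires_at, now, stale_duration=MIN_TOKEN_LIFE_SECONDS):
    """True if the token will have expired once stale_duration seconds have passed."""
    return expires_at <= now + timedelta(seconds=stale_duration)


class Session:
    """Toy session: caches a token and re-authenticates before use when it is too close to expiry."""

    def __init__(self, authenticate, initial_token=None, min_life=MIN_TOKEN_LIFE_SECONDS):
        self._authenticate = authenticate  # callable(now) -> fresh Token
        self._token = initial_token
        self._min_life = min_life
        self.reauth_count = 0

    def get_token(self, now):
        """Return a token with at least min_life seconds left, fetching a new one if needed."""
        if self._token is None or will_expire_soon(self._token.expires_at, now, self._min_life):
            self._token = self._authenticate(now)
            self.reauth_count += 1
        return self._token


def downstream_validate(token, now):
    """A service receiving the token checks, on its own clock, that it has not expired."""
    return token.expires_at > now


def simulate(min_life, request_latency_s):
    """Send one request with the given expiry window and return (reauth_count, accepted_downstream).

    The cached token was issued at t0 with a 3600 s lifetime (constructed values);
    the request is sent 5 s before it expires and validated request_latency_s later.
    """
    t0 = datetime(2015, 4, 2, 0, 0, tzinfo=timezone.utc)
    token_lifetime = timedelta(seconds=3600)

    def authenticate(now):
        # Stand-in for a real auth round trip: a fresh token valid for the full lifetime.
        return Token("tok-fresh", now + token_lifetime)

    session = Session(authenticate,
                      initial_token=Token("tok-cached", t0 + token_lifetime),
                      min_life=min_life)
    send_time = t0 + token_lifetime - timedelta(seconds=5)
    token = session.get_token(send_time)
    validate_time = send_time + timedelta(seconds=request_latency_s)
    return session.reauth_count, downstream_validate(token, validate_time)


if __name__ == "__main__":
    for window, latency in ((1, 2), (1, 10), (120, 10)):
        reauths, ok = simulate(window, latency)
        print(f"window={window:>3}s latency={latency:>2}s -> reauthenticated={reauths} accepted={ok}")
```

With a 1-second window the cached token passes the local check and is sent, and whether the downstream service accepts it depends entirely on how long the request takes in flight; with a 120-second window the session notices the token is about to expire, fetches a fresh one before sending, and the downstream check succeeds regardless of a few seconds of latency.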
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/169947
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=e79d571aa6a8f036e7d9acb2dcb104f8a9c51259
Submitter: Jenkins
Branch: master

commit e79d571aa6a8f036e7d9acb2dcb104f8a9c51259
Author: Jamie Lennox <email address hidden>
Date: Thu Apr 2 10:15:29 2015 +1100

    Increase minimum token life required

    MIN_TOKEN_LIFE_SECONDS is the number of seconds that the token provided
    must be valid for to be used when making authentication requests. 1
    second has always been a dumb number and was not based on any existing
    value.

    Because a user token may be reused by a service to make requests on
    behalf of a user if the token is valid when sent it may not be valid for
    the life of the request.

    2 minutes is also an arbitrary value, but it should allow plenty of time
    for service requests to complete before being rejected.

    Closes-Bug: #1441910
    Change-Id: I395a0770e72d1ec7904e656ca382a5270f793a8b

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 1.4.0
importance: Undecided → Medium
Changed in python-keystoneclient:
status: Fix Committed → Fix Released