Fernet + Memcache causes validation failures

Bug #1460225 reported by Morgan Fainberg
This bug affects 2 people
Affects: keystonemiddleware
Status: Fix Released
Importance: Medium
Assigned to: Morgan Fainberg
Milestone:

Bug Description

Reported via EMail:

When enabling memcache caching of tokens at the endpoint and utilizing Fernet tokens, the Fernet token id is utilized as the cache key. In many cases this results in a cache key that is too large for Memcache.

The solution is to always hash token ids (even uuid) to a consistent cache key that is within the parameters of memcache's limitations.

This can be solved either by simply hashing the token_id to a consistent key or rewriting keystonemiddleware to utilize a toolchain/library like dogpile.cache. As this impacts both Kilo and Master, it is likely the correct fix is to start with a simple key-hashing and then move master to using better toolchains such as dogpile.cache.
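
An added example (not part of the original report and not keystonemiddleware's own code) of the key-hashing approach described above, using SHA-256 as named in the fix's commit message. The `tokens/` prefix, the `StrictCache` stand-in and the constructed token strings are assumptions for illustration; the 250-byte figure is memcached's key length limit.

```python
import base64
import hashlib

MEMCACHE_MAX_KEY_BYTES = 250  # memcached protocol limit on key length


def is_valid_memcache_key(key: str) -> bool:
    """Memcached keys must be 1..250 bytes with no whitespace or control chars."""
    raw = key.encode("utf-8")
    if not 0 < len(raw) <= MEMCACHE_MAX_KEY_BYTES:
        return False
    return all(b > 0x20 and b != 0x7F for b in raw)


def cache_key(token_id: str, prefix: str = "tokens/") -> str:
    """Map a token id of any length to a fixed-length key (prefix + 64 hex chars)."""
    # The prefix is a hypothetical namespace chosen for this example.
    return prefix + hashlib.sha256(token_id.encode("utf-8")).hexdigest()


class StrictCache:
    """Dict-backed stand-in for a memcache client that rejects invalid keys."""

    def __init__(self):
        self._data = {}

    def set(self, key, value):
        if not is_valid_memcache_key(key):
            raise ValueError("invalid memcache key (%d bytes)" % len(key.encode("utf-8")))
        self._data[key] = value

    def get(self, key):
        return self._data.get(key) if is_valid_memcache_key(key) else None


def constructed_token(payload_len: int) -> str:
    """Constructed URL-safe base64 string standing in for a token id (not a real Fernet token)."""
    return base64.urlsafe_b64encode(bytes(i % 256 for i in range(payload_len))).decode("ascii")


if __name__ == "__main__":
    cache = StrictCache()
    for name, token in (("uuid-like", "a" * 32), ("fernet-like", constructed_token(300))):
        try:
            cache.set(token, "validated")
            raw = "accepted"
        except ValueError as exc:
            raw = "rejected: %s" % exc
        cache.set(cache_key(token), "validated")  # the hashed key always fits
        print(name, len(token), raw, "| hashed key length:", len(cache_key(token)))
```

Because the cache key is a digest, the bearer token itself no longer appears in the cache keyspace.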

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (master)

Fix proposed to branch: master
Review: https://review.openstack.org/186971

Changed in keystonemiddleware:
assignee: nobody → Morgan Fainberg (mdrnstm)
status: New → In Progress
tags: added: kilo-backport-potential
Changed in keystonemiddleware:
importance: Undecided → Medium
milestone: none → 1.7.0
Dolph Mathews (dolph)
tags: added: fernet
Changed in keystonemiddleware:
assignee: Morgan Fainberg (mdrnstm) → Samuel de Medeiros Queiroz (samueldmq)
Changed in keystonemiddleware:
assignee: Samuel de Medeiros Queiroz (samueldmq) → Morgan Fainberg (mdrnstm)
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (master)

Reviewed: https://review.openstack.org/186971
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=2d4e19404aa33200767dab86956608878876b03a
Submitter: Jenkins
Branch: master

commit 2d4e19404aa33200767dab86956608878876b03a
Author: Morgan Fainberg <email address hidden>
Date: Fri May 29 17:43:31 2015 -0700

    Ensure cache keys are a known/fixed length

    Do not assume a token_id will result in a sane length for a memcache
    key length. In cases such as Fernet, these ids can easily exceed the
    limit on memcache key size. This change ensures we always use a SHA256
    of the token id passed in, resulting in a fixed length cache key.

    Change-Id: I550e0a1b190047438756bbf40490815a5f177ea7
    Closes-Bug: #1460225

Changed in keystonemiddleware:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystonemiddleware (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/202072

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystonemiddleware (stable/kilo)

Reviewed: https://review.openstack.org/202072
Committed: https://git.openstack.org/cgit/openstack/keystonemiddleware/commit/?id=518e9c3a7f34f7f4b86d82da0f9f3a2923358753
Submitter: Jenkins
Branch: stable/kilo

commit 518e9c3a7f34f7f4b86d82da0f9f3a2923358753
Author: Morgan Fainberg <email address hidden>
Date: Fri May 29 17:43:31 2015 -0700

    Ensure cache keys are a known/fixed length

    Do not assume a token_id will result in a sane length for a memcache
    key length. In cases such as Fernet, these ids can easily exceed the
    limit on memcache key size. This change ensures we always use a SHA256
    of the token id passed in, resulting in a fixed length cache key.

    Change-Id: I550e0a1b190047438756bbf40490815a5f177ea7
    Closes-Bug: #1460225
    (cherry picked from commit 2d4e19404aa33200767dab86956608878876b03a)

tags: added: in-stable-kilo
Steve Martinelli (stevemar) wrote :

This has been released for a while now.

Changed in keystonemiddleware:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystonemiddleware 1.5.3

This issue was fixed in the openstack/keystonemiddleware 1.5.3 release.
