Keystone PKI token length hits cookie size limit
Bug #1071865 reported by
Gabriel Hurley
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Fix Released
|
High
|
Adam Young | ||
keystone (Ubuntu) |
Fix Released
|
Critical
|
Gabriel Hurley |
Bug Description
When Keystone's PKI tokens are enabled the length of the token itself is 3.95kb, nearly exceeding the cookie size limit without any additional data. This makes PKI tokens incompatible with the cookie session backend in Horizon. We need a way to detect/configure support for this so it doesn't bite users in unexpected ways.
Changed in horizon: | |
status: | New → In Progress |
importance: | Undecided → Critical |
assignee: | nobody → Gabriel Hurley (gabriel-hurley) |
milestone: | none → grizzly-1 |
Changed in horizon: | |
status: | Fix Committed → Fix Released |
Changed in keystone: | |
status: | In Progress → Fix Released |
affects: | horizon → keystone (Ubuntu) |
Changed in keystone (Ubuntu): | |
milestone: | grizzly-1 → none |
To post a comment you must log in.
I'm adding Keystone to this just to make sure that the impact of the change from UUID to PKI tokens by default in Keystone gets tracked.
Thus far, the discussion on resolving this is tending towards enabling token handling via the hash of the token rather than/in addition to the full PKI-signed token ID.