Keystone PKI token length hits cookie size limit

Bug #1071865 reported by Gabriel Hurley
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | Fix Released | High | Adam Young |
keystone (Ubuntu) | Fix Released | Critical | Gabriel Hurley |

Bug Description

When Keystone's PKI tokens are enabled, the length of the token itself is 3.95kb, nearly exceeding the cookie size limit without any additional data. This makes PKI tokens incompatible with the cookie session backend in Horizon. We need a way to detect/configure support for this so it doesn't bite users in unexpected ways.

Changed in horizon:
status: New → In Progress
importance: Undecided → Critical
assignee: nobody → Gabriel Hurley (gabriel-hurley)
milestone: none → grizzly-1
Gabriel Hurley (gabriel-hurley) wrote :

I'm adding Keystone to this just to make sure that the impact of the change from UUID to PKI tokens by default in Keystone gets tracked.

Thus far, the discussion on resolving this is tending towards enabling token handling via the hash of the token rather than/in addition to the full PKI-signed token ID.

Gabriel Hurley (gabriel-hurley) wrote :

It turns out that Keystone already supports handling PKI-signed tokens via the MD5 hash but only for the SQL token backend. The work to add it to the KVS token backend will be tracked here: https://bugs.launchpad.net/keystone/+bug/1073272

Once that's in there, then Horizon can switch to using the MD5 of the token instead of the full token.

Adam Young (ayoung) wrote :
Changed in keystone:
status: New → In Progress
assignee: nobody → Adam Young (ayoung)
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/15316

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/15316
Committed: http://github.com/openstack/horizon/commit/c61c5e28cc629c65166bcff2d974a622310f32b5
Submitter: Jenkins
Branch: master

commit c61c5e28cc629c65166bcff2d974a622310f32b5
Author: Gabriel Hurley <email address hidden>
Date: Fri Nov 2 15:10:43 2012 -0700

    Enforce use of latest django_openstack_auth for PKI compat.

    The latest django_openstack_auth supports PKI-signed tokens by
    using Keystone's "is_ans1_token" function to determine if PKI
    tokens are in use and react appropriately if so.

    Fixes bug 1071865

    Change-Id: I62ba6370de829345d3214d80011a58e4ac6cd218

Changed in horizon:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Adam Young (ayoung)
Changed in keystone:
status: In Progress → Fix Released
affects: horizon → keystone (Ubuntu)
Changed in keystone (Ubuntu):
milestone: grizzly-1 → none
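
The approach discussed in this thread (detect a PKI token, then keep its MD5 hash in the session instead of the full signed token), as an added sketch that is not Horizon's or django_openstack_auth's code. The "MII" prefix check, the 4096-byte cookie limit, the JSON plus base64 session encoding and the sample token are assumptions constructed for illustration.

```python
import base64
import hashlib
import json

COOKIE_LIMIT = 4096  # assumed per-cookie browser limit, in bytes


def looks_like_pki_token(token: str) -> bool:
    # Base64 of a DER SEQUENCE (0x30) with a two-byte long-form length (0x82)
    # below 16 KiB starts with "MII"; a 32-character hex UUID token never does.
    return token.startswith("MII")


def session_token_id(token: str) -> str:
    """Value to keep in the session: the MD5 hex digest for PKI tokens."""
    if looks_like_pki_token(token):
        return hashlib.md5(token.encode("ascii")).hexdigest()
    return token  # UUID tokens are already short


def cookie_size(session: dict) -> int:
    """Bytes the session occupies once serialized (signature overhead ignored)."""
    return len(base64.b64encode(json.dumps(session).encode("utf-8")))


def build_session(token: str, username: str) -> dict:
    """Build a cookie-backed session and refuse one the browser would drop."""
    session = {"token_id": session_token_id(token), "user": username}
    size = cookie_size(session)
    if size > COOKIE_LIMIT:
        raise ValueError(f"session is {size} bytes, over the {COOKIE_LIMIT}-byte limit")
    return session


def make_constructed_pki_token(payload_len: int = 3030) -> str:
    # Constructed sample: a DER SEQUENCE header followed by filler bytes.
    # It has the size and prefix of a PKI token but is not a real CMS blob.
    body = bytes(i % 251 for i in range(payload_len))
    der = b"\x30\x82" + len(body).to_bytes(2, "big") + body
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    tok = make_constructed_pki_token()
    print("token length:", len(tok))
    print("raw token in cookie:", cookie_size({"token_id": tok, "user": "demo"}))
    print("hashed token in cookie:", cookie_size(build_session(tok, "demo")))
```

The server side has to accept the hash as a lookup key for this to work, which is the Keystone token-backend support the comments above refer to.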