PKI support breaks memcache token backend

Bug #1119641 reported by Devin Carlen on 2013-02-08
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
OpenStack Identity (keystone) | | Medium | Adam Young |
Grizzly | | Medium | Adam Gandelman |
python-keystoneclient | | Undecided | Unassigned |

Bug Description

When using PKI support, the memcache backend breaks. It appears to be attempting to place the entire token as the key?

(root): 2013-02-08 01:14:03,404 ERROR wsgi __call__ Key length is > 250
Traceback (most recent call last):
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 228, in __call__
    result = method(context, **params)
  File "/opt/stack/keystone/keystone/token/controllers.py", line 470, in validate_token
    token_ref = self._get_token_ref(context, token_id, belongs_to)
  File "/opt/stack/keystone/keystone/token/controllers.py", line 432, in _get_token_ref
    self.assert_admin(context)
  File "/opt/stack/keystone/keystone/common/wsgi.py", line 261, in assert_admin
    context=context, token_id=context['token_id'])
  File "/opt/stack/keystone/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/opt/stack/keystone/keystone/token/backends/memcache.py", line 58, in get_token
    token = self.client.get(ptk)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 862, in get
    return self._get('get', key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 813, in _get
    self.check_key(key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 1023, in check_key
    % self.server_max_key_length)
MemcachedKeyLengthError: Key length is > 250

Looks like we need something similar to this here as well - https://review.openstack.org/#/c/15116/

Mehdi Abaakouk (sileht) wrote :

I'm using keystone 2013.1~rc1 and I have the same kind of backtrace:

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/keystone/common/wsgi.py", line 236, in __call__
    result = method(context, **params)
  File "/usr/lib/python2.7/dist-packages/keystone/token/controllers.py", line 142, in authenticate
    token_id=token_id)
  File "/usr/lib/python2.7/dist-packages/keystone/common/manager.py", line 47, in _wrapper
    return f(*args, **kw)
  File "/usr/lib/python2.7/dist-packages/keystone/token/backends/memcache.py", line 58, in get_token
    token = self.client.get(ptk)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 862, in get
    return self._get('get', key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 813, in _get
    self.check_key(key)
  File "/usr/lib/python2.7/dist-packages/memcache.py", line 1023, in check_key
    % self.server_max_key_length)
MemcachedKeyLengthError: Key length is > 250

Adam Young (ayoung) on 2013-03-27
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung) wrote :

The logic from https://review.openstack.org/#/c/15116/ is already performed in the memcached backend.

In line
https://github.com/openstack/keystone/blob/master/keystone/token/backends/memcache.py#L66

the call to token.unique_id(token_id) performs the hash function, but it looks like it was missed on the get function.
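
An added example, not part of the original comment and not keystone's code: a token store that hashes the token ID on write but, when `hash_on_get` is off, uses the raw ID on read, which reproduces the key-length failure in the tracebacks above. `FakeMemcache`, `TokenStore`, `hash_on_get`, the SHA-256 choice and the sample token are assumptions of this example; the page does not say which hash `unique_id` uses.

```python
import hashlib

MAX_KEY_LENGTH = 250  # limit reported in the tracebacks above


class KeyLengthError(Exception):
    """Stand-in for memcache's MemcachedKeyLengthError."""


class FakeMemcache:
    """In-process stand-in for a memcache client (constructed for this example)."""

    def __init__(self):
        self._data = {}

    def _check_key(self, key):
        if len(key) > MAX_KEY_LENGTH:
            raise KeyLengthError("Key length is > %d" % MAX_KEY_LENGTH)

    def set(self, key, value):
        self._check_key(key)
        self._data[key] = value

    def get(self, key):
        self._check_key(key)
        return self._data.get(key)


def unique_id(token_id):
    """Map a token of any length to a fixed-size key (SHA-256 is an assumption)."""
    return hashlib.sha256(token_id.encode("utf-8")).hexdigest()


class TokenStore:
    def __init__(self, client, hash_on_get=True):
        self.client = client
        self.hash_on_get = hash_on_get  # False reproduces the missed hash on get

    def create_token(self, token_id, data):
        # Write path: always keyed by the hash, never by the raw token.
        self.client.set("token-" + unique_id(token_id), data)

    def get_token(self, token_id):
        # Read path: must derive the key exactly as the write path does.
        key = unique_id(token_id) if self.hash_on_get else token_id
        return self.client.get("token-" + key)


# Constructed stand-in for a PKI token: thousands of characters, unlike a UUID.
PKI_TOKEN = "MII" + "A" * 4000
```

With the hash applied on both paths the cache key has a fixed length regardless of token size, and the raw token is never sent to the cache as a key.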

Fix proposed to branch: master
Review: https://review.openstack.org/25537

Changed in keystone:
status: New → In Progress
Dolph Mathews (dolph) on 2013-04-02
tags: added: grizzly-backport-potential

Reviewed: https://review.openstack.org/25537
Committed: http://github.com/openstack/keystone/commit/a62d3afae43ebe191fe86f8d1ebed3e8bfaeba17
Submitter: Jenkins
Branch: master

commit a62d3afae43ebe191fe86f8d1ebed3e8bfaeba17
Author: Adam Young <email address hidden>
Date: Wed Mar 27 12:10:08 2013 -0400

    Fix token ids for memcached

    Bug 1119641

    Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a

Changed in keystone:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/27979
Committed: http://github.com/openstack/keystone/commit/2b5b24ed833ad32e78a72ebd421ec2607a0d375b
Submitter: Jenkins
Branch: stable/grizzly

commit 2b5b24ed833ad32e78a72ebd421ec2607a0d375b
Author: Adam Young <email address hidden>
Date: Wed Mar 27 12:10:08 2013 -0400

    Fix token ids for memcached

    Bug 1119641

    Change-Id: Ia22764acc69a272b37364193d10c553a48679b9a
    (cherry picked from commit a62d3afae43ebe191fe86f8d1ebed3e8bfaeba17)

Alan Pevec (apevec) on 2013-05-02
Changed in keystone:
importance: Undecided → Medium
tags: removed: grizzly-backport-potential
Sam Morrison (sorrison) wrote :

This also affects the auth_token middleware in keystoneclient

Adam Young (ayoung) wrote :

If it does it is a different problem. This was an error storing tokens and was specific to the memcached backend.

Changed in python-keystoneclient:
status: New → Invalid
Thierry Carrez (ttx) on 2013-05-29
Changed in keystone:
milestone: none → havana-1
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-1 → 2013.2