Memcache token backend issue upgrading from Grizzly

Bug #1202053 reported by Kieran Spear
Affects: OpenStack Identity (keystone)
Status: Expired
Importance: Low
Assigned to: Unassigned

Bug Description

Noticed a possible upgrade issue with the pluggable token provider change:
https://github.com/openstack/keystone/commit/c238ace30981877e5991874c5b193ea7d5107419#L12L121

If old PKI tokens still live in a usertoken- index value in memcache, keystone will try to use them as a key to get the actual token. Since they're > 256 bytes this will likely raise an error and make token creation fail for any user with an old token.

Tags: pki
Dolph Mathews (dolph) wrote :

I'm not clear on how to reproduce this (or if you've actually produced an error?)

Changed in keystone:
milestone: none → havana-2
status: New → Incomplete
Kieran Spear (kspear) wrote :

This is hypothetical at this point, but I'll explain further:

usertokens-<user_id> looks like this in a grizzly memcache server:

"MIICfQYJK...", "MIIasdfjncoie...","MIIconiwec..."

where the length of each encoded token string is around 4k.

The change above in master will do the following when that Grizzly deployment is upgraded to Havana:

    token_list = jsonutils.loads('[%s]' % record)  # record = self.client.get('usertokens-x')
    for token_i in token_list:
        ptk = self._prefix_token_id(token_i)  # ptk = "token-MIICfQYJK..."
        token_ref = self.client.get(ptk)

(Pdb) mc.get('token-MIICfQYJK..............................')
*** MemcachedKeyLengthError: Key length is > 250

Which is basically what happened in:
https://bugs.launchpad.net/keystone/+bug/1119641

Changed in keystone:
status: Incomplete → New
Thierry Carrez (ttx)
Changed in keystone:
milestone: havana-2 → none
Adam Young (ayoung)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
Dolph Mathews (dolph) wrote :

This looks like it was fixed long ago - IIRC we use a hash of the token as a memcache key. Leaving as Incomplete in case someone can correct me.

tags: added: pki
Changed in keystone:
status: Confirmed → Incomplete
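
The failure mode and the hashed-key approach discussed in this thread, as an added example that is not keystone's code and not written by any participant. FakeMemcache, KeyLengthError, the helper names, the 64-character threshold and the choice of SHA-256 are assumptions for illustration, and the sample cache contents are constructed.

```python
import hashlib
import json

MAX_KEY = 250  # limit from the MemcachedKeyLengthError quoted in the thread

class KeyLengthError(Exception):
    """Stand-in for the client's MemcachedKeyLengthError."""

class FakeMemcache:
    """In-memory stand-in that enforces the key length limit on every call."""
    def __init__(self):
        self.store = {}
    def _check(self, key):
        if len(key.encode("utf-8")) > MAX_KEY:
            raise KeyLengthError("Key length is > %d" % MAX_KEY)
    def get(self, key):
        self._check(key)
        return self.store.get(key)
    def set(self, key, value):
        self._check(key)
        self.store[key] = value

def token_key(token_id):
    """Bounded key for any token ID; IDs over 64 chars are hashed (SHA-256 assumed)."""
    if len(token_id) > 64:
        token_id = hashlib.sha256(token_id.encode("utf-8")).hexdigest()
    return "token-" + token_id

def naive_list(client, user_id):
    """Lookup pattern from the comment: the raw index entry becomes the key."""
    record = client.get("usertokens-%s" % user_id) or ""
    return [t for t in json.loads("[%s]" % record) if client.get("token-" + t)]

def safe_list(client, user_id):
    """Same walk, but every index entry goes through token_key() first."""
    record = client.get("usertokens-%s" % user_id) or ""
    return [t for t in json.loads("[%s]" % record) if client.get(token_key(t))]

def build_legacy_cache():
    """Constructed sample: an index holding one ~4k PKI-style ID and one short ID."""
    pki, short = "MII" + "A" * 4000, "0123456789abcdef0123456789abcdef"
    client = FakeMemcache()
    for tok in (pki, short):
        client.set(token_key(tok), {"id": tok})
    client.set("usertokens-x", ", ".join(json.dumps(t) for t in (pki, short)))
    return client, pki, short
```

Calling naive_list on the constructed cache raises KeyLengthError on the first PKI-style entry, while safe_list returns both token IDs because every lookup key stays well under the limit.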
Launchpad Janitor (janitor) wrote :

[Expired for Keystone because there has been no activity for 60 days.]

Changed in keystone:
status: Incomplete → Expired