Memcached token backend should work with any timezone

Bug #1221087 reported by You Yamagata on 2013-09-05
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Medium
You Yamagata
Grizzly
Medium
David Geng

Bug Description

In configuration document, it looks like following configuration are required with memcache token backend.

- Memcached server's timezone is set to UTC.
- Timezone of both Memcached and Keystone server should be same.
So Keystone server's timezone is also set to UTC.

http://docs.openstack.org/developer/keystone/configuration.html#memcached-and-system-time

I guess this limitation is caused by incorrect expiration time is set when tokens are generated.

backends/memcache.py call utils.unixtime() and it calls time.mktime().
time.mktime() return localtime, not UTC, so its value depends on time zone.

In my tests, if keystone server runs with UTC + N (N>=1), token authorization failed.

# run keystone server with UTC+1
> env TZ='UTC-1' tools/with_venv.sh bin/keystone-all
# get token
> env TZ=UTC tools/with_venv.sh keystone .. token-get
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2013-09-05T08:38:14Z |
| id | fecd5f9e1c1842f0a60d86a07584fca4 |
| tenant_id | 7b1abdb5213a4962bcaf04a7e0881a91 |
| user_id | 03a2d2e23ff94bfa908856d2c1081110 |
+-----------+----------------------------------+
# use token
> env TZ=UTC curl -H "X-Auth-Token:$TOKEN" http://localhost:5000/v2.0/tenants
{"error": {"message": "Could not find token, fecd5f9e1c1842f0a60d86a07584fca4.", "code": 401, "title": "Unauthorized"}}

Changed in keystone:
assignee: nobody → You Yamagata (y-yamagata)
Dolph Mathews (dolph) wrote :
Changed in keystone:
importance: Undecided → Medium
status: New → In Progress
Dolph Mathews (dolph) on 2013-09-06
Changed in keystone:
milestone: none → havana-rc1
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-10-02
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-rc1 → 2013.2
Alan Pevec (apevec) wrote :

Proposed for stable/grizzly
https://review.openstack.org/51995

Morgan Fainberg (mdrnstm) wrote :

Grizzly is EOL, wont fix the grizzly branch at this point. Havana and beyond have this fix.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers