username validation 64 chars but can be 255 in database

Bug #1279750 reported by Abu Shohel Ahmed on 2014-02-13
Affects: OpenStack Identity (keystone)
Importance: Low
Assigned to: sudhakar kumar srivastava

Bug Description

Currently, the username/password authentication mechanism has an input length validation check in keystone/token/controllers.py:

def _authenticate_local(self, context, auth):
    ...
    if user_id and len(user_id) > CONF.max_param_size:
        ...
    if len(username) > CONF.max_param_size:

where, by default, keystone.conf sets max_param_size to 64,
whereas in the user DB schema, user_id is 64 and username is 255.

DB and frontend validation should be consistent in size.
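An added example, not code from keystone or from the reporter, that puts the two policies side by side: the single max_param_size cap quoted above, and per-field limits that match the user table columns. The function names, the uuid4-shaped sample id and the constructed names are assumptions made here for illustration.

```python
import uuid

# Constructed limits taken from the report: the keystone.conf default for
# max_param_size, and the user table column sizes it is compared against.
MAX_PARAM_SIZE = 64
DB_USER_ID_SIZE = 64
DB_USERNAME_SIZE = 255


class ValidationError(ValueError):
    """Raised when a request parameter exceeds the applicable limit."""


def validate_generic(user_id=None, username=None, max_param_size=MAX_PARAM_SIZE):
    """Mirror of the check quoted in the report: one cap for every parameter,
    regardless of the column the value is later matched against."""
    if user_id is not None and len(user_id) > max_param_size:
        raise ValidationError("user_id: %d > %d" % (len(user_id), max_param_size))
    if username is not None and len(username) > max_param_size:
        raise ValidationError("username: %d > %d" % (len(username), max_param_size))
    return True


def validate_per_field(user_id=None, username=None,
                       user_id_size=DB_USER_ID_SIZE, username_size=DB_USERNAME_SIZE):
    """Per-field limits aligned with the schema, the change the reporter asks
    for. The caps stay finite, so oversized input is still rejected before any
    backend lookup; they are just no longer smaller than what the backend can
    legitimately hold."""
    if user_id is not None and len(user_id) > user_id_size:
        raise ValidationError("user_id: %d > %d" % (len(user_id), user_id_size))
    if username is not None and len(username) > username_size:
        raise ValidationError("username: %d > %d" % (len(username), username_size))
    return True


def auth_outcome(validator, **params):
    """Run a validator and report 'accepted' or 'rejected' instead of raising,
    so the two policies can be compared side by side."""
    try:
        validator(**params)
    except ValidationError:
        return "rejected"
    return "accepted"


def compare(**params):
    """Outcome under the generic cap and under the per-field limits, as a pair."""
    return (auth_outcome(validate_generic, **params),
            auth_outcome(validate_per_field, **params))


def demo():
    """Constructed sample inputs (assumed shapes, not taken from the page): a
    uuid4 hex id (32 chars), a 100-char name that fits VARCHAR(255) but not the
    64-char cap, and a 300-char name that no policy should let through."""
    sql_user_id = uuid.uuid4().hex          # 32 hex chars
    long_name = "cn=" + "a" * 97            # 100 chars, storable in the DB
    huge_name = "x" * 300                   # over the column size too
    return {
        "short_name": compare(username="alice"),
        "long_name": compare(username=long_name),    # ('rejected', 'accepted')
        "huge_name": compare(username=huge_name),    # ('rejected', 'rejected')
        "sql_user_id": compare(user_id=sql_user_id, username="alice"),
    }


if __name__ == "__main__":
    for case, (generic, per_field) in demo().items():
        print("%-12s generic cap: %-8s per-field: %s" % (case, generic, per_field))
```

The "long_name" case is the situation described in this report: a name the backend can store is refused at the auth front end. The per-field variant keeps the property the later comments care about, a hard bound on every request parameter, while no longer being tighter than the schema.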

information type: Private Security → Public
description: updated
Dolph Mathews (dolph) on 2014-02-13
Changed in keystone:
importance: Undecided → Low
status: New → Triaged
Juan Manuel Ollé (juan-m-olle) wrote :

I don't know what Abu means by consistent, but an extra validation to avoid setting by config len(user_id) > 64 (db size) and len(username) > 255 (db size) could be useful.

If someone thinks it is valid, I could make the change and the corresponding UTs.

I got a problem related to this bug. I have created a user with a large length of name but the user can't be authorized because of the length.

I'd like to make the change to fix this bug. I'm adding a new param "max_userename_size" to keystone.common.config and use it in keystone.token.controllers.

Fix proposed to branch: master
Review: https://review.openstack.org/128504

Changed in keystone:
assignee: nobody → takehirokaneko (takehiro-kaneko)
status: Triaged → In Progress

I looked into a bit of history here. It appears that https://review.openstack.org/#/c/22694/ moved the database size from 64 to 255, but didn't fix the code to completely take advantage of it.

Changed in keystone:
assignee: takehiro-kaneko (takehiro-kaneko) → nobody
Adam Young (ayoung) on 2016-01-13
summary: - input validation problem in authentication front end
+ username validation 64 chars but can be 255 in database
Changed in keystone:
status: In Progress → Triaged
tags: added: validation
Changed in keystone:
assignee: nobody → Trevor McCasland (twm2016)

Fix proposed to branch: master
Review: https://review.openstack.org/285393

Changed in keystone:
status: Triaged → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/286852

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/286852
Reason: Please reference this review instead: https://review.openstack.org/#/c/285393/

David Stanek (dstanek) wrote :

It appears that the problem only exists in V2 auth, at least that's what I got looking at the proposed fix. If that's the case do we want to spend cycles on a deprecated API?

Trevor McCasland (twm2016) wrote :

@David Stanek If we want to continue down this route, should we mark the bug as "Won't fix"?

David Stanek (dstanek) wrote :

@Trevor, if this really is just a v2 change then I'd vote for won't fix. I also commented in the review that I don't even see the purpose for the validation.

Change abandoned by Trevor McCasland (<email address hidden>) on branch: master
Review: https://review.openstack.org/285393
Reason: Abandoning due to inactivity.

I don't see an issue with this. I could see a bug if the keystone controller were validating strings that were longer than what the db specifies. Also, isn't the default of 64 reasonable?

Changed in keystone:
assignee: Trevor McCasland (twm2016) → nobody
Changed in keystone:
assignee: nobody → sudhakar kumar srivastava (sudhakar.srivastava)
Steve Martinelli (stevemar) wrote :

There's nothing to fix here. max_param_size is for any HTTP parameter; we set this to 64 to prevent a DoS attack.

UserIDs should not be greater than 64. IDs are not usually in the request payload but part of the URL; regardless, any userID in keystone is 32 (if stored in SQL) or 64 (if we're shadowing an LDAP user).

Now, Username is set to 255 since these values may come from LDAP and be rather large, thus we set it to 255.

Additionally, we added validation for user create in this patch: https://review.openstack.org/#/c/348531/7 but as you can see from the comments in the schema for "_identity_name" we do not validate that it must be a specific size, since it could come from an LDAP backend, where we don't have any control over the length of the name.

WONTFIX

Changed in keystone:
status: In Progress → Won't Fix

Change abandoned by Steve Martinelli (<email address hidden>) on branch: master
Review: https://review.openstack.org/128504
Reason: no change in 4 months, lots of negative reviews and bug is marked as WONTFIX. abandoning
