Token expiration time with memcache->kvs->dogpile is wrong
Bug #1294862 reported by
Dag Stenstad
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Invalid
|
Medium
|
Unassigned |
Bug Description
There seems to be a bug somewhere when creating the expiration field for tokens when using the new memcached-
Aystems are UTC+1 (HW clock, TZ Europe/Oslo), and "[token] expiration = 3600" in configuration, wich is the default.
No requests to any API services (except keystone) worked, all systems reported that token is expired.
Put in some debugging, and it seems the expiration is set to UTC + conf.token.
Setting expiration to a higher value than 3600 makes the token valid.
Changed in keystone: | |
importance: | Undecided → Medium |
assignee: | nobody → Morgan Fainberg (mdrnstm) |
milestone: | none → icehouse-rc1 |
Changed in keystone: | |
status: | New → Incomplete |
Changed in keystone: | |
milestone: | icehouse-rc1 → none |
Changed in keystone: | |
assignee: | Morgan Fainberg (mdrnstm) → nobody |
To post a comment you must log in.
So keystone tokens use utctime for expiration so it makes sense that the expiry is UTC + conf.token. expiration. That would imply that it is a bug in auth_token middleware that isn't correctly doing utc but on a lookover auth_token i'm pretty certain it's ok (because there was a bug similar to this earlier in the cycle).
My first guess would be that the value that python is reporting for utc is wrong either for keystone or for the other services. Can you do
python -c "import datetime; print datetime. datetime. utcnow( )"
on both keystone and other services just to make sure they are the same, because beyond that i'm somewhat stumped.