Encode PKI token (back port changes to Havana)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Identity (keystone) |
Invalid
|
Undecided
|
Priti Desai | ||
Bug Description
Authenticating a user based on pre-existing PKI token is not supported in Havana. PKI tokens are much longer and different from its id (id column from token table). When PKI tokens are passed as token_id to POST …/auth/tokens, it does not encode PKI token to generate its ID which is happening in IceHouse.
Havana is missing this if statement:
if isinstance(
https:/
if is_ans1_
hasher = hashlib.md5()
return hasher.hexdigest()
IceHouse version:
if is_ans1_
hasher = hashlib.md5()
if isinstance(
return hasher.hexdigest()
Is it possible to backport these changes into Havana?
| Changed in keystone: | |
| assignee: | nobody → Priti Desai (priti-desai) |
| Dolph Mathews (dolph) wrote | #1 |
| Changed in keystone: | |
| status: | New → Invalid |
PKI token ID's are either the base64 encoded token itself (for the purposes of X-Auth-Token / X-Subject-Token), or an MD5 hash of the base64 encoded token (for the purposes of HTTP resources) (the hash method likely becoming configurable in Juno or rendered unnecessary by token compression).