Fernet tokens can fail with LDAP identity backends

Bug #1459382 reported by Lance Bragstad on 2015-05-27
This bug affects 8 people
Affects                        Importance  Assigned to
OpenStack Identity (keystone)  High        Lance Bragstad
  Kilo                         High        Dolph Mathews

Bug Description

It is possible for Keystone to fail to issue tokens when using an external identity backend, like LDAP, if the user IDs are of a different format than UUID. This is because the Fernet token formatter attempts to convert the UUID to bytes before packing the payload. This is done to save space and results in a shorter token.

When using an LDAP backend that doesn't use UUID format for the user IDs, we get a ValueError because UUID can't convert whatever the ID is to UUID.bytes [0]. We have to do something similar with the default domain in the case that it's not a UUID, same with federated user IDs [1], which we should probably do in this case.

Related stacktrace [2].

[0] https://github.com/openstack/keystone/blob/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L415
[1] https://github.com/openstack/keystone/blob/e5f2d88e471ac3595c4ea0e28f27493687a87588/keystone/token/providers/fernet/token_formatters.py#L509
[2] http://lists.openstack.org/pipermail/openstack/2015-May/012885.html
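The failure mode described above, and the fallback the fix commits below adopt for user, group and project IDs, as an added example (not Keystone's own code, and not the patch under review). It assumes a payload laid out as (user, project, groups) with each ID stored as a (stored_as_bytes, value) pair so the unpacker knows which form it holds; the sample IDs are constructed. It goes one step beyond the fix: an ID is only stored in compact form if it round-trips to exactly the original string, because uuid.UUID() also accepts hyphenated, braced, uppercase and urn:uuid: spellings that would come back canonicalised and so would silently change the identifier.

```python
import uuid

# Constructed sample IDs (not taken from the bug report): a SQL-backend
# UUID, two LDAP-style IDs and the non-UUID default domain ID.
SQL_USER_ID = "0a1b2c3d4e5f40718293a4b5c6d7e8f9"
LDAP_USER_ID = "jdoe"
LDAP_DN_ID = "cn=jdoe,ou=users,dc=example,dc=com"
DEFAULT_DOMAIN_ID = "default"


def convert_uuid_hex_to_bytes_strict(value):
    """Pre-fix behaviour: assume every ID is a UUID; raises ValueError if not."""
    return uuid.UUID(value).bytes


def strict_conversion_fails(value):
    """True when the pre-fix conversion would abort token issuance for this ID."""
    try:
        convert_uuid_hex_to_bytes_strict(value)
    except ValueError:
        return True
    return False


def attempt_convert_uuid_hex_to_bytes(value):
    """Post-fix behaviour: shrink a UUID ID to 16 bytes, otherwise keep the
    original string. Returns (stored_as_bytes, value).

    Added check beyond the fix: only take the compact form when decoding it
    would reproduce the exact input, so a hyphenated or uppercase UUID-shaped
    ID from an external backend is passed through untouched."""
    try:
        as_bytes = uuid.UUID(value).bytes
    except ValueError:
        return (False, value)
    if uuid.UUID(bytes=as_bytes).hex != value:
        return (False, value)
    return (True, as_bytes)


def restore_id(stored_as_bytes, value):
    """Inverse of attempt_convert_uuid_hex_to_bytes."""
    if stored_as_bytes:
        return uuid.UUID(bytes=value).hex
    return value


def build_payload(user_id, project_id, group_ids):
    """Assemble the ID fields of a token payload; never raises on non-UUID IDs."""
    return (
        attempt_convert_uuid_hex_to_bytes(user_id),
        attempt_convert_uuid_hex_to_bytes(project_id),
        [attempt_convert_uuid_hex_to_bytes(g) for g in group_ids],
    )


def disassemble_payload(payload):
    """Recover the original IDs from a payload built by build_payload."""
    user, project, groups = payload
    return (
        restore_id(*user),
        restore_id(*project),
        [restore_id(*g) for g in groups],
    )


if __name__ == "__main__":
    for candidate in (SQL_USER_ID, LDAP_USER_ID, LDAP_DN_ID, DEFAULT_DOMAIN_ID):
        print(candidate, "-> strict fails:", strict_conversion_fails(candidate),
              "| stored:", attempt_convert_uuid_hex_to_bytes(candidate))
    original = (SQL_USER_ID, LDAP_DN_ID, [LDAP_USER_ID, SQL_USER_ID])
    print("round trip ok:", disassemble_payload(build_payload(*original)) == original)
```

The (flag, value) pair is what makes the fallback safe: without it, an unpacker cannot tell a 16-byte compact UUID from a 16-character LDAP ID once the payload has been serialised, and the size saving only applies to IDs that actually are UUIDs, which is the trade-off the commit messages below describe.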

tags: added: fernet
Changed in keystone:
importance: Undecided → Medium

Fix proposed to branch: master
Review: https://review.openstack.org/186120

Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: New → In Progress
Lance Bragstad (lbragstad) wrote:

Note that the tests included in this patch should be reinforced by functional tests that test this specific case with LDAP and Fernet tokens.

Changed in keystone:
importance: Medium → High
tags: added: kilo-backport-potential
Changed in keystone:
milestone: none → liberty-1

Reviewed: https://review.openstack.org/186120
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=cb32568954e7ab7f2dbaa2aa7a3070b34ae3ca08
Submitter: Jenkins
Branch: master

commit cb32568954e7ab7f2dbaa2aa7a3070b34ae3ca08
Author: Lance Bragstad <email address hidden>
Date: Wed May 27 18:18:28 2015 +0000

    Don't fail on converting user ids to bytes

    When building Fernet token payloads, we should attempt to convert user IDs to bytes
    because this makes the payload a little smaller, resulting in a smaller token.
    But if we are unable to convert the user ID to bytes we shouldn't fail with a
    ValueError because the user ID could be coming from LDAP, or some other
    external identity backend. We can't assume the user ID is a UUID.

    Change-Id: I05b1e8389b15475c3fe512a2f82ec86f81422a05
    Closes-Bug: 1459382

Changed in keystone:
status: In Progress → Fix Committed

Related fix proposed to branch: master
Review: https://review.openstack.org/186393

Reviewed: https://review.openstack.org/186392
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5b650ff3f9b86c3aa6889fca479be8be57fc08e0
Submitter: Jenkins
Branch: master

commit 5b650ff3f9b86c3aa6889fca479be8be57fc08e0
Author: Lance Bragstad <email address hidden>
Date: Thu May 28 13:35:30 2015 +0000

    Don't assume group IDs are UUID format

    When using the Fernet token provider to build a federated payload, we can't
    assume that the group ID will always be a UUID format that we can convert to
    bytes. This change makes the Fernet code smart enough to pass the original
    group ID in the payload if it can't convert it to bytes.

    Change-Id: I6d00902eb461c22aafd9cb5ca706b05bedefd37d
    Related-Bug: 1459382

Reviewed: https://review.openstack.org/186393
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f5f1caf9e9e4dc0d916fc48b32a408f477a87829
Submitter: Jenkins
Branch: master

commit f5f1caf9e9e4dc0d916fc48b32a408f477a87829
Author: Lance Bragstad <email address hidden>
Date: Thu May 28 13:45:13 2015 +0000

    Don't assume project IDs are UUID format

    Since Keystone has the ability to be deployed with an LDAP backend, we can't
    guarantee that project IDs will always be UUID formatted. That change makes it
    so that we attempt to convert project IDs to bytes before packing and if we
    fail, pass the original project ID into the payload at the expense of a
    slightly longer payload.

    Change-Id: Id81ed23879ee7a9adeb50454ef0cb7acd13f1a0a
    Related-Bug: 1459382

Changed in keystone:
status: Fix Committed → Fix Released
Dolph Mathews (dolph) on 2015-07-30
tags: removed: kilo-backport-potential

Related fix proposed to branch: stable/kilo
Review: https://review.openstack.org/212605

Reviewed: https://review.openstack.org/186376
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b255b8ff71aab225d2788bf7cc49f35e665aa9fc
Submitter: Jenkins
Branch: stable/kilo

commit b255b8ff71aab225d2788bf7cc49f35e665aa9fc
Author: Lance Bragstad <email address hidden>
Date: Wed May 27 18:18:28 2015 +0000

    Don't fail on converting user ids to bytes

    When building Fernet token payloads, we should attempt to convert user IDs to bytes
    because this makes the payload a little smaller, resulting in a smaller token.
    But if we are unable to convert the user ID to bytes we shouldn't fail with a
    ValueError because the user ID could be coming from LDAP, or some other
    external identity backend. We can't assume the user ID is a UUID.

    Change-Id: I05b1e8389b15475c3fe512a2f82ec86f81422a05
    Closes-Bug: 1459382
    (cherry picked from commit cb32568954e7ab7f2dbaa2aa7a3070b34ae3ca08)

tags: added: in-stable-kilo

Reviewed: https://review.openstack.org/212603
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f8afb29a9daecce5ab1738d1a8a6e543159de502
Submitter: Jenkins
Branch: stable/kilo

commit f8afb29a9daecce5ab1738d1a8a6e543159de502
Author: Lance Bragstad <email address hidden>
Date: Thu May 28 13:35:30 2015 +0000

    Don't assume group IDs are UUID format

    When using the Fernet token provider to build a federated payload, we can't
    assume that the group ID will always be a UUID format that we can convert to
    bytes. This change makes the Fernet code smart enough to pass the original
    group ID in the payload if it can't convert it to bytes.

    Change-Id: I6d00902eb461c22aafd9cb5ca706b05bedefd37d
    Related-Bug: 1459382
    (cherry picked from commit 5b650ff3f9b86c3aa6889fca479be8be57fc08e0)

Reviewed: https://review.openstack.org/212605
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=a9726d2b22a1710a98edbdaf2da32ec2e312c545
Submitter: Jenkins
Branch: stable/kilo

commit a9726d2b22a1710a98edbdaf2da32ec2e312c545
Author: Lance Bragstad <email address hidden>
Date: Thu May 28 13:45:13 2015 +0000

    Don't assume project IDs are UUID format

    Since Keystone has the ability to be deployed with an LDAP backend, we can't
    guarantee that project IDs will always be UUID formatted. That change makes it
    so that we attempt to convert project IDs to bytes before packing and if we
    fail, pass the original project ID into the payload at the expense of a
    slightly longer payload.

    Change-Id: Id81ed23879ee7a9adeb50454ef0cb7acd13f1a0a
    Related-Bug: 1459382
    (cherry picked from commit f5f1caf9e9e4dc0d916fc48b32a408f477a87829)

Thierry Carrez (ttx) on 2015-10-15
Changed in keystone:
milestone: liberty-1 → 8.0.0