Support sub-second accuracy in Fernet's creation timestamp

Bug #1513541 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

The fernet token provider has sub-second format, but it is currently truncated to .000000Z. This is because the library (pyca/cryptography [0]) that keystone relies on for generating fernet tokens uses integer timestamps instead of floats, which loses sub-second accuracy. We should find a way to support sub-second accuracy in Fernet's creation timestamp so that we don't hit token revocation edge cases, like the ones documented here: https://review.openstack.org/#/c/227995/

This will likely have to be a coordinated effort between the cryptography development community and the maintainers of the Fernet specification [1].

This bug is to track that we include the corresponding fix (via version bump of cryptography) for keystone.

[0] https://github.com/pyca/cryptography
[1] https://github.com/fernet/spec

Tags: fernet
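
The truncation described in the bug description, as an added example that is not part of the original report and is not keystone or pyca/cryptography code: it reads the 64-bit whole-second timestamp from a Fernet token header (layout per the Fernet spec) and shows that tokens issued before and after a revocation within the same second carry the same creation time. The token shells, the epoch values and the `is_revoked` comparison rule are constructed assumptions for illustration.

```python
import base64
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # version byte defined by the Fernet spec


def build_token_shell(issued_at: float) -> bytes:
    """Constructed sample: Fernet-shaped token with zeroed IV, ciphertext, HMAC.

    Only the header matters here: a version byte followed by a 64-bit
    big-endian count of whole seconds. int() drops the fractional part,
    which is the loss of accuracy the report describes.
    """
    header = struct.pack(">BQ", FERNET_VERSION, int(issued_at))
    body = bytes(16) + bytes(16) + bytes(32)  # IV, one AES block, HMAC
    return base64.urlsafe_b64encode(header + body)


def token_created_at(token: bytes) -> datetime:
    """Read the creation time from the token header (no key required)."""
    raw = base64.urlsafe_b64decode(token)
    version, seconds = struct.unpack(">BQ", raw[:9])
    if version != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def format_issued_at(created: datetime) -> str:
    """Render with a sub-second field, which is always zero for Fernet."""
    return created.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def is_revoked(token: bytes, revoked_at: datetime) -> bool:
    """Assumed rule for illustration: created at or before the event."""
    return token_created_at(token) <= revoked_at


if __name__ == "__main__":
    base = 1446681600  # constructed epoch value
    revoked_at = datetime.fromtimestamp(base + 0.25, tz=timezone.utc)
    for label, issued in (("before", base + 0.10), ("after", base + 0.75)):
        tok = build_token_shell(issued)
        print(label, format_issued_at(token_created_at(tok)),
              "revoked:", is_revoked(tok, revoked_at))
```

Both tokens report the same creation time, so the one issued after the revocation event is treated exactly like the one issued before it.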
tags: added: fernet
Changed in keystone:
importance: Undecided → Medium
Morgan Fainberg (mdrnstm) wrote :

As discussed at the midcycle, the direction we are moving is towards no subsecond support anywhere instead.

Changed in keystone:
status: New → Won't Fix