OpenStack Identity (keystone)

keystone fernet cannot work with mod wsgi anymore

Bug #1528981 reported by Dave Chen on 2015-12-24

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	High	Dave Chen	OpenStack Identity (keystone) mitaka-2 "m2"

Bug Description

With the latest code, fernet cannot work anymore due to this change id (Change-Id: I0723cd50bbb464c38c9efcf1888e39d14950997b).

The stacktrace like this,

2015-12-23 10:47:53.526487 9923 DEBUG passlib.registry [req-e4501bef-5f1e-4bd3-8e1b-7320093b767b - - - - -] registered 'sha512_crypt' handler: <class 'passlib.handlers.sha2_crypt.sha512_crypt'> register_crypt_handler /usr/local/lib/python2.7/dist-packages/passlib/registry.py:284
2015-12-23 10:47:53.625320 9923 INFO keystone.token.providers.fernet.utils [req-e4501bef-5f1e-4bd3-8e1b-7320093b767b - - - - -] Loaded 2 encryption keys (max_active_keys=3) from: /etc/keystone/fernet-keys/
2015-12-23 10:47:53.735808 mod_wsgi (pid=9923): Exception occurred processing WSGI script '/usr/local/bin/keystone-wsgi-public'.
2015-12-23 10:47:53.735856 TypeError: expected byte string object for header value, value of type unicode found

Need identify which change from this commit (https://review.openstack.org/#/c/259563/) cause the regression

See original description

Dave Chen (wei-d-chen) on 2015-12-24

Changed in keystone:
assignee:	nobody → Dave Chen (wei-d-chen)

Dave Chen (wei-d-chen) on 2015-12-24

description:

updated

Steve Martinelli (stevemar) on 2015-12-24

Changed in keystone:
milestone:	none → mitaka-2
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-12-24: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/261205

Changed in keystone:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-05: Change abandoned on keystone (master)

Change abandoned by Dave Chen (<email address hidden>) on branch: master
Review: https://review.openstack.org/262364
Reason: in favor of https://review.openstack.org/#/c/261205/

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-01-05: Fix merged to keystone (master)

Reviewed: https://review.openstack.org/261205
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=5b445469b6369fe991f725b90833c54f399ab350
Submitter: Jenkins
Branch: master

commit 5b445469b6369fe991f725b90833c54f399ab350
Author: Dave Chen <email address hidden>
Date: Thu Dec 24 15:10:47 2015 +0800

Fix the incompatible issue in response header

    Some changes were made to fix fernet padding for python3 [1],
    fernet payload is decoded to str after encryption when
    creating a fernet token. But it will be unicode string on
    python27 and this is not compatible with `mod_wsgi`.

    `mod_wsgi` needs the value in the response headers is binary(str)
    type on python2, and unicode(str) type on python3. This patch
    does this translation accordingly to make keystone works with
    `mod_wsgi`.

[1] https://review.openstack.org/#/c/231711/
Closes-Bug: #1528981

Change-Id: I0217ac10d20c51a9c17bed566f326eb6db6ed949

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-01-21: Fix included in openstack/keystone 9.0.0.0b2

This issue was fixed in the openstack/keystone 9.0.0.0b2 development milestone.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.