Rebuilding authentication methods is broken with python3

Bug #1758121 reported by Lance Bragstad
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Keystone uses several techniques to make fernet tokens as small as possible. One of these techniques is to take the token's authentication methods and convert them to an integer before msgpack'ing the payload and encrypting it.

The conversion from a list of unique strings to an integer is relatively simple. Each authentication method has its own unique value and a sum of the methods is packed into the token. On validation, keystone does some math to "re-inflate" the integer into its original list [0].

The problem is that in python2, division operations between two integers result in an integer. In python3, they result in a float. For example, the following is with python3:

  >>> result = 5 / 4
  >>> result
  1.25
  >>> type(result)
  <class 'float'>

The sample example in python2:

  >>> result = 5 / 4
  >>> result
  1
  >>> type(result)
  <type 'int'>

The logic to re-inflate a list of methods from an integer expects integers [1]. As a result, if cache_on_issue is disabled and keystone is running with python3, a token's method list at authentication time will be different from the list at validation time.

[0] https://github.com/openstack/keystone/blob/d4f3160334838c592cc8616bba85c13f308468f6/keystone/auth/plugins/core.py#L63-L95
[1] https://github.com/openstack/keystone/blob/d4f3160334838c592cc8616bba85c13f308468f6/keystone/auth/plugins/core.py#L89
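
The round trip described in the report, as an added example that is not part of the original report and is not keystone's code: it packs a method list into an integer and re-inflates it with true division (python3 `/`) and with floor division (`//`, the python2 integer behaviour). The method names, their power-of-two values and the function names are assumptions made for illustration.

```python
import operator

# Assumed mapping (not taken from keystone): each method gets a distinct
# power of two, so a sum of values identifies exactly one set of methods.
METHOD_VALUES = {1: "external", 2: "password", 4: "token", 8: "totp"}


def methods_to_int(methods):
    """Pack a list of unique method names into one integer (sum of values)."""
    by_name = {name: value for value, name in METHOD_VALUES.items()}
    return sum(by_name[name] for name in set(methods))


def int_to_methods(method_int, divide):
    """Re-inflate the integer, largest value first, using `divide`.

    A method counts as present when the quotient equals 1, which only
    holds reliably when the division yields an integer.
    """
    found = []
    for value in sorted(METHOD_VALUES, reverse=True):
        if divide(method_int, value) == 1:
            found.append(METHOD_VALUES[value])
            method_int -= value
    return sorted(found)


def roundtrip(methods, divide):
    """Return the method list as seen at validation time."""
    return int_to_methods(methods_to_int(methods), divide)


if __name__ == "__main__":
    # Constructed sample inputs: one single-method and two multi-method tokens.
    for methods in (["password"], ["external", "token"], ["password", "totp"]):
        packed = methods_to_int(methods)
        print(methods, "->", packed,
              "| '/' gives", int_to_methods(packed, operator.truediv),
              "| '//' gives", int_to_methods(packed, operator.floordiv))
```

With these assumed values, a single-method token survives true division because 2 / 2 == 1.0, while every multi-method token comes back with an empty list, so a regression test for this bug needs at least one multi-method case.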

Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
Changed in keystone:
assignee: nobody → Lance Bragstad (lbragstad)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/555339
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=93838575c1c866df114b595921720d72ebb1c1e8
Submitter: Zuul
Branch: master

commit 93838575c1c866df114b595921720d72ebb1c1e8
Author: Lance Bragstad <email address hidden>
Date: Thu Mar 22 18:13:24 2018 +0000

    Fix integer -> method conversion for python3

    We have a method that takes an integer and re-inflates it into a list
    of authentication methods. This is because it's more efficient to
    pass around an integer in a token's payload than a list of strings.
    During the token validation process, we take this integer and run it
    through a little process to reinflate its value to a list of auth
    methods that were used to obtain the original token.

    The re-inflation process doesn't actually work in python3 because it
    is coded to expect integers when dividing numbers, which is accurate
    for python2. Python3 returns floats when dividing two integers, which
    doesn't work with the logic to re-inflate the auth methods. For
    example, in python 3::

      >>> result = 5 / 4
      >>> result
      1.25
      >>> type(result)
      <class 'float'>

    In python2:

      >>> result = 5 / 4
      >>> result
      1
      >>> type(result)
      <type 'int'>

    This commit introduces unit tests to prevent regression and includes
    a fix so that the conversion works properly on python3.

    Closes-Bug: 1758121
    Change-Id: I627c2b353da0c35bb23bb40542a880fc6bacc4aa

Changed in keystone:
status: In Progress → Fix Released
Changed in keystone:
milestone: none → rocky-1
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 14.0.0.0b1

This issue was fixed in the openstack/keystone 14.0.0.0b1 development milestone.
