Keystone logs a warning about token size regardless of max_token_size
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad | |
Bug Description
Keystone has a configuration option to control the maximum size of a token `keystone.conf [DEFAULT] max_token_size` [0].
With Fernet tokens, the ideal token should be less than 255 characters. This target comes from the initial design goals for non-persistent tokens and from being mindful of potential storage issues.
When integrating keystone with LDAP, fernet tokens are likely to exceed 255 characters because the user ID strings can't be converted to bytes, which is what keeps tokens small.
If you deploy keystone with LDAP and then set the max_token_size = 300, you'll still see an informative warning in keystone.log saying:
Fernet token created with length of 268 characters, which exceeds 255 characters
This is because of a hard-coded check in keystone's fernet token provider that doesn't use the max_token_size option [1].
We should consider reusing that configuration option there instead of a hard-coded check, because it's confusing for operators who still see the log message after they've adjusted max_token_size.
[0] https:/
[1] https:/
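As an added illustration (not keystone's own code), the following models both halves of the report: why a non-UUID (LDAP-style) user ID inflates a fernet-shaped token, and the difference between the hard-coded 255-character check and a check driven by a `max_token_size` setting. The token builder, the `DEFAULT_MAX_TOKEN_SIZE` constant and the sample IDs are constructed stand-ins, not keystone's real token format or configuration object.

```python
import base64
import logging
import uuid

LOG = logging.getLogger(__name__)

# Stand-in for keystone.conf [DEFAULT] max_token_size. Constructed for this
# illustration; it is not keystone's real configuration object.
DEFAULT_MAX_TOKEN_SIZE = 255


def pack_user_id(user_id: str) -> bytes:
    """Why LDAP-backed tokens are longer: a UUID-shaped id packs into 16 raw
    bytes, but a non-UUID id (the usual case with LDAP) can only be carried as
    its UTF-8 string, so the payload, and the encoded token, grow."""
    try:
        return uuid.UUID(user_id).bytes
    except ValueError:
        return user_id.encode("utf-8")


def build_token(user_id: str, project_id: str) -> str:
    """Constructed fernet-shaped token: packed ids plus fixed-size fields,
    urlsafe-base64 encoded. Real fernet encrypts and signs the payload;
    only the length behaviour is modelled here."""
    payload = b"\x80"                       # version byte stand-in
    payload += pack_user_id(user_id)
    payload += pack_user_id(project_id)
    payload += bytes(8)                     # expiry timestamp stand-in
    payload += bytes(16)                    # audit id stand-in
    payload += bytes(32)                    # HMAC tag stand-in
    return base64.urlsafe_b64encode(payload).decode("ascii")


def warn_if_too_long_hardcoded(token: str) -> bool:
    """The behaviour the bug report describes: the limit is fixed at 255 and
    ignores max_token_size, so the warning fires even after operators raise
    the option. Returns True when the warning was logged."""
    if len(token) > 255:
        LOG.warning(
            "Fernet token created with length of %d characters, which "
            "exceeds 255 characters", len(token))
        return True
    return False


def warn_if_too_long(token: str, max_token_size: int = DEFAULT_MAX_TOKEN_SIZE) -> bool:
    """The behaviour after the fix: the configured max_token_size is the only
    threshold, so a token within the operator's limit logs nothing."""
    if len(token) > max_token_size:
        LOG.warning(
            "Fernet token created with length of %d characters, which "
            "exceeds %d characters", len(token), max_token_size)
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    sql_token = build_token(uuid.uuid4().hex, uuid.uuid4().hex)
    ldap_token = build_token("cn=alice,ou=people,dc=example,dc=org",
                             uuid.uuid4().hex)
    print("UUID-backed token length:", len(sql_token))
    print("LDAP-backed token length:", len(ldap_token))

    # A 268-character token like the one in the reported log line (constructed).
    long_token = "x" * 268
    print("hard-coded check, max_token_size=300 ->",
          warn_if_too_long_hardcoded(long_token))   # warns anyway
    print("config-driven check, max_token_size=300 ->",
          warn_if_too_long(long_token, 300))         # silent
```

Running it shows the LDAP-style ID producing a longer token than two UUIDs, and a 268-character token triggering the hard-coded warning while the config-driven check with `max_token_size = 300` stays quiet, which is exactly the operator experience the report asks to fix.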
Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
assignee: nobody → Lance Bragstad (lbragstad)
milestone: none → zed-3
Reviewed: https://review.opendev.org/c/openstack/keystone/+/789417
Committed: https://opendev.org/openstack/keystone/commit/68bfb685d12937dde11d1a335bd992203ec7c293
Submitter: "Zuul (22348)"
Branch: master
commit 68bfb685d12937dde11d1a335bd992203ec7c293
Author: Lance Bragstad <email address hidden>
Date: Mon May 3 20:37:35 2021 +0000
Only log warnings about token length when length exceeds max_token_size
Previously, the fernet token provider would log warnings when a fernet
token exceeded 255 characters, which is common for LDAP-backed
deployments. The warning is always issued, even when operators configure
keystone's max_token_size to a higher value, causing confusion because
it appears the configuration value is silently ignored.
This commit fixes that issue by using the max_token_size configuration
parameter consistently in the fernet token provider.
Closes-Bug: 1926483
Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7