Keystone logs a warning about token size regardless of max_token_size

Bug #1926483 reported by Lance Bragstad
Affects: OpenStack Identity (keystone) | Status: Fix Released | Importance: Medium | Assigned to: Lance Bragstad

Bug Description

Keystone has a configuration option to control the maximum size of a token `keystone.conf [DEFAULT] max_token_size` [0].

With Fernet tokens, the ideal token should be less than 255 characters. This was due to initial design targets when developing non-persistent tokens and to be mindful of potential storage issues.

When integrating keystone with LDAP, fernet tokens are likely to exceed 255 characters because the strings can't be converted to bytes, making them smaller.

If you deploy keystone with LDAP and then set the max_token_size = 300, you'll still see an informative warning in keystone.log saying:

  Fernet token created with length of 268 characters, which exceeds 255 characters

This is because of a hard-coded check in keystone's fernet token provider that doesn't use the max_token_size option [1].

We should consider reusing that configuration option there instead of a hard-coded check, because operators are misled as to why they still see the log message after they've adjusted max_token_size.

[0] https://docs.openstack.org/keystone/latest/configuration/config-options.html#DEFAULT.max_token_size
[1] https://opendev.org/openstack/keystone/src/commit/10057702ac361213e74472ec1d0d4e4c4a041f09/keystone/conf/default.py
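The two behaviours the report contrasts, as an added example that is not keystone's own code: a constructed stand-in for a fernet token whose length grows when an ID cannot be packed as 16 raw UUID bytes (keystone's ID-mapping layer gives LDAP-backed users sha256 hex public IDs, which fail UUID parsing and stay as text), and a warning check that either compares against a hard-coded 255 (the reported behaviour) or against max_token_size (the fixed behaviour). The token framing (1-byte length prefixes, PKCS#7 padding to 16 bytes, the 57-byte fernet header) is a simplification of keystone's msgpack payload, so the lengths it produces are illustrative; the IDs and audit IDs are constructed values.

```python
import base64
import hashlib
import logging
import uuid
from typing import List, Optional

LOG = logging.getLogger(__name__)

# Hard-coded limit the original fernet provider compared against (from the report).
LEGACY_LIMIT = 255
# Fernet header: version (1) + timestamp (8) + IV (16) + HMAC (32) bytes.
FERNET_OVERHEAD = 1 + 8 + 16 + 32

# Constructed IDs. The LDAP-style user ID is a sha256 hex digest (64 chars), which is
# what keystone's ID-mapping layer produces for LDAP-backed domains.
UUID_USER_ID = "0123456789abcdef0123456789abcdef"
LDAP_USER_ID = hashlib.sha256(b"uid=jane.doe,ou=People,dc=example,dc=com").hexdigest()
PROJECT_ID = "fedcba9876543210fedcba9876543210"
AUDIT_IDS = ["constructed-audit-id-1", "constructed-audit-id-2"]  # 22 chars each


def pack_id(value: str) -> bytes:
    """UUID hex IDs pack into 16 raw bytes; anything else stays as UTF-8 text."""
    try:
        return uuid.UUID(hex=value).bytes
    except ValueError:
        return value.encode("utf-8")


def fake_fernet_token(user_id: str, project_id: str, audit_ids: List[str]) -> str:
    """Constructed length model of a project-scoped fernet token (not real crypto).

    Fields are length-prefixed, padded PKCS#7-style to a 16-byte block, prefixed by
    the fernet header, and base64url-encoded with padding stripped, as keystone does.
    The encoded bytes are zeros because only the length matters here.
    """
    fields = [
        b"\x02",                 # payload version: project-scoped
        pack_id(user_id),
        b"\x01",                 # auth methods bitmask
        pack_id(project_id),
        b"\x00" * 9,             # expiry timestamp (msgpack float64 framing)
    ] + [a.encode("ascii") for a in audit_ids]
    plaintext = b"".join(bytes([len(f)]) + f for f in fields)
    padded_len = (len(plaintext) // 16 + 1) * 16   # PKCS#7 adds 1..16 bytes
    raw = b"\x00" * (FERNET_OVERHEAD + padded_len)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def length_warning(token: str, max_token_size: int, honour_config: bool) -> Optional[str]:
    """Return the warning that would be logged, or None.

    honour_config=False reproduces the reported behaviour (compare to 255 regardless
    of configuration); honour_config=True is the behaviour the fix describes.
    """
    limit = max_token_size if honour_config else LEGACY_LIMIT
    if len(token) > limit:
        msg = ("Fernet token created with length of %d characters, which exceeds "
               "%d characters" % (len(token), limit))
        LOG.warning(msg)
        return msg
    return None


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    short = fake_fernet_token(UUID_USER_ID, PROJECT_ID, AUDIT_IDS[:1])
    long_ = fake_fernet_token(LDAP_USER_ID, PROJECT_ID, AUDIT_IDS)
    print("UUID-backed token length:", len(short))
    print("LDAP-backed (rescoped) token length:", len(long_))
    # max_token_size = 300: the hard-coded check still warns, the fixed check does not.
    print("hard-coded:", length_warning(long_, 300, honour_config=False))
    print("configured:", length_warning(long_, 300, honour_config=True))
```

Under this model the UUID-backed token is 183 characters and the LDAP-backed, rescoped one is 268: the same number the report quotes, though that is a coincidence of the constructed framing rather than a reproduction of keystone's exact payload. With max_token_size = 300 only the hard-coded variant warns, which is the mismatch the bug describes.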

Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → Medium
assignee: nobody → Lance Bragstad (lbragstad)
milestone: none → zed-3
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/789417
Committed: https://opendev.org/openstack/keystone/commit/68bfb685d12937dde11d1a335bd992203ec7c293
Submitter: "Zuul (22348)"
Branch: master

commit 68bfb685d12937dde11d1a335bd992203ec7c293
Author: Lance Bragstad <email address hidden>
Date: Mon May 3 20:37:35 2021 +0000

    Only log warnings about token length when length exceeds max_token_size

    Previously, the fernet token provider would log warnings when a fernet
    token exceeded 255 characters, which is common for LDAP-backed
    deployments. The warning is always issued, even when operators configure
    keystone's max_token_size to a higher value, causing confusion because
    it appears the configuration value is silently ignored.

    This commit fixes that issue by using the max_token_size configuration
    parameter consistently in the fernet token provider.

    Closes-Bug: 1926483

    Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/keystone/+/851051

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/keystone/+/851052

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/keystone/+/851053

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/keystone/+/851054

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/keystone/+/851055

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 22.0.0.0rc1

This issue was fixed in the openstack/keystone 22.0.0.0rc1 release candidate.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/851051
Committed: https://opendev.org/openstack/keystone/commit/aaff84323b020b88682995cf54f4497fe9182815
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit aaff84323b020b88682995cf54f4497fe9182815
Author: Lance Bragstad <email address hidden>
Date: Mon May 3 20:37:35 2021 +0000

    Only log warnings about token length when length exceeds max_token_size

    Previously, the fernet token provider would log warnings when a fernet
    token exceeded 255 characters, which is common for LDAP-backed
    deployments. The warning is always issued, even when operators configure
    keystone's max_token_size to a higher value, causing confusion because
    it appears the configuration value is silently ignored.

    This commit fixes that issue by using the max_token_size configuration
    parameter consistently in the fernet token provider.

    Closes-Bug: 1926483

    Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
    (cherry picked from commit 68bfb685d12937dde11d1a335bd992203ec7c293)

tags: added: in-stable-yoga
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/851052
Committed: https://opendev.org/openstack/keystone/commit/8917b47533c235439410951435983035e2efb8e1
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 8917b47533c235439410951435983035e2efb8e1
Author: Lance Bragstad <email address hidden>
Date: Mon May 3 20:37:35 2021 +0000

    Only log warnings about token length when length exceeds max_token_size

    Previously, the fernet token provider would log warnings when a fernet
    token exceeded 255 characters, which is common for LDAP-backed
    deployments. The warning is always issued, even when operators configure
    keystone's max_token_size to a higher value, causing confusion because
    it appears the configuration value is silently ignored.

    This commit fixes that issue by using the max_token_size configuration
    parameter consistently in the fernet token provider.

    Closes-Bug: 1926483

    Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7

tags: added: in-stable-xena
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/851053
Committed: https://opendev.org/openstack/keystone/commit/7810813d22f1be4e217ad9596ce392b692fadcf5
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 7810813d22f1be4e217ad9596ce392b692fadcf5
Author: Lance Bragstad <email address hidden>
Date: Mon May 3 20:37:35 2021 +0000

    Only log warnings about token length when length exceeds max_token_size

    Previously, the fernet token provider would log warnings when a fernet
    token exceeded 255 characters, which is common for LDAP-backed
    deployments. The warning is always issued, even when operators configure
    keystone's max_token_size to a higher value, causing confusion because
    it appears the configuration value is silently ignored.

    This commit fixes that issue by using the max_token_size configuration
    parameter consistently in the fernet token provider.

    Closes-Bug: 1926483

    Change-Id: I4bb54aac9b950d59082a4468203a3249790839d7
    (cherry picked from commit 68bfb685d12937dde11d1a335bd992203ec7c293)

tags: added: in-stable-wallaby
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 20.0.1

This issue was fixed in the openstack/keystone 20.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 21.0.1

This issue was fixed in the openstack/keystone 21.0.1 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/train)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/train
Review: https://review.opendev.org/c/openstack/keystone/+/851055
Reason: Train is about to transition to End of Life. Open patches need to be abandoned before branch deletion.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (stable/ussuri)

Change abandoned by "Elod Illes <email address hidden>" on branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/keystone/+/851054
Reason: stable/ussuri branch of openstack/keystone transitioned to End of Life and is about to be deleted. To be able to do that, all open patches need to be abandoned.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone wallaby-eom

This issue was fixed in the openstack/keystone wallaby-eom release.
